Docker Scout get started
Docker Scout analyzes image contents and generates a detailed report of packages and vulnerabilities that it detects. It can provide you with suggestions for how to remediate issues discovered by image analysis.
This guide takes a vulnerable container image and shows you how to use Docker Scout to identify and fix the vulnerabilities, compare image versions over time, and share the results with your team.
Step 1: Setup
In this example I am using productmicroservice, which you can download from my GitHub.
1. Clone its repository:
git clone https://github.com/mehzan07/ProductMicroservice-DotNET-Core-Master.git
2. Move into the directory:
cd C:\Utvecklingprogram\Microservices\Microservice-DotNET-Core-Master
3. Build the image, naming it to match the organization you will push it to, and tag it as v1 (the default tag is latest):
Note: you should start Docker Desktop before running the build command.
docker build -t mehzan07/productmicroservice:v1 . -f ./ProductMicroservice/ProductMicroservice/Dockerfile
Step 2: Enable Docker Scout
Docker Scout analyzes all local images by default. To analyze images in remote repositories, you need to enable it first. You can do this from Docker Hub, the Docker Scout Dashboard, or the Docker CLI (used below).
1. Sign in to your Docker account with the docker login command, or use the Sign in button in Docker Desktop.
2. Use the Docker CLI docker scout repo enable command to enable analysis on an existing repository:
docker scout repo enable --org mehzan07 mehzan07/productmicroservice
Then you should see the following output:
i New version 1.2.2 available (installed version is 1.2.0) at https://github.com/docker/scout-cli
v Enabled Docker Scout on mehzan07/productmicroservice
What's Next?
Manage repositories in the Docker Scout Dashboard → https://scout.docker.com/org/mehzan07/settings/repos
Then you can open the URL https://scout.docker.com/org/mehzan07/settings/repos to see the enabled repository in the Docker Scout Dashboard.
Step 3: Analyze Image Vulnerabilities
After building, you can use Docker Desktop or the docker scout CLI command to see the vulnerabilities detected by Docker Scout.
- In Docker Desktop, select the image name (productmicroservice) in the Images view to open the image layer view. In the image hierarchy section, you can see which layers introduce vulnerabilities and the details of those vulnerabilities.
- Select layer 13 to focus on the vulnerability introduced in that layer.
- Toggle the disclosure triangle next to 21.47 to see details of the vulnerability.
You can also use the Docker CLI to see the same results:
docker scout cves mehzan07/productmicroservice
x LOW CVE-2022-3219
https://scout.docker.com/v/CVE-2022-3219
Affected range : >=2.2.27-2+deb11u2
Fixed version : not fixed
0C 0H 0M 1L libgcrypt20 1.8.7-6
pkg:deb/debian/libgcrypt20@1.8.7-6?os_distro=bullseye&os_name=debian&os_version=11
x LOW CVE-2018-6829
https://scout.docker.com/v/CVE-2018-6829
Affected range : >=1.8.7-6
Fixed version : not fixed
0C 0H 0M 1L apt 2.2.4
pkg:deb/debian/apt@2.2.4?os_distro=bullseye&os_name=debian&os_version=11
x LOW CVE-2011-3374
https://scout.docker.com/v/CVE-2011-3374
Affected range : >=2.2.4
Fixed version : not fixed
0C 0H 0M 1L gnutls28 3.7.1-5+deb11u3
pkg:deb/debian/gnutls28@3.7.1-5+deb11u3?os_distro=bullseye&os_name=debian&os_version=11
x LOW CVE-2011-3389
https://scout.docker.com/v/CVE-2011-3389
Affected range : >=3.7.1-5+deb11u3
Fixed version : not fixed
0C 0H 0M 1L coreutils 8.32-4+b1
pkg:deb/debian/coreutils@8.32-4+b1?os_distro=bullseye&os_name=debian&os_version=11
x LOW CVE-2017-18018
https://scout.docker.com/v/CVE-2017-18018
Affected range : >=8.32-4
Fixed version : not fixed
30 vulnerabilities found in 18 packages
LOW 27
MEDIUM 2
HIGH 0
CRITICAL 1
Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers. You can find more details in the advisory database documentation.
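The summary block at the end of the docker scout cves output (the LOW/MEDIUM/HIGH/CRITICAL counts) is what you would gate a build on. The following script is an added example, not code from the original post or from Docker: it parses a constructed copy of the summary shown above, fails when the image has any CRITICAL finding or more HIGH findings than allowed, and wraps the real scan in a function that uses the CLI's own --exit-code and --only-severity flags so docker scout itself can fail a CI step. The severity policy (no CRITICAL, HIGH capped at a configurable maximum) is an assumption chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): gate a build on the severity
# summary printed by `docker scout cves` (Step 3 above).
set -e

# Constructed sample of the summary block that `docker scout cves` prints.
# The counts are the ones shown earlier on this page; the text is embedded here
# so the script runs offline.
SAMPLE_SUMMARY='30 vulnerabilities found in 18 packages
  LOW       27
  MEDIUM    2
  HIGH      0
  CRITICAL  1'

# count_severity <severity> <summary-text>
# Prints the count for one severity level, or 0 if that line is absent.
count_severity() {
  sev="$1"
  summary="$2"
  printf '%s\n' "$summary" |
    awk -v s="$sev" '$1 == s { print $2; found = 1 } END { if (!found) print 0 }'
}

# check_gate <summary-text> [max_high]
# Returns 0 when the image passes the policy: no CRITICAL findings and at most
# max_high HIGH findings (default 0). Returns 1 otherwise.
check_gate() {
  summary="$1"
  max_high="${2:-0}"
  critical=$(count_severity CRITICAL "$summary")
  high=$(count_severity HIGH "$summary")
  if [ "$critical" -gt 0 ] || [ "$high" -gt "$max_high" ]; then
    echo "policy FAIL: critical=$critical high=$high (max_high=$max_high)" >&2
    return 1
  fi
  echo "policy PASS: critical=$critical high=$high"
  return 0
}

# scan_and_gate <image-ref>
# Runs the real scan (requires Docker and the Docker Scout CLI plugin; not
# executed in this example). `--exit-code` makes docker scout return non-zero
# when findings match the severities selected with `--only-severity`, which is
# the simplest way to fail a CI job on a vulnerable image.
scan_and_gate() {
  docker scout cves --exit-code --only-severity critical,high "$1"
}

# Demo run against the constructed summary: CRITICAL=1, so the gate fails.
if [ "${1:-}" = "--demo" ]; then
  check_gate "$SAMPLE_SUMMARY" || echo "build would be blocked"
fi
```

Run it with --demo to see the gate reject the sample summary; in a pipeline you would call scan_and_gate with the tag you just built (for example mehzan07/productmicroservice:v1) instead of the embedded text.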
docker scout repo enable --org mehzan07 mehzan07/productmicroservice:v2
Step 4: Fix application Vulnerabilities
The fix suggested by Docker Scout is to update the vulnerable package System.Drawing.Common 4.6.26919.02.
1. Update the System.Drawing.Common package in the project file to the new package version, or install it if it is not installed.
I checked in Visual Studio and found that this package was not installed, so I installed version 8.0.0 with Manage NuGet Packages, then rebuilt and ran it with Visual Studio first.
2. Rebuild the image, giving it a new version tag:
docker build -t mehzan07/productmicroservice:v2 . -f ./ProductMicroservice/ProductMicroservice/Dockerfile
3. Analyzing image version v2 shows that this vulnerability has disappeared.
4. Push the image to the same repository on Docker Hub using the new version tag:
docker push mehzan07/productmicroservice:v2
Note: if you get the error "denied: requested access to the resource is denied", try logging in to Docker Hub again, or remove the image in Docker Desktop, rebuild, and push again.
After the push, if you look at Docker Hub you can see that the vulnerability has disappeared. You can also check this in Docker Desktop.
Step 5: Fix Vulnerabilities in base Image
In addition to identifying application vulnerabilities, Docker Scout also helps you identify and fix issues with the base images your images use.
- On Docker Hub, select the latest image (tag: v2); you can see the View Recommended base image fixes button in the image layer view.
- Select the Recommendations for base image option from the button. In the dialog that appears, select the Change base image tab, choose the new version of the base image you want to use, and copy the suggestion into your Dockerfile.
- Rebuild the image, again with a new tag, v3:
docker build -t mehzan07/productmicroservice:v3 . -f ./ProductMicroservice/ProductMicroservice/Dockerfile
Push it to Docker Hub using the new version tag:
docker push mehzan07/productmicroservice:v3
Select the new image tag in Docker Desktop or the Docker Scout Dashboard and you can see that the base image has been updated, removing many vulnerabilities.
You can see the same using the Docker CLI command:
docker scout cves mehzan07/productmicroservice:v3
Step 6: Collaborate on Vulnerabilities
You can see and share the same vulnerability information about an image and the other images in your organization in the Docker Scout Dashboard.
All organization members can see an overview of all their images from integrated container registries, and get remediation advice at their fingertips. This helps team members in security, compliance, and operations to know what vulnerabilities and issues to focus on.
- Select the Images tab on the Docker Scout Dashboard.
- Select any of the tags under the Most Recent Image column, and you can see the same vulnerability information as you saw in Docker Desktop and the Docker CLI and share this link with anyone else in your organization.
Step 7: Compare Images
Over time as you build and push new tags of images, you can use the Docker Scout CLI and Dashboard to compare the changes to vulnerabilities and packages in different tags of the same image.
Dashboard:
On the Docker Scout Dashboard, select the repository to compare from the Images list. In this case, scout-demo.
Choose two of the tags you pushed in the last steps, for example, v1 and v3, and then select Compare images.
The Image comparison view shows you the differences between the two tags. The page’s top part summarizes the two tags, including the differences between vulnerabilities and base image tags.
In the bottom part of the page, you can see the changes in packages and vulnerabilities between the two tags. In the row for "express", you can see the version change from 4.17.1 to 4.17.3. Switch to the Vulnerabilities tab to see the changes in vulnerabilities between the two tags. You can see that CVE-2022-24999 isn't present under the v3 tag.
CLI:
Use the docker scout compare command to compare two image versions. Pass the image that you want to compare as a positional argument to the command, and specify the base image to compare against using the --to flag.
docker scout compare --to mehzan07/productmicroservice:v1 mehzan07/productmicroservice:v3
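The Dashboard and the CLI both show the per-tag difference; in a pipeline you usually want that difference reduced to a yes/no answer ("did the new tag introduce a higher-severity finding than the old one?"). The following script is an added example, not code from the original post or from Docker: it diffs the severity summaries of two scans and reports a regression only when CRITICAL or HIGH counts grew. The v1 counts are the ones shown in Step 3; the v3 counts are constructed for this example and are not real scan results for the rebuilt image. The docker scout compare call at the end is the command from this step, wrapped in a function and not executed here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): diff the severity summaries of
# two scans (old tag vs. new tag) and flag regressions, as a scriptable
# counterpart to `docker scout compare` in Step 7.
set -e

# Constructed summaries. V1 uses the counts shown in Step 3 of this post;
# V3 is made up for this example to stand in for the rebuilt image.
V1_SUMMARY='LOW 27
MEDIUM 2
HIGH 0
CRITICAL 1'
V3_SUMMARY='LOW 9
MEDIUM 3
HIGH 0
CRITICAL 0'

# count_severity <severity> <summary-text>: count for one level, 0 if absent.
count_severity() {
  printf '%s\n' "$2" |
    awk -v s="$1" '$1 == s { print $2; found = 1 } END { if (!found) print 0 }'
}

# severity_delta <old-summary> <new-summary>
# Prints one line per severity: "<LEVEL> <old> <new> <delta>".
severity_delta() {
  for sev in CRITICAL HIGH MEDIUM LOW; do
    old=$(count_severity "$sev" "$1")
    new=$(count_severity "$sev" "$2")
    printf '%s %s %s %s\n' "$sev" "$old" "$new" "$((new - old))"
  done
}

# regression_check <old-summary> <new-summary>
# Returns 1 if the CRITICAL or HIGH count grew between old and new; growth in
# MEDIUM or LOW is only reported. Returns 0 otherwise.
regression_check() {
  rc=0
  # Feed the delta lines through a here-document (not a pipe) so that the
  # rc assignment inside the loop survives in this shell.
  while read -r sev old new delta; do
    if [ "$delta" -gt 0 ]; then
      case "$sev" in
        CRITICAL|HIGH) echo "regression: $sev $old -> $new" >&2; rc=1 ;;
        *) echo "note: $sev $old -> $new" ;;
      esac
    fi
  done <<EOF
$(severity_delta "$1" "$2")
EOF
  return "$rc"
}

# compare_images <old-tag> <new-tag>
# The real comparison from Step 7 (requires Docker and the Scout CLI plugin;
# not run in this example). The old tag goes to --to, the new tag is positional.
compare_images() {
  docker scout compare --to "$1" "$2"
}

# Demo: v1 -> v3 drops the CRITICAL finding and adds one MEDIUM, so it passes.
if [ "${1:-}" = "--demo" ]; then
  severity_delta "$V1_SUMMARY" "$V3_SUMMARY"
  regression_check "$V1_SUMMARY" "$V3_SUMMARY" && echo "no high-severity regression"
fi
```

Checking only CRITICAL and HIGH for regressions is a deliberate choice: a base-image update often shifts a few LOW or MEDIUM counts around, and failing the build on those would make the check too noisy to keep enabled.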
Conclusion
In this post we have explored Docker Scout: how to set it up, how to enable it, how to analyze image vulnerabilities, how to fix application vulnerabilities, and how to compare two images with different tags.
This post is part of Docker step by step