If you want to learn more about application vulnerabilities, and you missed DockerCon 21, you can go here for a recording of the DockerCon LIVE panel on Security, or watch a great session called ‘My Container Image Has 500 Vulnerabilities. And because this is Linux, we have open sourced the scanning CLI plugin… Go ahead, give it a try, or take a look at this page for other Docker open source projects that may help you to build, share and run your applications Directions for installing the Engine are provided in the Install Docker Engine section of Docker documentation, including instructions for several different distros, including CentOS, Debian, Fedora and Ubuntu. The major difference with scanning on Linux is that instead of upgrading your Docker Desktop, you will need to install or upgrade your Docker Engine. Vulnerability reports are also the same, listing for each vulnerability, information about severity levels, the image layers where vulnerabilities are manifested, the exploit maturity and remediation suggestions. Information about the docker scan command, with all the details about the supported flags, is provided in the Vulnerability Scanning for Docker Local Images section in the Docker documentation.
These flags include the options to add Dockerfiles with images submitted for scanning and to specify the minimum severity level for the reported vulnerabilities. The CLI command is the same docker scan, supporting all of the same flags. The experience of scanning on Linux is identical to what we have already launched for Desktop CLI, with scanning support for linux/amd64 (x86-64) Docker images. We are now making another update in our security journey, by bringing “docker scan” to the Docker CLI on Linux. Some of the examples of remediation include recommendations for alternative base images with lower vulnerability counts, or package upgrades that have already resolved the specified vulnerabilities. Vulnerability scan results also provide remediation guidance on things that you can do to remove the reported vulnerabilities.
The earlier in your development that you find these vulnerabilities, the easier and cheaper it is to fix them. We also added a scanning command to the Docker CLI on Docker Desktop for Mac and Windows, so that you can run vulnerability scans for images on your local machine. We incorporated scanning options into the Hub, so that you can configure your repositories to automatically scan all the pushed images.
We worked together with our partner Snyk to include security testing options along multiple points of your inner loop. At the end of last year we launched vulnerability scanning options as part of the Docker platform.
0 kommentar(er)
