Docker Community Forums


Best Practices With Security Scanning Docker Images

Hello,

I have a use case to provide a ready custom Kali Linux Docker Image on demand. To make things efficient I use Jenkins to pull the Dockerfile, build it, and push it to our container registry. However, I have been asked to try and verify the security posture of the image itself as well.

So, I installed and integrated the anchore plugin, the engine, etc. into Jenkins and verified it works, which it does. The problem I have now is:

Distro-specific feed data not found for distro namespace: kali:2021.3. Cannot perform CVE scan OS/distro packages","warn",false,"48e6f7d6-1765-11e8-b5f9-8b6f228548b6"]]}},"policy_data":[],"policy_name":"","whitelist_data":[],"whitelist_names":[]}

Basically, after the security scan using anchore there are no vulnerabilities listed, because it looks like Kali Linux OS is not a recognized Linux distribution. I do know the image packages are being inventoried, so anchore does seem to be working, and what makes things worse is Kali Linux is based off a supported Debian stable OS.

I am just wondering if anybody can provide me with some tips, such as how to force anchore to use Stable Debian as the OS, or if there are better tools out there?

Many Thanks,
Joe
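Example added to this thread (not Anchore's code and not from the original post): given an image's /etc/os-release, it derives the `id:version` namespace that the warning above names, checks it against an assumed feed list, and treats an empty finding list for an unsupported distro as "unscanned" so a Jenkins stage fails instead of passing an empty report as clean. The os-release text and the SUPPORTED_FEEDS set are constructed for the example.

```python
"""Decide whether a scanner's distro namespace is covered by feed data, so a
pipeline can fail on "not scanned" instead of passing an empty finding list.
Example code added to this thread; not from Anchore or the original post."""
import shlex

# Constructed sample of /etc/os-release for a Kali image (hypothetical but
# shaped like the real file: KEY=value lines, values optionally quoted).
KALI_OS_RELEASE = """\
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
ID_LIKE=debian
VERSION="2021.3"
VERSION_ID="2021.3"
"""

# Assumed set of distro namespaces the scanner has feed data for.
SUPPORTED_FEEDS = {"debian:10", "debian:11", "ubuntu:20.04", "alpine:3.14"}

def parse_os_release(text: str) -> dict:
    """Parse KEY=value lines; shlex strips the optional shell-style quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)
        fields[key] = parts[0] if parts else ""
    return fields

def distro_namespace(fields: dict) -> str:
    """Namespace in the 'id:version' form the warning in the thread shows."""
    return f"{fields.get('ID', 'unknown')}:{fields.get('VERSION_ID', '')}"

def assess(os_release: str, findings: list, supported=SUPPORTED_FEEDS) -> dict:
    fields = parse_os_release(os_release)
    ns = distro_namespace(fields)
    if ns in supported:
        return {"namespace": ns, "status": "scanned", "findings": len(findings)}
    # No feed for this distro: an empty finding list means "not scanned", not
    # "clean". ID_LIKE only names the parent distro's feed; Kali package
    # versions differ from Debian's, so it is a hint, not a substitute.
    return {"namespace": ns, "status": "unscanned",
            "parent_hint": fields.get("ID_LIKE"), "findings": len(findings)}

def gate(os_release: str, findings: list) -> bool:
    """True only when the CVE scan actually ran; use this to fail the build."""
    return assess(os_release, findings)["status"] == "scanned"
```

Call `gate()` from the Jenkins stage that reads the scan result and fail the build when it returns False; that turns the silent "no vulnerabilities listed" into a visible error.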