Clarification on functionality

I couldn’t specifically tell from the docs even though I tried to be specific. I’m looking for just a blanket statement answer on what docker scout offers. Does it scan the image layers, or what is within those layers?

For instance, if I used a windowsservercore base image, and that windowsservercore image somehow had a vulnerability in whichever image database, I understand that would flag as a vulnerability. That seems fairly obvious. However, if I used that base and then put some kind of software into the image, the next layer would be some command to put whatever software into the overall image.

Suppose that software has a vulnerability associated with it; would it flag? Maybe instead of a package I do something really useless, just for the sake of an example, and I just drop a NuGet package somewhere on the image that has a vulnerability. How would or could it detect vulnerabilities in either of these examples?

TL;DR, I’m trying to identify if docker scout scans image base layers, or scans what is within the images. Hope that’s a clear question…

Yes, Docker Scout scans layer by layer, and indicates in which layer the vulnerabilities are introduced, so long as they remain within the final image (like in a case where you fix a vulnerability at a later stage).

Thanks for the quick response to probably a basic question. I was just trying to wrap my head around how it could possibly identify said vulnerabilities. Like, a package just sitting on a machine, a specific DLL just being in some folder on the image? I can’t seem to wrap my head around how it would be able to reliably detect them. The other vulnerability detection software we use, for instance, requires a specific execution towards a code solution. I’m just trying to reliably be able to answer the question on how it scans what things you install INTO the image (that becomes a layer). Thanks for your patience.

It doesn’t scan the code itself as far as I know; it looks up the global vulnerability registry and matches the installed packages against it.

That’s how it knows to recommend a version that fixes that vulnerability.

As for the specifics, whether it matches filenames or scans some other way, I do not know.

How would it know a package was installed, for instance? If I built a set of code onto the machine, there might be a target I could supply to Scout for it to scan, but without doing that, could it really just scan every file and somehow identify by package name or something that a package was a vulnerability?

¯\_(ツ)_/¯
Perhaps it knows to read popular files such as package.json, requirements.txt, etc.
Perhaps it checks common installation paths

I can only speculate, sorry

It is a software composition analysis tool that creates an SBOM, which it then compares entry by entry against vulnerability databases.

On Linux the SBOM usually covers OS package versions and programming-language dependencies. It is not able to find any vulnerabilities in self-built applications through verification, but it will find vulnerable dependencies.

I am not sure if or how the SBOM is created on Windows images.
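The SCA flow the post above describes (build a package inventory, then compare it entry by entry against a vulnerability database), as a toy example added for this thread; it is not Docker Scout's own code and makes no claim about how Scout is implemented. It walks a directory standing in for an image's flattened filesystem, recovers package name and version pairs from the manifest files it knows (Debian's `/var/lib/dpkg/status`, a Python `requirements.txt`, a .NET `*.deps.json` listing restored NuGet packages) and matches them against a constructed advisory list by ecosystem, name and affected version range. All package names, versions and advisory IDs are constructed placeholders. The sample tree also contains a bare DLL dropped in a folder with no manifest, which is exactly the case the original question asks about: an inventory built from manifests never sees it.

```python
"""Toy SCA pass, added for this thread (not Docker Scout's code): walk a directory
standing in for an image's flattened filesystem, build a package inventory (a
minimal SBOM) from recognised manifest files, then match each entry against a
constructed advisory list by ecosystem, name and version range."""
import json
import os
import re
import tempfile
from collections import namedtuple

# Constructed advisory feed: a package is affected when introduced <= version < fixed.
# IDs, package names and versions are placeholders, not real CVEs or packages.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "pypi", "name": "examplelib", "introduced": "0", "fixed": "2.5.0"},
    {"id": "EXAMPLE-0002", "ecosystem": "nuget", "name": "Example.Serializer", "introduced": "0", "fixed": "13.0.1"},
    {"id": "EXAMPLE-0003", "ecosystem": "deb", "name": "examplessl", "introduced": "3.0.0", "fixed": "3.0.11"},
]

# source = the manifest file the entry was recovered from
Component = namedtuple("Component", "ecosystem name version source")

def parse_version(v):
    """Loose comparison key: '3.0.11-1' -> (3, 0, 11, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-~+]", v))

def parse_requirements(path):
    """Pinned entries (name==version) in a Python requirements.txt."""
    comps = []
    with open(path) as f:
        for line in f:
            m = re.match(r"^\s*([A-Za-z0-9_.\-]+)==([0-9][\w.\-]*)", line)
            if m:
                comps.append(Component("pypi", m.group(1).lower(), m.group(2), path))
    return comps

def parse_deps_json(path):
    """A .NET <app>.deps.json lists restored NuGet packages under 'libraries' as 'Name/Version'."""
    with open(path) as f:
        libs = json.load(f).get("libraries", {})
    return [Component("nuget", *key.split("/", 1), path)
            for key, lib in libs.items() if lib.get("type") == "package" and "/" in key]

def parse_dpkg_status(path):
    """Debian's /var/lib/dpkg/status: one Package:/Version: stanza per installed package."""
    comps, name = [], None
    with open(path) as f:
        for line in f:
            if line.startswith("Package:"):
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Version:") and name:
                comps.append(Component("deb", name, line.split(":", 1)[1].strip(), path))
            elif not line.strip():
                name = None
    return comps

def build_inventory(root):
    """Collect components from every manifest we know how to read; other files are skipped."""
    comps = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn == "requirements.txt":
                comps.extend(parse_requirements(path))
            elif fn.endswith(".deps.json"):
                comps.extend(parse_deps_json(path))
            elif fn == "status" and dirpath.endswith(os.path.join("var", "lib", "dpkg")):
                comps.extend(parse_dpkg_status(path))
    return comps

def match_advisories(components, advisories=ADVISORIES):
    """Entry-by-entry lookup: same ecosystem and name, version inside the affected range."""
    findings = []
    for c in components:
        v = parse_version(c.version)
        for a in advisories:
            if (a["ecosystem"] == c.ecosystem and a["name"].lower() == c.name.lower()
                    and parse_version(a["introduced"]) <= v < parse_version(a["fixed"])):
                findings.append((a["id"], c.name, c.version, a["fixed"], c.source))
    return findings

def build_sample_image_fs():
    """Constructed stand-in for a flattened image filesystem (a temp dir, not a real image)."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(text)
    write("var/lib/dpkg/status", "Package: examplessl\nVersion: 3.0.9-1\n\nPackage: base-files\nVersion: 12.4\n\n")
    write("app/requirements.txt", "examplelib==2.4.1\nothertool==1.0.0\n")
    write("app/MyService.deps.json", json.dumps({"libraries": {
        "Example.Serializer/12.0.3": {"type": "package"}, "MyService/1.0.0": {"type": "project"}}}))
    # A bare DLL dropped in a folder with no manifest: nothing above can inventory it.
    write("opt/loose/Example.Serializer.dll", "not a real assembly")
    return root

if __name__ == "__main__":
    for finding in match_advisories(build_inventory(build_sample_image_fs())):
        print(finding)
```

Running it reports three findings, one per manifest, each tagged with the file it came from (which is what lets a layer-aware scanner say where a vulnerable package was introduced). The loose DLL produces nothing, and `MyService` is skipped because its deps.json entry is a project, not a restored package: the inventory only knows what a manifest tells it, which is the limit the SBOM post describes for self-built code.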

Docker Scout scans not only the base image layer but also every additional layer you add. This includes any software, libraries, or files introduced at different stages, as long as they’re identifiable against known vulnerabilities in the database.

Thanks for the answers, all. The specifics were a little too ambiguous for me, so I was really trying to identify how it could possibly do “all” the scanning, but I think what I would need to do is install CycloneDX and generate an SBOM directly based on a solution build, to detect the stuff we build, and then, after the image is created (removing CycloneDX + the SBOM from the image before push), run Docker Scout on the created image.

Thanks again.