Docker Community Forums


Does docker vulnerability scan code artifact or dependencies?

Hi All,
I’m new to Docker and looking into Docker Hub vulnerability scanning for Windows Docker images. I am planning to use Docker Hub vulnerability scanning during the build process. Can someone please help me with the questions below?
1) How does Docker Hub scan code for vulnerabilities, and what does it scan in images (code artifacts/dependencies)?
2) What kind of data does Docker Hub upload to its servers? Just metadata, or code artifacts?

I can partially answer your first question, but I only have experience with scanning Linux images. Though I would be surprised if the approach were any different for Windows images.

Docker uses Snyk under the hood, which to my knowledge creates “fingerprints” of binaries and libraries and matches them against entries in the CVE database. This is purely static analysis. This is why it does not work for each and every base image (e.g. even though it works for Ubuntu, it might not work with an Ubuntu fork).
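To make the matching model described in the reply above concrete, here is an added toy example (not code from the poster, and not Snyk’s or Docker Hub’s implementation): it identifies the distro from the image’s /etc/os-release, reads the installed package list from the dpkg status file, and matches (distro, package, version) against an advisory feed. The advisory IDs, versions, file contents and the “examplefork” distro ID are all constructed for illustration, and the version ordering is a deliberate simplification of dpkg’s algorithm. It also shows the failure mode the reply mentions: a base image whose distro ID is not in the feed produces no findings, not because it is clean but because there is nothing to match against.

```python
"""Toy model of static image scanning: identify the distro from
/etc/os-release, read the installed package list from the dpkg status
file, and match (distro, package, version) against an advisory feed.
Added illustration only; it is not Snyk's or Docker Hub's code, and the
advisory IDs, versions and file contents below are constructed."""
import re

# Constructed advisory feed: per (distro, package), the version that first
# carries the fix. Real feeds are distro-specific, which is why an
# unrecognised distro (e.g. an Ubuntu fork with its own ID) cannot be matched.
ADVISORIES = {
    ("ubuntu", "openssl"): [("EXAMPLE-ADV-0001", "1.1.1f-1ubuntu2.16")],
    ("ubuntu", "libc6"):   [("EXAMPLE-ADV-0002", "2.31-0ubuntu9.9")],
}

def parse_os_release(text):
    """Return the ID= value of /etc/os-release (lower-cased), or None if absent."""
    for line in text.splitlines():
        m = re.match(r'^ID="?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1).lower()
    return None

def parse_dpkg_status(text):
    """Return {package: version} for installed packages in a dpkg status file."""
    packages = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(re.findall(r'^([A-Za-z-]+): (.*)$', stanza, re.M))
        if "installed" in fields.get("Status", ""):
            packages[fields["Package"]] = fields["Version"]
    return packages

def version_key(v):
    """Simplified ordering: split into numeric and alphabetic runs. Real
    scanners use the distro's own rules (dpkg --compare-versions on Debian
    and Ubuntu); the (tag, value) tuples keep mixed runs comparable."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r'\d+|[A-Za-z]+', v)]

def scan(os_release, dpkg_status):
    """Return (distro, findings). findings is None when the distro is not
    covered by the feed, i.e. the scanner cannot say anything about it."""
    distro = parse_os_release(os_release)
    if not any(d == distro for d, _ in ADVISORIES):
        return distro, None  # unrecognised base image: nothing to match against
    findings = []
    for pkg, ver in parse_dpkg_status(dpkg_status).items():
        for adv_id, fixed_in in ADVISORIES.get((distro, pkg), []):
            if version_key(ver) < version_key(fixed_in):
                findings.append((adv_id, pkg, ver, fixed_in))
    return distro, findings

# Constructed file contents standing in for files read out of an image layer.
UBUNTU_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="20.04"\n'
FORK_OS_RELEASE = 'NAME="Example Fork"\nID=examplefork\nID_LIKE=ubuntu\n'
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1ubuntu2.12

Package: libc6
Status: install ok installed
Version: 2.31-0ubuntu9.9

Package: curl
Status: install ok installed
Version: 7.68.0-1ubuntu2.14
"""

if __name__ == "__main__":
    for rel in (UBUNTU_OS_RELEASE, FORK_OS_RELEASE):
        distro, findings = scan(rel, DPKG_STATUS)
        if findings is None:
            print(f"{distro}: unsupported distro, no advisory feed to match against")
        else:
            print(f"{distro}: {len(findings)} finding(s)")
            for adv_id, pkg, ver, fixed_in in findings:
                print(f"  {adv_id}: {pkg} {ver} (fixed in {fixed_in})")
```

Nothing in the image is executed; the only inputs are files read out of the layers, which is what “purely static” means here. The practical consequence for the fork case is worth remembering when reading a clean report: “no findings” and “not supported” are different outcomes, and a scanner that does not distinguish them will make an unknown base image look safe.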