Docker Community Forums

Share and learn in the Docker community.

Pass docker security scanning

(Paulskinnerac) #1

I have used a variety of base images and none of my images seem to pass the security scanner. Even a simple image based on a recent Ubuntu base image fails the security scanner.

Can anyone give me some tips on how to get my images to pass security scanning?

(Ziontech) #2

Chasing a 100% score might be hard and maybe pointless, personally I think its worth looking through the security scan results and considering whether your application actually uses any of the components that are vulnerable and even if it does whether the attack vector exists in your application.

E.g. Many of the vulnerable components in our images are components like Libv8, except we only use Libv8 to compress our assets during build time, during runtime we don’t use Libv8 so any attack vectors resting on access to Libv8 are relatively safe to ignore.

The important things to pay attention to are services your publicly exposing, or components used by those services.
E.g. If you were exposing a PHP application on port 80 that took images and processed them using ImageMagick then it would be extra important that we pay attention to the security scanners results for both PHP, ImageMagick and any libraries that ImageMagick depends upon (libpng, etc).

I’m not saying don’t pay attention to the results, it can be hard to know for example that say libpng internally uses another library which itself is vulnerable, but I’m saying its certainly worth looking through the vulnerabilities and assessing them as to whether or not they apply to your application.

Hope this helps!

(Paulskinnerac) #3

It makes me wish they would kill the security scanning or make it an enterprise feature.

If you have a team of 5 developers building a website, you have better things to do then spending an hour a week patching software vonurabilities that aren’t yet fixed in your Linux distribution.

If the security scanning could tell me if the bug has been exploited in the wild to hack sites, that would be of some use to smaller teams. Otherwise it’s just fear mongering and taking my focus away from building a really usable world class site.

(Mpechnerle) #4

There are new CVE’s daily. Yup, someone needs to evaluate them. Need to spend time on it daily. Ignoring them gets you an equifax situation.