Vulnerability Scanning Changes

Hi,

Docker sent out an email recently about transitioning providers for vulnerability scanning. To say it was light on details would be an understatement. The “third party” it refers to is Snyk I assume? The “documentation” linked from the email doesn’t even appear to acknowledge the change, let alone provide any details.

Vulnerability scanning is kind of a serious feature. The lack of information in this announcement leaves me little alternative than to assume this will effectively be a downgrade for users, and the lack of detail is intended to obscure that being the case.

This communication (or rather lack thereof) is a stellar display of the ineptitude that makes it difficult to promote the use of Docker Hub in an organization without looking silly. Do better please Docker.

Thank you.

I don’t recall having received such an email. Can you share the subject and date of the email?

If I remember right, Docker Hub started using Snyk somewhere around October 2020.
So if you recently received an email about transitioning providers for vulnerability scanning, it would mean moving away from Snyk…

The docs still indicate that Snyk is used. These types of changes are usually accompanied by announcement blog posts.

Note: I am not a Docker employee.

Hi @garymoon I work as a part of DevRel Team at Docker. Would love to forward your message to the concerned team. I have DM’ed you via chat and would be great if you can forward me the email that you received. We are here to help you in case of any concern.

Hi meyay and ajeetraina,

Thanks for your responses. My apologies for not posting the original email, it didn’t occur to me that not everyone would be receiving it. I’ve attached a screenshot below.

In addition to my previous points of frustration, I’ll note that I received the email at both my work and personal email addresses on the date of the transition (Feb 24), which is obviously absurd, and that the “view online” link at the top doesn’t work (I can’t post with more than one attachment, but this is the link).

@ajeetraina I don’t seem to have any DMs. Please let me know if the screenshot isn’t sufficient and I’ll work on getting you a forwarded copy.

Thanks,
Gary.

@garymoon, thanks to your post, I started to look at my daily quarantine reports and found the mail.

It indeed feels rushed, as the link in the email that points to the documentation does not reflect the change. The mentioned third party must be Snyk.

The mail indicates that vulnerability scanning is now based on Atomist and does not just scan the OS packages, but also performs dependency scanning (I assume for package managers like maven/gradle, npm, nuget or others).

I am surprised that I didn’t find a blog post announcing this change.

“Rushed” implies we were notified some amount of time ahead of the change. This situation wouldn’t be acceptable for a free security-oriented feature, let alone one we pay for.

Hi @garymoon If you scroll down the recently uploaded Docker Scout page (Docker Scout: Container Vulnerability Scanning for Developers | Docker), you will find an FAQ that clearly states:

Will I still be able to use other security tools, such as Snyk, with Docker?

Yes. Docker is committed to supporting developers and their favorite tools and will continue to offer flexible integration whenever possible. Some security tools provide Docker Extensions to make integration even easier.

Hope that helps.

Also, it is important to note that Docker is building Docker Scout to sit as a layer on top of the Docker ecosystem to help developers build and maintain a secure software supply chain. Right now, Docker is focused on helping with vulnerability remediation; we think our CVE-to-package matching (using PURLs to help avoid false positives) and our SBOM-to-CVEdb matching (no need to rescan) are both nice improvements to the current Developer experience.
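To make the two ideas in the post above concrete (matching advisories to components by package URL rather than by bare name, and re-matching a stored SBOM against a newer advisory feed without rescanning the image), here is an added, self-contained example. It is not Docker Scout’s code and does not show how Scout works internally; the SBOM component list, the advisory records, the EXAMPLE-000x identifiers and the version-ordering rule are all constructed for this illustration.

```python
"""PURL-keyed SBOM-to-advisory matching (illustrative, not Docker Scout's code).

Constructed for this example: the SBOM, the advisory records, the
EXAMPLE-000x identifiers, and a deliberately simplified version comparator.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str        # ecosystem, e.g. "deb", "npm", "pypi"
    namespace: str   # e.g. "debian" for deb, "@scope" for npm, "" if none
    name: str
    version: str     # "" when the purl carries no version (advisory keys)


def parse_purl(s: str, require_version: bool = False) -> Purl:
    """Parse the subset of pkg:<type>/[<namespace>/]<name>[@<version>] used here.
    Qualifiers (?...) and subpaths (#...) are dropped; a literal '@' inside a
    namespace is percent-encoded per the purl spec, so rpartition('@') is safe."""
    if not s.startswith("pkg:"):
        raise ValueError(f"not a purl: {s}")
    body = s[len("pkg:"):].split("#", 1)[0].split("?", 1)[0].strip("/")
    if "@" in body:
        path, _, version = body.rpartition("@")
    else:
        path, version = body, ""
    if require_version and not version:
        raise ValueError(f"SBOM component has no version: {s}")
    parts = [unquote(p) for p in path.split("/")]
    if len(parts) < 2:
        raise ValueError(f"purl needs at least a type and a name: {s}")
    return Purl(parts[0].lower(), "/".join(parts[1:-1]), parts[-1], version)


def version_key(v: str) -> tuple[int, ...]:
    """Simplified ordering: split on non-digits, compare numerically.
    Good enough for this demo; real matching needs ecosystem-specific
    comparators (dpkg's '~' rule, semver pre-releases, PEP 440, ...)."""
    return tuple(int(x) for x in re.split(r"[^0-9]+", v) if x)


def purl_key(p: Purl) -> tuple[str, str, str]:
    return (p.type, p.namespace, p.name)


def name_only_key(p: Purl) -> str:
    return p.name


def find_vulnerable(sbom: list[str], advisories: list[dict], key=purl_key) -> dict[str, list[str]]:
    """Return {component purl: [advisory ids]} for components whose version is
    below the advisory's fixed_in. Only the stored SBOM and the advisory list
    are consulted, so a refreshed advisory feed can be re-matched against the
    same SBOM without rescanning the image."""
    index: dict = {}
    for adv in advisories:
        index.setdefault(key(parse_purl(adv["purl"])), []).append(adv)
    hits: dict[str, list[str]] = {}
    for comp in sbom:
        p = parse_purl(comp, require_version=True)
        for adv in index.get(key(p), []):
            if version_key(p.version) < version_key(adv["fixed_in"]):
                hits.setdefault(comp, []).append(adv["id"])
    return {c: sorted(ids) for c, ids in hits.items()}


# Constructed SBOM: note two unrelated packages that share the bare name "openssl".
SBOM = [
    "pkg:deb/debian/openssl@3.0.11-1",
    "pkg:npm/openssl@2.0.0",
    "pkg:pypi/requests@2.31.0",
    "pkg:npm/%40scope/left-pad@1.3.0",
]

# Constructed advisory feed, first snapshot. Identifiers are fictional.
ADVISORIES_V1 = [
    {"id": "EXAMPLE-0001", "purl": "pkg:deb/debian/openssl", "fixed_in": "3.0.13-1"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/requests", "fixed_in": "2.32.0"},
]

# Second snapshot: one new record for the npm package. No rescan needed to pick it up.
ADVISORIES_V2 = ADVISORIES_V1 + [
    {"id": "EXAMPLE-0003", "purl": "pkg:npm/openssl", "fixed_in": "2.1.0"},
]


if __name__ == "__main__":
    print("purl-keyed, feed v1:", find_vulnerable(SBOM, ADVISORIES_V1))
    print("name-only, feed v1: ", find_vulnerable(SBOM, ADVISORIES_V1, key=name_only_key))
    print("purl-keyed, feed v2:", find_vulnerable(SBOM, ADVISORIES_V2))
```

With the purl key, the Debian openssl package and the pypi requests package are flagged against the first feed, while the npm package that merely shares the name "openssl" is not; the name-only key flags it as a false positive. Re-running the same stored SBOM against the second feed snapshot picks up the new npm advisory without touching the image.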

Hi @ajeetraina, thanks for the update.

Unfortunately, it’s still missing the point. Docker sent an email on a Friday, notifying users of a security-oriented change that had already taken place, without sufficient detail to so much as determine what was changing. Paying users were left to their own devices to figure out WTF was happening and how it impacted them. After some sleuthing it turns out Docker is replacing (or rather, had already replaced) a de-facto standard security tool (all references to which have now been scrubbed with “third-party”, which is just embarrassing) with a similar offering from a recent acquisition. Not only was documentation not updated to reflect the replacement, let alone provide any detail about what might change, but there is also no standalone doc material on the replacement tool. The best Docker can apparently offer after the fact is a link to documentation for a feature I’ve never heard of indicating that I can do what I used to pay Docker to do for me myself. Fan-freakin-tastic.

It’s now been 5 days since the change was made known to me, and I still have no idea how it impacts me.

I’ve worked in this industry for almost twenty years, for companies both much larger and much smaller than Docker, and I cannot even begin to fathom how they managed to bungle this so completely :man_facepalming:

I think I understand your point. I don’t know the reason why it was handled like this and I will not attempt to figure it out. Docker could have a reason which we might never know. All I can do is try to give you more information based on what I know.

I know that there was a blog post about the acquisition of Atomist last year:

but it didn’t mention replacing Snyk.

When I first saw your post days ago and searched for Atomist, I could also find it in the documentation of Docker. I can still find the following URLs in my browser history:

https://docs.docker.com/atomist/
https://www.docker.com/products/atomist/

Now the first redirects to https://docs.docker.com/scout/
and the second is to https://www.docker.com/products/docker-scout/

So it was renamed since then, but it must still be Atomist, possibly changed and integrated more into Docker’s ecosystem.

To be honest I have never heard of Atomist before either. I must have missed the blog post too at that time, so I can understand what you feel.

On the other hand, I don’t think it would be a downgrade in Docker Hub as you mentioned in your first post. The whole story of my presence here on forums.docker.com started with the need of trying the vulnerability scanning about one and a half years ago. I think I was not sure what was behind the GUI or at least didn’t care. I believe Docker would not downgrade an existing and important feature (unless there is no other way for some reason) as it would affect many users. So I guess you will still get the same features. The question is how good Atomist (Docker Scout) will be at scanning compared to Snyk, and I am sure this is why you think, understandably, that it should have been communicated better so you can make your decision whether you trust in it or not, as you probably knew Snyk before you started to pay for Docker Hub’s vulnerability scanning.

At this point we can only test Docker Scout, make a decision now and hope future changes will be made with better communication.

Since I have a PRO account and for me it does not really matter what is responsible for the vulnerability scanning, I will definitely keep it.

In your case, can you share what you expect from Docker Hub’s vulnerability scanning and what you would consider a “downgrade”? If you can share that, someone from Docker or anyone who has an answer could try to help you make your decision.

Thanks for your reply rimelek, sorry I missed it.

To be clear, I’m already a paying customer, having recommended Docker Hub to my employer, and Docker’s complete ignorance of how to interact with customers is now egg on my face.

In your case, can you share what you expect from Docker Hub’s vulnerability scanning and what you would consider a “downgrade”? If you can share that, someone from Docker or anyone who has an answer could try to help you make your decision.

I think we might still be missing the point. A paid Docker subscription should be subtracting from the time I have to spend thinking about Docker. I’ll add some emphasis to a quote block of yours below to illustrate my point. Note that this is in no way a criticism of you or your words, but rather a criticism of Docker for leaving so much uncertainty around…everything.

On the other hand, I don’t think it would be a downgrade in Docker Hub as you mentioned in your first post. The whole story of my presence here on forums.docker.com started with the need of trying the vulnerability scanning about one and a half years ago. I think I was not sure what was behind the GUI or at least didn’t care. I believe Docker would not downgrade an existing and important feature (unless there is no other way for some reason) as it would affect many users. So I guess you will still get the same features. The question is how good Atomist (Docker Scout) will be at scanning compared to Snyk, and I am sure this is why you think, understandably, that it should have been communicated better so you can make your decision whether you trust in it or not, as you probably knew Snyk before you started to pay for Docker Hub’s vulnerability scanning.

We just…don’t know anything :man_shrugging:

The reason I popped over today was because I saved this thread from HN a couple of days ago. At least these poor people got some notice I guess? I’ll post the first couple top-level comments below. It’s a relief to find I’m far from the only one utterly perplexed by Docker’s inability to communicate.

#1

Whats phenomenal about this so far is that the email does not indicate:

    - what actually will happen to teams that don't become paid
    - what will get deleted on which timeline
    - whether others will be able to typosquat the images after the teams get deleted
    - how folks might handle cases where a team is owned by an oss org and has no central billing thing (fairly common)
    - how we might better handle bot users as part of paid teams

Also great is that the only way I’d know this was going on is by checking my email - I quickly went to their blog to look and didn’t find anything relating to this email.

If anything, I’d want to convert my teams (dokku and gliderlabs) back to single accounts, but there doesn’t seem to be a way to do that.

I get that there is a need to make the company profitable but maybe spend more than 5 minutes crafting the email and thinking of outcomes for your users (who are already pissed at your pricing changes). This only makes me feel like I should move my hosting to something paid (ECR?), delete the org, and then typosquat the images.

#2

Utterly confusing messaging from Docker once again, and this is from a prior advocate for early Docker, and part of their Captains program for several years.

The wording seems clear that they are going to delete all data and lock access unless payment is received within 30 days, whether there are public or private repos in the organisation.

I pay for a personal account, however my main concern is people taking over the official account names and publishing poison images which people are used to pulling already, and won’t even think to check if the account ownership has changed.

I’ve asked the CTO to comment on Twitter.

https://twitter.com/alexellisuk/status/1635679295891812359?s…

(Naturally there appears to be no reply on Twitter.)

#3

Docker: We’re making 100 million/year in revenue and everyone is treating us as the trusted place to work with docker images–we’re a huge success!

“For our next act, let’s hold their images hostage and threaten to kill them in 30 days unless they pay a ransom!”

I mean, it’s ok to hate your users, but maybe just don’t make it so obvious?

People who work in comms/marketing/c-level at Docker:
image

If it matters, Docker is learning

I understood you, but this is a community forum and I am a community member, so I am thinking as such :slight_smile: and trying to learn from your opinions, which might point out something that would affect others, maybe even me, so I can do some research to find out if it will happen. You can see from my words that you emphasized that “I believe”, but I may be wrong. Docker could have released the initial scanning feature without telling us what is behind it (let’s imagine the contract would have allowed it) and changed it later. From my point of view the most important thing is to get the same feature. If I get that, I don’t care what is behind it. Snyk has a well-known name and we knew very well that it was behind the vulnerability scanning, and this is what changes how we judge the change of the feature. If Snyk changes anything in its own product, most of us probably think it is an improvement.

So I get that it was not communicated well, but we can’t change that. We can only ask for more information and clarification, which you did here! And all I can do is offer my help to get more, but it is easier if I have a specific question to ask or search for. Of course I understand if you don’t want to “think more about Docker” on your busy days. In that case, I just wish you a nice day and thank you for sharing your opinion and questions in a civilized way!