Docker recently released Docker Scout, a tool for scanning images for security vulnerabilities. I tried it out while working on a task to improve my project’s security score and found it very useful. Here’s how you can use it to identify security vulnerabilities.
Use `docker scout cves`.
There are a few different subcommands under `docker scout`, but I found the `cves` command to be the most immediately helpful when tracking down insecure packages.
The command accepts any image name, so you can use locally built images or pull one from a remote repository.
This is a small snippet of the output I got when scanning the `node:18.16.0` image:

```
kelsey@Kelseys-MacBook-Pro ~ % docker scout cves node:18.16.0
INFO New version 0.22.3 available (installed version is 0.16.1)
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 773 packages
    ✗ Detected 37 vulnerable packages with a total of 94 vulnerabilities

   0C     1H     0M     1L  postgresql-15 15.3-0+deb12u1
pkg:deb/debian/postgresql-15@15.3-0+deb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2023-39417
      https://scout.docker.com/v/CVE-2023-39417
      Affected range : >=15.3-0+deb12u1
      Fixed version  : not fixed

    ✗ LOW CVE-2023-39418
      https://scout.docker.com/v/CVE-2023-39418
      Affected range : >=15.3-0+deb12u1
      Fixed version  : not fixed

   0C     0H     3M     0L  linux 6.1.27-1
pkg:deb/debian/linux@6.1.27-1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ MEDIUM CVE-2020-15802
      https://scout.docker.com/v/CVE-2020-15802
      Affected range : >=6.1.15-1
      Fixed version  : not fixed

    ✗ MEDIUM CVE-2022-38096
      https://scout.docker.com/v/CVE-2022-38096
      Affected range : >=6.1.15-1
      Fixed version  : not fixed

    ✗ MEDIUM CVE-2020-26555
      https://scout.docker.com/v/CVE-2020-26555
      Affected range : >=6.1.15-1
      Fixed version  : not fixed

95 vulnerabilities found in 37 packages
  UNSPECIFIED  3
  LOW          83
  MEDIUM       6
  HIGH         3
  CRITICAL     0
```
The command lists out all packages with vulnerabilities and provides links to the relevant CVE. It also includes details about the affected versions and fixed versions when applicable. The output can be a little overwhelming, but some really useful flags can help you process all the information.
Show vulnerable package locations.
I found `--locations` to be the most useful flag. I was experimenting with Scout because my Azure container scan was reporting a vulnerability with `semver` that I was having trouble finding in the image, and the `--locations` flag immediately helped me spot it:

```
kelsey@Kelseys-MacBook-Pro ~ % docker scout cves --locations node:18.16.0
INFO New version 0.22.3 available (installed version is 0.16.1)
    ✓ Pulled
    ✓ SBOM of image already cached, 773 packages indexed
    ✗ Detected 37 vulnerable packages with a total of 94 vulnerabilities

   0C     0H     1M     0L  semver 7.3.8
pkg:npm/semver@7.3.8
  7: sha256:b8e86fd77190e3a8cdb02b2e99e07b3eafd41a686b44cec2234ec25e57a3eef0
     /usr/local/lib/node_modules/npm/node_modules/semver/package.json

    ✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-25883
      Affected range : >=7.0.0
                     : <7.5.2
      Fixed version  : 7.5.2
      CVSS Score     : 5.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
```
Unfortunately, you still have to search through the output for the package name, but the extra output from the `--locations` flag helped me figure out that this version of `semver` came from the base image and was not a package we had installed.
Limit the list of vulnerabilities.
You can also use `--only-fixed` together with `--only-severity` to limit the list of vulnerabilities that are printed out. This can be helpful when you have a lot of vulnerabilities and a limited amount of time to address them, since it lets you focus on the highest-risk vulnerabilities that are actually fixable.

```
kelsey@Kelseys-MacBook-Pro ~ % docker scout cves --only-fixed --only-severity high node:18.16.0
INFO New version 0.22.3 available (installed version is 0.16.1)
    ✓ Pulled
    ✓ SBOM of image already cached, 773 packages indexed
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities

   0C     1H     0M     0L  libx11 2:1.8.4-2
pkg:deb/debian/libx11@2:1.8.4-2?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2023-3138
      https://scout.docker.com/v/CVE-2023-3138
      Affected range : <2:1.8.4-2+deb12u1
      Fixed version  : 2:1.8.4-2+deb12u1

   0C     1H     0M     0L  libxml2 2.9.14+dfsg-1.2
pkg:deb/debian/libxml2@2.9.14+dfsg-1.2?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2022-2309
      https://scout.docker.com/v/CVE-2022-2309
      Affected range : <2.9.14+dfsg-1.3~deb12u1
      Fixed version  : 2.9.14+dfsg-1.3~deb12u1

2 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    0
  HIGH      2
  CRITICAL  0
```
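Scout's own filters cover most of the triage above, but the text report is still what you end up reading. The following Python is an added example, not code from the post or from Docker: it parses a constructed report laid out like the scans above into structured findings, then applies the same fixable-high/critical filter and the by-package lookup the author did by hand. The regexes are keyed to the layout shown on this page and would need adjusting if Scout changes its output format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the layout docker scout cves prints (values from the scans above).
SAMPLE = """\
   0C     1H     0M     1L  postgresql-15 15.3-0+deb12u1
    ✗ HIGH CVE-2023-39417
      Fixed version  : not fixed
   0C     0H     1M     0L  semver 7.3.8
pkg:npm/semver@7.3.8
     /usr/local/lib/node_modules/npm/node_modules/semver/package.json
    ✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
      Fixed version  : 7.5.2
   0C     1H     0M     0L  libx11 2:1.8.4-2
    ✗ HIGH CVE-2023-3138
      Fixed version  : 2:1.8.4-2+deb12u1
"""

PKG_RE = re.compile(r"^\s*\d+C\s+\d+H\s+\d+M\s+\d+L\s+(\S+)\s+(\S+)\s*$")  # severity counts + package
CVE_RE = re.compile(r"^\s*✗\s+(CRITICAL|HIGH|MEDIUM|LOW|UNSPECIFIED)\s+(CVE-\d{4}-\d+)")
FIX_RE = re.compile(r"^\s*Fixed version\s*:\s*(.+?)\s*$")
LOC_RE = re.compile(r"^\s*(/\S+)\s*$")  # file path printed under --locations

@dataclass
class Finding:
    package: str
    version: str
    severity: str
    cve: str
    fixed: str | None = None     # None when Scout prints "not fixed"
    location: str | None = None  # only present when --locations was used

def parse_scout_cves(text: str) -> list[Finding]:
    findings: list[Finding] = []
    pkg = ver = loc = None
    for line in text.splitlines():
        if m := PKG_RE.match(line):            # a new package block starts
            pkg, ver, loc = m.group(1), m.group(2), None
        elif m := LOC_RE.match(line):          # path belongs to the current package
            loc = m.group(1)
        elif (m := CVE_RE.match(line)) and pkg:
            findings.append(Finding(pkg, ver, m.group(1), m.group(2), location=loc))
        elif (m := FIX_RE.match(line)) and findings:
            findings[-1].fixed = None if m.group(1) == "not fixed" else m.group(1)
    return findings

def triage(findings, severities=("CRITICAL", "HIGH"), only_fixed=True, package=None):
    # Same effect as --only-severity / --only-fixed, plus the manual package search
    return [f for f in findings if f.severity in severities
            and (f.fixed or not only_fixed) and (package is None or f.package == package)]
```

Scout releases newer than the 0.16.1 shown here also accept `--only-package <name>`, which does the package lookup in the tool itself; check `docker scout cves --help` for the flags your version supports.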
What’s next for Docker Scout?
I anticipate using `docker scout` a lot in the future. Security scans in CI/CD pipelines usually have a long feedback loop, since they typically require building the application and running the entire test suite before even beginning the container scanning step. `docker scout cves` provides quick feedback in your local environment so you can determine if you have resolved a vulnerability before pushing your changes and waiting for the full scan results.