Use Docker Scout to Identify Security Vulnerabilities

Docker recently released Docker Scout, a tool for scanning images for security vulnerabilities. I tried it out while working on a task to improve my project’s security score and found it very useful. Here’s how you can use it to identify security vulnerabilities.

Use docker scout cves.

There are a few different subcommands under docker scout, but I found the cves command to be the most immediately helpful when tracking down insecure packages.

The command accepts any image name, so you can use locally built images or pull one from a remote repository.

This is a small snippet of the output I got when scanning the node:18.16.0 image:

kelsey@Kelseys-MacBook-Pro ~ % docker scout cves node:18.16.0
INFO New version 0.22.3 available (installed version is 0.16.1)
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 773 packages
    ✗ Detected 37 vulnerable packages with a total of 94 vulnerabilities

   0C     1H     0M     1L  postgresql-15 15.3-0+deb12u1
pkg:deb/debian/postgresql-15@15.3-0+deb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2023-39417
      https://scout.docker.com/v/CVE-2023-39417
      Affected range : >=15.3-0+deb12u1
      Fixed version  : not fixed

    ✗ LOW CVE-2023-39418
      https://scout.docker.com/v/CVE-2023-39418
      Affected range : >=15.3-0+deb12u1
      Fixed version  : not fixed

   0C     0H     3M     0L  linux 6.1.27-1
pkg:deb/debian/linux@6.1.27-1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ MEDIUM CVE-2020-15802
      https://scout.docker.com/v/CVE-2020-15802
      Affected range : >=6.1.15-1
      Fixed version  : not fixed

    ✗ MEDIUM CVE-2022-38096
      https://scout.docker.com/v/CVE-2022-38096
      Affected range : >=6.1.15-1
      Fixed version  : not fixed

    ✗ MEDIUM CVE-2020-26555
      https://scout.docker.com/v/CVE-2020-26555
      Affected range : >=6.1.15-1
      Fixed version  : not fixed

95 vulnerabilities found in 37 packages
  UNSPECIFIED  3
  LOW          83
  MEDIUM       6
  HIGH         3
  CRITICAL     0

The command lists every package with known vulnerabilities and links each finding to its CVE. It also shows the affected version range and the fixed version, or "not fixed" when no patched version exists yet. The output can be a little overwhelming, but a few useful flags help you process all the information.

Show vulnerable package locations.

I found --locations to be the most useful flag. I was experimenting with Scout because my Azure container scan was reporting a vulnerability with semver that I was having trouble finding in the image, and the --locations flag immediately helped me spot it:

kelsey@Kelseys-MacBook-Pro ~ % docker scout cves --locations node:18.16.0
INFO New version 0.22.3 available (installed version is 0.16.1)
    ✓ Pulled
    ✓ SBOM of image already cached, 773 packages indexed
    ✗ Detected 37 vulnerable packages with a total of 94 vulnerabilities

   0C     0H     1M     0L  semver 7.3.8
pkg:npm/semver@7.3.8

    7: sha256:b8e86fd77190e3a8cdb02b2e99e07b3eafd41a686b44cec2234ec25e57a3eef0
       /usr/local/lib/node_modules/npm/node_modules/semver/package.json

    ✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-25883
      Affected range : >=7.0.0
                     : <7.5.2
      Fixed version  : 7.5.2
      CVSS Score     : 5.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Unfortunately, you still have to search through the output for the package name, but the extra output from the --locations flag helped me figure out that this version of semver came from the base image and was not a package we had installed.
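The search described above, written out as an added helper (not from the original post, and not part of Docker Scout): a small awk filter that pulls one package's section, the file path Scout attributed it to, or its CVE list out of a saved report, so you can pipe `docker scout cves --locations IMAGE` into it instead of scrolling. The report text embedded below is a constructed sample shaped like the output above; `scout_extract` and its mode names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not part of the original post): pull one package's section out
# of a `docker scout cves --locations` report instead of scrolling for it.
#
#   docker scout cves --locations node:18.16.0 | scout_extract block semver
#   docker scout cves --locations node:18.16.0 | scout_extract location semver
#   docker scout cves --locations node:18.16.0 | scout_extract cves postgresql-15

# scout_extract MODE PACKAGE  (reads the report on stdin)
#   block     -> the whole section for PACKAGE
#   location  -> only the file path(s) Scout attributed the package to
#   cves      -> "SEVERITY CVE-ID" for each finding listed under PACKAGE
scout_extract() {
  awk -v mode="$1" -v pkg="$2" '
    # A package header is four severity counts followed by name and version:
    #    0C     0H     1M     0L  semver 7.3.8
    /^[ \t]*[0-9]+C[ \t]+[0-9]+H[ \t]+[0-9]+M[ \t]+[0-9]+L[ \t]+/ {
      in_block = ($5 == pkg)
      if (in_block && mode == "block") print
      next
    }
    # The summary footer ends the last package section.
    /vulnerabilities found in/ { in_block = 0 }
    !in_block { next }
    mode == "block"                    { print }
    mode == "location" && $1 ~ /^\//   { print $1 }
    mode == "cves"     && $3 ~ /^CVE-/ { print $2, $3 }
  '
}

# Constructed sample report, shaped like the --locations output quoted in the post.
SAMPLE=$(cat <<'EOF'
    ✗ Detected 2 vulnerable packages with a total of 3 vulnerabilities

   0C     0H     1M     0L  semver 7.3.8
pkg:npm/semver@7.3.8

    7: sha256:b8e86fd77190e3a8cdb02b2e99e07b3eafd41a686b44cec2234ec25e57a3eef0
       /usr/local/lib/node_modules/npm/node_modules/semver/package.json

    ✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-25883
      Affected range : >=7.0.0
                     : <7.5.2
      Fixed version  : 7.5.2

   0C     1H     0M     1L  postgresql-15 15.3-0+deb12u1
pkg:deb/debian/postgresql-15@15.3-0+deb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2023-39417
      https://scout.docker.com/v/CVE-2023-39417
      Affected range : >=15.3-0+deb12u1
      Fixed version  : not fixed

    ✗ LOW CVE-2023-39418
      https://scout.docker.com/v/CVE-2023-39418
      Affected range : >=15.3-0+deb12u1
      Fixed version  : not fixed

3 vulnerabilities found in 2 packages
  LOW       1
  MEDIUM    1
  HIGH      1
  CRITICAL  0
EOF
)

# Stand-alone demo on the sample: where does semver live, and what is open on postgresql-15?
printf '%s\n' "$SAMPLE" | scout_extract location semver
printf '%s\n' "$SAMPLE" | scout_extract cves postgresql-15
```

The `location` mode answers the question the post raises directly: a path under `/usr/local/lib/node_modules/npm/...` tells you the package arrived with the base image's bundled npm, not with your own `npm install`, so the fix is a base-image bump rather than a lockfile change.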

Limit the list of vulnerabilities.

You can also use --only-fixed together with --only-severity to limit the list of vulnerabilities that are printed out. This can be helpful when you have a lot of vulnerabilities and a limited amount of time to address them since it lets you focus on the highest-risk vulnerabilities that are actually fixable.

kelsey@Kelseys-MacBook-Pro ~ % docker scout cves --only-fixed --only-severity high node:18.16.0
INFO New version 0.22.3 available (installed version is 0.16.1)
    ✓ Pulled
    ✓ SBOM of image already cached, 773 packages indexed
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities

   0C     1H     0M     0L  libx11 2:1.8.4-2
pkg:deb/debian/libx11@2:1.8.4-2?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2023-3138
      https://scout.docker.com/v/CVE-2023-3138
      Affected range : <2:1.8.4-2+deb12u1
      Fixed version  : 2:1.8.4-2+deb12u1

   0C     1H     0M     0L  libxml2 2.9.14+dfsg-1.2
pkg:deb/debian/libxml2@2.9.14+dfsg-1.2?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2022-2309
      https://scout.docker.com/v/CVE-2022-2309
      Affected range : <2.9.14+dfsg-1.3~deb12u1
      Fixed version  : 2.9.14+dfsg-1.3~deb12u1

2 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    0
  HIGH      2
  CRITICAL  0
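A local gate built on the same filters, as an added example (not from the original post and not part of Docker Scout): it reads the summary footer of a saved report and fails when the fixable HIGH or CRITICAL counts exceed a threshold, which is the check to run before pushing rather than waiting for the CI scan. `scout_gate`, `scout_check` and the embedded sample footer are this example's own; the `--exit-code` flag and the comma-separated `--only-severity critical,high` form come from Docker's CLI reference rather than from the post.

```shell
#!/usr/bin/env sh
# Added example (not part of the original post): a local pre-push gate built on
# the filters the post uses, so a scan that still shows fixable high/critical
# findings fails before the slow CI pipeline ever runs.
#
#   scout_check node:18.16.0          # fail on any fixable HIGH or CRITICAL
#   scout_check node:18.16.0 2 0      # tolerate up to 2 HIGH, no CRITICAL

# scout_gate MAX_HIGH MAX_CRITICAL  (reads a `docker scout cves` report on stdin)
# Parses the summary footer ("HIGH 2", "CRITICAL 0") and returns
#   0 if both counts are within the thresholds,
#   1 if either exceeds them,
#   2 if no summary footer was found (the scan did not complete).
scout_gate() {
  awk -v max_high="$1" -v max_crit="$2" '
    /vulnerabilities found in/ { in_summary = 1; next }
    in_summary && $1 == "HIGH"     { high = $2 }
    in_summary && $1 == "CRITICAL" { crit = $2 }
    END {
      if (!in_summary) {
        print "scout_gate: no summary footer found in report" > "/dev/stderr"
        exit 2
      }
      if (high + 0 > max_high + 0 || crit + 0 > max_crit + 0) {
        printf "scout_gate: FAIL  high=%d (max %d)  critical=%d (max %d)\n", high, max_high, crit, max_crit
        exit 1
      }
      printf "scout_gate: OK    high=%d  critical=%d\n", high, crit
    }
  '
}

# scout_check IMAGE [MAX_HIGH] [MAX_CRITICAL]
# --only-fixed and --only-severity are the flags the post demonstrates;
# --exit-code (from Docker's CLI reference, not shown in the post) makes the
# scan itself return non-zero when it reports anything. The gate then applies
# per-project thresholds on top of that, and the saved report stays greppable.
scout_check() {
  report=$(mktemp) || return 2
  docker scout cves --only-fixed --only-severity critical,high --exit-code "$1" > "$report" || true
  if scout_gate "${2:-0}" "${3:-0}" < "$report"; then status=0; else status=$?; fi
  rm -f "$report"
  return "$status"
}

# Constructed sample footer, shaped like the filtered report quoted in the post.
SAMPLE_REPORT=$(cat <<'EOF'
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities

2 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    0
  HIGH      2
  CRITICAL  0
EOF
)

# Stand-alone demo on the sample: the strict gate fails, the relaxed gate passes.
printf '%s\n' "$SAMPLE_REPORT" | scout_gate 0 0 || echo "(blocked: fix the two HIGH findings before pushing)"
printf '%s\n' "$SAMPLE_REPORT" | scout_gate 2 0
```

Treating a missing footer as its own failure code matters: a scan that aborted (network error, image not found) prints no summary, and a gate that read "zero findings" into that silence would pass an image it never inspected.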

What’s next for Docker Scout?

I anticipate using docker scout a lot in the future. Security scans in CI/CD pipelines usually have a long feedback loop since they typically require building the application and running the entire test suite before even beginning the container scanning step. docker scout cves provides quick feedback in your local environment so you can determine if you have resolved a vulnerability before pushing your changes and waiting for the full scan results.
