HxHippy

Image Scanning

Scan Docker images for vulnerabilities and security issues.

Last updated: 2025-01-15

Docker Image Scanning

Identify vulnerabilities before deployment.

Docker Scout (Built-in)

# Analyze image
docker scout cves myimage:latest

# Get recommendations
docker scout recommendations myimage:latest

# Quickview summary
docker scout quickview myimage:latest

# Compare images (vulnerability diff of the first image against the one given with --to)
docker scout compare --to myimage:v1 myimage:v2

# SBOM (Software Bill of Materials)
docker scout sbom myimage:latest

Trivy (Open Source)

# Install
brew install trivy  # macOS
sudo apt install trivy  # Debian/Ubuntu

# Scan image
trivy image myimage:latest

# Scan with severity filter
trivy image --severity HIGH,CRITICAL myimage:latest

# Output as JSON
trivy image -f json -o results.json myimage:latest

# Scan filesystem (for CI); --scanners replaces the deprecated --security-checks flag,
# and "misconfig" is the current name of the "config" scanner
trivy fs --scanners vuln,misconfig .

Grype

# Install
brew install grype

# Scan image
grype myimage:latest

# Fail on severity
grype myimage:latest --fail-on high

CI/CD Integration

GitHub Actions

- name: Scan image
  # pin @master to a release tag or commit SHA so the scanner step is reproducible
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myimage:latest
    severity: 'CRITICAL,HIGH'
    exit-code: '1'

GitLab CI

scan:
  stage: security
  image:
    name: aquasec/trivy:latest   # runner image with trivy preinstalled
    entrypoint: [""]             # clear the image entrypoint so the script's trivy call runs as written
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

SBOM Generation

# Generate with Syft
syft myimage:latest -o json > sbom.json

# Generate with Docker (requires the docker sbom CLI plugin)
docker sbom myimage:latest

# Scan SBOM for vulnerabilities
grype sbom:./sbom.json

Remediation

# View fix versions (the "Fixed Version" column; empty means no upstream fix is available yet)
trivy image --severity HIGH,CRITICAL myimage:latest

# Update the base image to a patched tag in the Dockerfile
FROM node:20.10.0-alpine3.19  # Latest patched version

# Rebuild and rescan to confirm the findings are gone
docker build -t myimage:latest .
trivy image myimage:latest

Scanning Workflow

#!/bin/bash
set -euo pipefail

IMAGE="myimage:latest"

echo "Building image..."
docker build -t "$IMAGE" .

echo "Scanning for vulnerabilities..."
# --exit-code 1 makes trivy return non-zero on a CRITICAL finding; set -e then aborts the script here
trivy image --exit-code 1 --severity CRITICAL "$IMAGE"

echo "Generating SBOM..."
syft "$IMAGE" -o json > sbom.json

echo "Image passed security scan"

Best Practices

  1. Scan in CI/CD - Before pushing to registry
  2. Block critical CVEs - Fail build on critical
  3. Use allowlists - For false positives
  4. Update base images - Regularly rebuild
  5. Generate SBOMs - For supply chain security
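Practices 2 and 3 combined as a CI gate over the JSON written by `trivy image -f json -o results.json`: fail on findings at or above a severity threshold, but skip CVE IDs that were reviewed as false positives. This is an added example, not code from the original page or from the Trivy project; the report below is a constructed sample that follows Trivy's JSON field names, and the allowlist (a set of CVE IDs) is a hypothetical format, since Trivy's own .trivyignore file serves the same purpose natively.

```python
import json
import sys

# Constructed sample in the shape of `trivy image -f json` output (not a real scan).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "myimage:latest (alpine 3.19.0)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
         "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.5-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
         "InstalledVersion": "1.36.1-r15", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
         "InstalledVersion": "1.3-r2", "FixedVersion": "1.3.1-r0", "Severity": "MEDIUM"},
    ],
}]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def gate(report_json, threshold="HIGH", allowlist=()):
    """Return findings at or above `threshold` whose CVE ID is not in `allowlist`.

    `allowlist` holds IDs reviewed as false positives or accepted risk (hypothetical
    format: a set of IDs; Trivy's own .trivyignore file serves the same purpose).
    """
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for result in report.get("Results", []):
        # "Vulnerabilities" is null in Trivy output when a target is clean
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < min_rank:
                continue
            if v["VulnerabilityID"] in allowlist:
                continue
            blocking.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v["Severity"],
                # empty FixedVersion: no upstream fix yet, so rebuilding will not clear it
                "fix": v.get("FixedVersion") or None,
            })
    return blocking


if __name__ == "__main__":
    findings = gate(SAMPLE_REPORT, "HIGH", allowlist={"CVE-0000-0002"})
    for f in findings:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} fix={f['fix'] or 'none'}")
    sys.exit(1 if findings else 0)  # non-zero exit fails the CI job
```

In a pipeline, replace SAMPLE_REPORT with the contents of results.json and load the allowlist from a reviewed file kept in the repository so every accepted CVE has a visible record.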