Docker Image Scanning
Identify vulnerabilities before deployment.
Docker Scout (Built-in)
# Analyze image
docker scout cves myimage:latest
# Get recommendations
docker scout recommendations myimage:latest
# Quickview summary
docker scout quickview myimage:latest
# Compare images
docker scout compare myimage:v1 myimage:v2
# SBOM (Software Bill of Materials)
docker scout sbom myimage:latest

Trivy (Open Source)
# Install
brew install trivy # macOS
sudo apt install trivy # Debian/Ubuntu
# Scan image
trivy image myimage:latest
# Scan with severity filter
trivy image --severity HIGH,CRITICAL myimage:latest
# Output as JSON
trivy image -f json -o results.json myimage:latest
# Scan filesystem (for CI); newer Trivy releases name the flag --scanners vuln,misconfig
trivy fs --security-checks vuln,config .

Grype
# Install
brew install grype
# Scan image
grype myimage:latest
# Fail on severity
grype myimage:latest --fail-on high

CI/CD Integration
GitHub Actions
- name: Scan image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myimage:latest
    severity: 'CRITICAL,HIGH'
    exit-code: '1'

GitLab CI
scan:
  stage: security
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

SBOM Generation
# Generate with Syft
syft myimage:latest -o json > sbom.json
# Generate with Docker
docker sbom myimage:latest
# Scan SBOM for vulnerabilities
grype sbom:./sbom.json

Remediation
# View fix versions
trivy image --severity HIGH,CRITICAL myimage:latest
# Update base image
# Dockerfile (a comment after FROM is not allowed; it must be on its own line)
# Latest patched version
FROM node:20.10.0-alpine3.19
# Rebuild and rescan
docker build -t myimage:latest .
trivy image myimage:latest

Scanning Workflow
#!/bin/bash
set -e
IMAGE="myimage:latest"
echo "Building image..."
docker build -t "$IMAGE" .
echo "Scanning for vulnerabilities..."
trivy image --exit-code 1 --severity CRITICAL "$IMAGE"
echo "Generating SBOM..."
syft "$IMAGE" -o json > sbom.json
echo "Image passed security scan"

Best Practices
- Scan in CI/CD - Before pushing to registry
- Block critical CVEs - Fail build on critical
- Use allowlists - For false positives
- Update base images - Regularly rebuild
- Generate SBOMs - For supply chain security
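The CI gate and allowlist practices above, as an added example that is not part of the original page: a small Python gate that reads a `trivy image -f json` report, skips findings whose CVE id has a documented allowlist entry, and returns a non-zero exit code when anything at or above the severity threshold remains. The report, CVE ids, packages and versions below are constructed placeholders.

```python
import json
from typing import Dict, List

# Trivy severity levels, ranked so a finding blocks when it is at or above the threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the shape of `trivy image -f json` output (Results -> Vulnerabilities).
# The CVE ids, packages and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myimage:latest",
    "Results": [{
        "Target": "myimage:latest (alpine 3.19.0)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
             "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.4-r1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH",
             "InstalledVersion": "1.36.1-r0", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM",
             "InstalledVersion": "1.3-r0", "FixedVersion": "1.3-r1"},
        ],
    }],
})

# Constructed allowlist: CVE id -> reason, so every accepted risk is written down and reviewable.
ALLOWLIST = {"CVE-0000-0002": "no fix upstream; affected busybox applet is not used in this image"}


def blocking_findings(report_json: str, threshold: str, allowlist: Dict[str, str]) -> List[dict]:
    """Findings at or above `threshold` severity that are not explicitly allowlisted."""
    floor = SEVERITY_RANK[threshold.upper()]
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits the "Vulnerabilities" key entirely for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN").upper(), 0)
            if rank < floor or vuln["VulnerabilityID"] in allowlist:
                continue
            blocking.append({"id": vuln["VulnerabilityID"], "package": vuln["PkgName"],
                             "severity": vuln["Severity"], "installed": vuln["InstalledVersion"],
                             "fixed": vuln.get("FixedVersion") or "no fix available"})
    return blocking


def gate(report_json: str, threshold: str = "HIGH", allowlist: Dict[str, str] = ALLOWLIST) -> int:
    """CI exit code: 1 when any blocking finding remains, 0 when the image may be pushed."""
    findings = blocking_findings(report_json, threshold, allowlist)
    for f in findings:
        print(f"BLOCK {f['severity']} {f['id']} {f['package']} {f['installed']} -> {f['fixed']}")
    return 1 if findings else 0
```

In a pipeline, feed it the file written by `trivy image -f json -o results.json myimage:latest`; for the plain id-only case Trivy's own `.trivyignore` file gives the same effect without a script.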