With the latest Docker Desktop 4.17 release, the Docker team introduced Docker Scout. Docker Scout is a collection of software supply chain features that appear throughout Docker user interfaces and the command line interface (CLI). These features provide detailed insights into the composition and security of container images.
There are various security tools available today in the market. While there are similarities and differences between all tools of this nature, Docker Scout stands out by offering both visibility into the dependencies called in specific layers of the images, and remediation options directly in existing developer workflows. Particularly, Advanced image analysis not only lets you analyze the vulnerabilities in your dependencies but also provides you with remediation options that help you to act quickly.
If a vulnerability is present in the base image, Docker Scout will check for any updated or patched base images and make recommendations to replace the base image. If a vulnerability is present in other layers, Docker Scout will indicate exactly where the vulnerability is introduced, and make recommendations accordingly.
Docker Scout is designed with developers in mind and integrated into Docker. With Docker Scout, you spend less time searching for and fixing vulnerabilities, and more time developing your code. Docker is building Docker Scout to sit as a layer on top of the Docker ecosystem to help developers build and maintain a secure software supply chain. Right now, Docker is focused on helping with vulnerability remediation; we think our CVE-to-package matching (using PURLs to help avoid false positives) and our SBOM-to-CVE-database matching (no need to rescan) are both nice improvements to the current developer experience.
What problem does it solve?
- In-Context Remediation Recommendations
- Understanding your applications’ dependencies & analyzing the vulnerabilities
- Unified view into software composition analysis
- Artifactory Integration
- Event-driven vulnerability updates
Docker Scout analyzes the image contents and generates a detailed report of packages and vulnerabilities that it detects. It provides you with suggestions for how you can remediate issues discovered by the image analysis. It also allows you to get base image updates and recommended tags and digests, and filter your images on vulnerability information.
Docker Scout helps you to understand your applications’ dependencies in each layer of your images, whether they’re in your base image or your application code. You can now assess the vulnerabilities presented in each dependency by layer, prioritized by severity.
With one view, your application’s direct and transitive dependencies from all layers are visible. This layer-based view not only makes remediation next steps clear, it also builds understanding of image composition.
Docker Scout allows you to pull and view analysis for images from Docker Hub and Artifactory repositories. Integrating Docker Scout with JFrog Artifactory lets you run image analysis automatically on images in your Artifactory registries. This integration is made possible by a monitoring agent. The agent is a standalone service that analyzes images and uploads the result to Docker Scout. You can view the results using the Docker Scout web UI.
With Docker Scout, vulnerabilities are detected and surfaced continuously by its event-driven data model. When a new CVE is published, Docker Scout uses your image's SBOM to check whether that CVE applies to a package in your image, so your recommendations are always up to date.
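The SBOM-to-CVE-database matching described above can be illustrated with a small script. This is an added example written for this post, not Docker Scout's own code: it keeps an image's SBOM as a list of package URLs (purls), matches each purl against advisories keyed by purl and an affected version range, and can be re-run against the cached SBOM whenever a new advisory arrives, which is the "no need to rescan" property. The SBOM entries, the advisory feed (apart from CVE-2022-30580 and its range, which come from the scan output later in the post) and the range syntax are all constructed for the example.

```python
"""SBOM-to-CVE matching by package URL (purl) and affected version range.

Added illustration, not Docker Scout's implementation. The SBOM, the advisory
records and the ">=a <b" range syntax are constructed for this example; real
advisory feeds use richer version semantics (distro epochs, VERS ranges).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    purl_base: str   # purl without the @version part, e.g. pkg:golang/stdlib
    affected: str    # constructed syntax: space-separated constraints, ">=1.18.0 <1.18.3"
    fixed: str
    severity: str


def parse_version(v):
    """Turn '1.18.2' into (1, 18, 2); separators . - + all split, non-digits drop to 0."""
    parts = []
    for piece in re.split(r"[.\-+]", v):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """'pkg:golang/stdlib@1.18.2' -> ('pkg:golang/stdlib', '1.18.2')."""
    base, _, version = purl.partition("@")
    return base, version


def in_range(version, spec):
    """True when version satisfies every constraint in spec."""
    v = parse_version(version)
    for constraint in spec.split():
        # Longer operators first so ">=" is not mistaken for ">".
        for op in (">=", "<=", "==", ">", "<"):
            if constraint.startswith(op):
                bound = parse_version(constraint[len(op):])
                break
        else:
            raise ValueError(f"bad constraint: {constraint}")
        ok = {">=": v >= bound, "<=": v <= bound, "==": v == bound,
              ">": v > bound, "<": v < bound}[op]
        if not ok:
            return False
    return True


def match(sbom_purls, advisories):
    """Return [(purl, cve, severity, fixed)] for every SBOM entry an advisory covers."""
    by_base = {}
    for adv in advisories:
        by_base.setdefault(adv.purl_base, []).append(adv)
    hits = []
    for purl in sbom_purls:
        base, version = split_purl(purl)
        for adv in by_base.get(base, []):   # exact purl match avoids name-only false positives
            if in_range(version, adv.affected):
                hits.append((purl, adv.cve, adv.severity, adv.fixed))
    return hits


# Constructed SBOM: a few purls of the kind an image index produces.
SBOM = [
    "pkg:golang/stdlib@1.18.2",
    "pkg:deb/debian/libc6@2.31-13",
    "pkg:generic/redis@6.2.12",
]

# Constructed advisory feed. The CVE-2022-30580 range is the one the scan output
# in the post reports; CVE-0000-0001 is a placeholder that must not match.
ADVISORIES = [
    Advisory("CVE-2022-30580", "pkg:golang/stdlib", ">=1.18.0 <1.18.3", "1.18.3", "HIGH"),
    Advisory("CVE-0000-0001", "pkg:generic/redis", "<6.2.0", "6.2.0", "MEDIUM"),
]

if __name__ == "__main__":
    for purl, cve, sev, fixed in match(SBOM, ADVISORIES):
        print(f"{sev:8} {cve}  {purl}  fixed in {fixed}")
```

Because the SBOM is the only input the matcher needs, a newly published advisory is handled by appending it to ADVISORIES and calling match again on the stored SBOM; the image itself is never re-indexed.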
Please note that Docker Scout is an early-access product, and requires a Pro, Team, or Business subscription.
- Docker Desktop 4.17
- Requires a Pro, Team, or Business subscription
- Enable Docker Scout on Docker Hub
- Log in to https://hub.docker.com
- Choose the organization that contains the repository with the image(s) you want to analyse.
- Select a repo, and open the "Settings" tab.
- Under "Image insight settings", choose "Advanced image analysis with Docker Scout."
- View your image analysis.
Using the CLI, you can analyze images and view the analysis report in text format. You can print the results directly to stdout, or export them to a file using a structured format, such as Static Analysis Results Interchange Format (SARIF).
```
$ docker scout
Usage:  docker scout COMMAND

Command line tool for Docker Scout

Commands:
  compare          [early preview] Compare two images and display differences
  cves             Display CVEs identified in a software artifact
  quickview        Quick overview of an image
  recommendations  Display available base image updates and remediation recommendations
  version          Show Docker Scout version information

Run 'docker scout COMMAND --help' for more information on a command.
```

```
$ docker scout version
version: v0.6.0 (go1.19.5 - darwin/arm64)
git commit: aabe2bfd192f7ac8cbfa4afea647b4dc41d3d30d
```
The docker scout cves command analyzes a software artifact for vulnerabilities and generates a vulnerability report.

```
Usage: docker scout cves [OPTIONS] IMAGE|DIRECTORY|ARCHIVE
```
The following artifact types are supported:
- OCI layout directories
- Tarball archives, as created by docker save
By default, the tool expects an image reference, such as the ones used in the examples below. If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the --type flag (--type oci-dir or --type archive).
```
$ docker scout cves redis
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 144 packages
    ✗ Detected 19 vulnerable packages with a total of 56 vulnerabilities

   0C    16H     4M     1L  stdlib 1.18.2
pkg:golang/stdlib@1.18.2

    ✗ HIGH CVE-2022-30580 [Improper Control of Generation of Code ('Code Injection')]
      https://dso.docker.com/cve/CVE-2022-30580
      Affected range : >=1.18.0
                     : <1.18.3
      Fixed version  : 1.18.3
      CVSS Score     : 7.8
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    ...
    ...

The image contains 19 packages with one or more vulnerabilities for a total of 50 vulnerabilities
    LOW      | 28
    MEDIUM   | 4
    HIGH     | 18
    CRITICAL | 0
```
```
$ docker save redis > redis.tar

$ docker scout cves --type archive redis.tar
    ✓ Archive read
    ✓ Image stored for indexing
    ✓ Indexed 144 packages
    ✗ Detected 19 vulnerable packages with a total of 56 vulnerabilities

   0C    16H     4M     1L  stdlib 1.18.2
pkg:golang/stdlib@1.18.2

    ✗ HIGH CVE-2022-30580 [Improper Control of Generation of Code ('Code Injection')]
      https://dso.docker.com/cve/CVE-2022-30580
      Affected range : >=1.18.0
                     : <1.18.3
      Fixed version  : 1.18.3
      CVSS Score     : 7.8
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    ...
    ...

The image contains 19 packages with one or more vulnerability for a total of 50 vulnerabilities
    LOW      | 28
    MEDIUM   | 4
    HIGH     | 18
    CRITICAL | 0
```
```
$ skopeo copy --override-os linux docker://alpine oci:redis
Getting image source signatures
Copying blob af6eaf76a39c done
Copying config 62aab729a2 done
Writing manifest to image destination
Storing signatures
```
```
$ docker scout cves --type oci-dir redis
    ✓ OCI directory read
    ✓ Image stored for indexing
    ✓ Indexed 19 packages
    ✓ No vulnerable package detected
```
```
$ docker scout cves --format sarif --output redis.sarif.json redis
```
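A SARIF export is mostly useful when something consumes it, for example a CI step that fails the build on high-severity findings. The following script is an added example written for this post (it is not part of Docker Scout) and relies only on the standard SARIF 2.1.0 layout: runs[].results[] entries with ruleId, level and message, and runs[].tool.driver.rules[] describing each rule. Reading a CVSS score from a rule's "security-severity" property follows the GitHub code-scanning convention and is an assumption about the report, so the script falls back to the SARIF level when that property is missing. The embedded report is constructed for the example; only CVE-2022-30580 and its 7.8 score are taken from the scan output above.

```python
"""Gate a CI job on a SARIF vulnerability report.

Added example, not Docker Scout's code. Uses only the SARIF 2.1.0 structure;
the 'security-severity' rule property (a CVSS score) is an assumption taken
from the GitHub code-scanning convention, with the SARIF level as fallback.
"""
import json
import sys

# Constructed sample report (not real Scout output); only its shape matters.
# The CVE-0000-000x identifiers are placeholders.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "CVE-2022-30580", "properties": {"security-severity": "7.8"}},
                {"id": "CVE-0000-0001", "properties": {"security-severity": "3.1"}},
                {"id": "CVE-0000-0002"},   # no score: fall back to the result level
            ],
        }},
        "results": [
            {"ruleId": "CVE-2022-30580", "level": "error",
             "message": {"text": "stdlib 1.18.2 affected, fixed in 1.18.3"}},
            {"ruleId": "CVE-0000-0001", "level": "note",
             "message": {"text": "low severity finding"}},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "finding without a CVSS score"}},
        ],
    }],
}

# Fallback mapping from SARIF level to a CVSS-like score (assumption).
LEVEL_TO_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}


def cvss_to_bucket(score):
    """CVSS v3 qualitative severity buckets."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def findings(sarif):
    """Return [(ruleId, bucket, score, message)] for every result in every run."""
    out = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r.get("id"): r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "?")
            props = rules.get(rule_id, {}).get("properties", {})
            raw = props.get("security-severity")
            if raw is not None:
                score = float(raw)
            else:
                score = LEVEL_TO_SCORE.get(res.get("level", "warning"), 4.0)
            text = res.get("message", {}).get("text", "")
            out.append((rule_id, cvss_to_bucket(score), score, text))
    return out


def gate(sarif, fail_on=("CRITICAL", "HIGH")):
    """Return (exit_code, blocking_findings); exit code 1 when any finding is in fail_on."""
    blocking = [f for f in findings(sarif) if f[1] in fail_on]
    return (1 if blocking else 0), blocking


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:   # e.g. redis.sarif.json
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    code, blocking = gate(sarif)
    for rule_id, bucket, score, text in findings(sarif):
        print(f"{bucket:8} {score:4.1f} {rule_id}  {text}")
    print(f"blocking findings: {len(blocking)}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py redis.sarif.json` after the export above; with no argument it evaluates the embedded sample and exits 1 because of the HIGH finding. The fail_on tuple is where a team encodes its policy, for example blocking only CRITICAL during a transition period.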
Comparing two images
The new docker scout CLI allows you to compare two images and display the differences in their packages and vulnerabilities. This command is in Early Access and might change in the future.
The docker scout compare command analyzes two images and displays a comparison of both.
```
$ docker scout compare --to redis:6.0 redis:6-bullseye
WARN 'docker scout compare' is in early preview and its behaviour might change in the future
    ✓ Pulled
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 144 packages
    ✓ Image stored for indexing
    ✓ Indexed 144 packages

## Overview

                    │ Analyzed Image                     │ Comparison Image
────────────────────┼────────────────────────────────────┼─────────────────────────────────────
Image reference     │ redis:6-bullseye                   │ redis:6.0
vulnerabilities     │ 0C 23H 5M 25L 5?                   │ 0C 23H 5M 25L 5?
                    │                                    │
Base image          │ debian:11-slim                     │ debian:11-slim
tags                │ also known as                      │ also known as
                    │ • 11.6-slim                        │ • 11.6-slim
                    │ • bullseye-20230411-slim           │ • bullseye-20230411-slim
                    │ • bullseye-slim                    │ • bullseye-slim
vulnerabilities     │ 0C 0H 0M 23L 1?                    │ 0C 0H 0M 23L 1?

## Packages

⎌ 1 packages changed (↑ 1 upgraded, ↓ 0 downgraded)
143 packages unchanged

Package  Type     Version  Compared version
──────────────────────────────────────────────────────
↑ redis  generic  6.2.12   6.0.19

help: + added | ↑ upgraded | ⎌ updated | ↓ downgraded | - removed

## Vulnerabilities

Severity  ID
───────────────────────

help: - removed | + added
```
Displaying the Quick Overview of an Image
The docker scout quickview command displays a quick overview of an image. It shows a summary of the vulnerabilities in the image and, separately, those in the base image. If available, it also displays base image refresh and update recommendations.

```
$ docker scout quickview redis:6.0
    ✓ Pulled
    ✓ SBOM of image already cached, 144 packages indexed

  Your image          redis:6.0            │    0C    23H     5M    25L     5?
  Base image          debian:11-slim       │    0C     0H     0M    23L     1?
  Updated base image  debian:stable-slim   │    0C     0H     0M    23L     1?
```
Display available base image updates and remediation recommendations
The Docker Scout CLI now displays base image update and remediation recommendations using docker scout recommendations. The docker scout recommendations command analyzes the image and displays recommendations to refresh or update the base image. For each recommendation it lists the benefits, such as fewer vulnerabilities or a smaller image.
The following artifact types are supported:
- OCI layout directories
- Tarball archives, as created by docker save
The tool analyzes the provided software artifact, and generates base image updates and remediation recommendations.
```
$ docker scout recommendations redis:6.0
    ✓ Pulled
    ✓ SBOM of image already cached, 144 packages indexed

  Recommended fixes for image redis:6.0

  Base image is debian:11-slim

  Name            │ bullseye-20230411-slim
  Digest          │ sha256:c115e796a6013213e61112da62f6da7f0a3390df894ade3434d0784f56b292cf
  Vulnerabilities │    0C     0H     0M    23L     1?
  Pushed          │ 1 week ago
  Size            │ 30 MB
  Packages        │ 139
  Flavor          │ debian
  OS              │ 11
  Slim            │ ✓

  │ The base image is also available under the supported tag(s) 11.6-slim, bullseye-20230411-slim, bullseye-slim. If you want to display
  │ recommendations specifically for a different tag, please re-run the command using the --tag flag.

Refresh base image
  Rebuild the image using a newer base image version. Updating this may result in breaking changes.

  ✓ This image version is up to date.

Change base image
  Select the tag you would like to see recommendations for. The list displays new recommended tags in descending order, where the top results are rated as most suitable.

  Tag                      │ Details                                                            │ Pushed     │ Vulnerabilities
  ─────────────────────────┼────────────────────────────────────────────────────────────────────┼────────────┼─────────────────────────────────────
  stable-slim              │ Benefits:                                                          │ 1 week ago │    0C     0H     0M    23L     1?
  Tag is preferred tag     │ • Same OS detected                                                 │            │
  Also known as:           │ • Tag is preferred tag                                             │            │
  • stable-20230411-slim   │ • Tag was pushed more recently                                     │            │
                           │ • Image has similar size                                           │            │
                           │ • Image has same number of vulnerabilities                         │            │
                           │ • Image contains equal number of packages                          │            │
                           │ • Tag is a Debian slim                                             │            │
                           │ • stable-slim is the 7th most popular tag with 46K pulls per month │            │
                           │                                                                    │            │
                           │ Image details:                                                     │            │
                           │ • Size: 30 MB                                                      │            │
                           │ • Flavor: debian                                                   │            │
                           │ • OS: 11                                                           │            │
                           │ • Slim: ✓                                                          │            │
                           │                                                                    │            │
  11                       │ Benefits:                                                          │ 1 week ago │    0C     0H     0M    23L     1?
  Tag is latest            │ • Same OS detected                                                 │            │
  Also known as:           │ • Tag is latest                                                    │            │
  • 11.6                   │ • Image has same number of vulnerabilities                         │            │
  • bullseye               │ • Image contains equal number of packages                          │            │
  • bullseye-20230411      │ • 11 is the fifth most popular tag with 72K pulls per month        │            │
  • latest                 │                                                                    │            │
                           │ Image details:                                                     │            │
                           │ • Size: 54 MB                                                      │            │
                           │ • Flavor: debian                                                   │            │
                           │ • OS: 11                                                           │            │
```