A lot of people think that Docker images and containers are secure by default. Unfortunately, this is not the case. There are quite a few things that affect the security of your Docker images. Whether it is packages installed in the image, libraries used by your application, or even the base image — all these components might make your application vulnerable.
NOTE! 70% of global organizations will be running containers in production by 2023 - Gartner
With security-related issues, it’s always better to be proactive and try to avoid vulnerabilities before they become an actual problem. The easiest way to find vulnerabilities in the image and monitor continuously potential security issues is to run an inspection against them using tools like “Snyk”.
Snyk is a tool that can help you find known vulnerabilities in open source libraries. It can identify vulnerable packages in the image through a comprehensive vulnerability database, provide accurate insight into vulnerabilities, and monitor your image.
- Enriched data from over 10 databases (Such as CVE, NVD, and more).
- Dedicated proprietary research for new vulnerabilities
- Threat Intelligence systems
This includes many additional non-CVE vulnerabilities that are derived from several sources.
The great thing with Snyk is that you don’t need to sync security feeds locally. You can send all data straight to Snyk servers and get results back quickly.
Installing Snyk CLI Tool
The Snyk CLI requires you to authenticate with your account before using it. After you have registered an account in Snyk you can install the CLI tool.
For Mac OSx and Linux users, you can use Homebrew.
Ensure Homebrew has already been installed.
brew tap snyk/tap brew install snyk
When using a Windows environment, you can use the Scoop package manager.
Ensure Scoop has already been installed.
scoop bucket add snyk https://github.com/snyk/scoop-snyk scoop install snyk
When using the Node package manager, ensure you’ve installed npm on your local environment, version 8 or greater.
npm install -g snyk
Once installed, you need to authenticate your Snyk account. There are two ways to do this, either via a browser or by passing an argument through the CLI. If you do not pass the API token through the command line, a browser tab opens and redirects you to authenticate.
NB! If the prompted redirect doesn’t authenticate you correctly then look for an API token argument which you can retrieve from your account page:
snyk auth [token]
Running the Scan Locally against an Image
To test for vulnerabilities and to receive relevant details use:
snyk test --docker myapp:mytag
To test the image, receive details, and receive base image remediation advice for your Dockerfile, use:
snyk test --docker myapp:mytag --file=path/to/Dockerfile
The scan searches for operating system packages according to the relevant package manager.
Upon writing this article, the latest Node image results may surprise you: 412 dependencies for known issues, found 634 issues.
The severity of each vulnerability is mentioned and if there is a fix available you’ll see remediation advice for it. If you pass your image’s Dockerfile as an argument it will analyze the base image that is being used and when vulnerabilities are found it will recommend an alternative base image to minimize security issues.
NOTE! 44% of docker image vulnerabilities can be fixed with a newer base image. - Snyk
After fixing all of the issues, you can continuously monitor and rerun scans manually or automatically on your Docker image which will alert you on a daily or weekly basis on newly disclosed vulnerabilities.
Monitoring Your Image Continuously
You can monitor your image for vulnerabilities, receive details and get remediation advice for your Dockerfile by importing a snapshot to Snyk UI for continuous monitoring.
snyk monitor --docker myapp:mytag --file=path/to/Dockerfile
Docker scanning (testing) and monitoring are available via the CLI and UI. Developers can run 100 tests per month on the free tier plan, and unlimited tests with other plans.
When you import to Snyk it will not import the image or contents itself, but rather a snapshot of the project dependencies. This means that if any new vulnerabilities are found, you can be alerted instantly.
Securing your docker container is not an easy task, but Snyk helps you make your container secure pretty easily. It doesn’t matter if you are a newcomer or a power user. Rich dashboards and filters in the UI help you understand what is going on inside your container. Recently Docker made a press-release where they announced a partnership between Docker and Snyk. This will hopefully mean more secure images in the future!