Image Security Scanner
Scan and secure Docker images for production deployment.
Quick Start
Scan an image:
docker scan myapp:latest # or trivy image myapp:latest
Instructions
Step 1: Choose Scanning Tool
Docker Scan (built-in):
docker scan myapp:latest
Trivy (comprehensive):
trivy image myapp:latest
Grype (fast):
grype myapp:latest
Snyk (detailed):
snyk container test myapp:latest
Step 2: Run Security Scan
Basic scan:
docker scan myapp:latest
Detailed scan with Trivy:
trivy image --severity HIGH,CRITICAL myapp:latest
Scan with JSON output:
trivy image -f json -o results.json myapp:latest
Step 3: Analyze Results
Review findings by severity:
- •CRITICAL: Immediate action required
- •HIGH: Fix soon
- •MEDIUM: Plan to fix
- •LOW: Monitor
Common vulnerabilities:
- •Outdated base image
- •Vulnerable packages
- •Known CVEs
- •Misconfigurations
Step 4: Fix Vulnerabilities
Update base image:
# Before FROM node:18-alpine3.17 # After FROM node:18-alpine3.18
Update packages:
RUN apk upgrade --no-cache # or RUN apt-get update && apt-get upgrade -y
Remove vulnerable packages:
RUN apk del vulnerable-package
Use distroless for minimal attack surface:
FROM gcr.io/distroless/nodejs18-debian11
Step 5: Implement Security Best Practices
Run as non-root:
USER nobody # or RUN adduser -D appuser USER appuser
Remove unnecessary tools:
RUN apk del apk-tools
Use read-only filesystem:
# In docker-compose or k8s read_only: true
Add security labels:
LABEL security.scan-date="2024-01-15" LABEL security.scanner="trivy"
Step 6: Verify Fixes
Re-scan after fixes:
docker build -t myapp:latest . trivy image myapp:latest
Compare before/after:
# Before: 15 HIGH, 5 CRITICAL # After: 2 HIGH, 0 CRITICAL
Scanning Patterns
CI/CD Integration:
# GitHub Actions
- name: Scan image
run: |
docker build -t myapp:${{ github.sha }} .
trivy image --exit-code 1 --severity CRITICAL myapp:${{ github.sha }}
Pre-deployment scan:
#!/bin/bash IMAGE=$1 trivy image --severity HIGH,CRITICAL $IMAGE if [ $? -ne 0 ]; then echo "Security vulnerabilities found!" exit 1 fi
Scheduled scans:
# Cron job to scan running images 0 2 * * * trivy image --severity HIGH,CRITICAL $(docker images -q)
Security Hardening
Minimal base image:
FROM alpine:3.18 # or FROM gcr.io/distroless/static-debian11
No secrets in image:
# Bad ENV API_KEY=secret123 # Good # Pass at runtime docker run -e API_KEY=$API_KEY myapp
Health checks:
HEALTHCHECK --interval=30s --timeout=3s \ CMD curl -f http://localhost:8080/health || exit 1
Limit capabilities:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp
Common Vulnerabilities
Outdated base image:
# Vulnerable FROM node:16-alpine # Fixed FROM node:18-alpine3.18
Exposed secrets:
# Vulnerable COPY .env . # Fixed # Use runtime secrets
Running as root:
# Vulnerable CMD ["node", "server.js"] # Fixed USER node CMD ["node", "server.js"]
Unnecessary packages:
# Vulnerable RUN apk add curl wget git vim # Fixed RUN apk add --no-cache curl
Scanning Tools Comparison
Docker Scan:
- •Built into Docker
- •Uses Snyk backend
- •Easy to use
- •Limited free scans
Trivy:
- •Open source
- •Fast and accurate
- •Multiple output formats
- •CI/CD friendly
Grype:
- •Open source
- •Very fast
- •Good accuracy
- •Simple CLI
Snyk:
- •Commercial (free tier)
- •Detailed reports
- •Fix recommendations
- •IDE integration
Advanced
For production deployments:
- •Implement image signing
- •Use admission controllers
- •Set up continuous scanning
- •Monitor runtime security
- •Implement security policies