How to use the latest docker scan?

Docker Scout, a tool for analyzing image contents and detecting vulnerabilities

What is docker scout?

docker scout is the replacement for the legacy docker scan. Docker Scout analyzes image contents and generates a detailed report of the packages and vulnerabilities it detects. It can also suggest how to remediate the issues discovered by this analysis.

$ docker scan

The docker scan command has been removed.
   To continue learning about the vulnerabilities of your images, and many other features, use the new docker scout command. Run docker scout --help, or learn more at https://docs.docker.com/engine/reference/commandline/scout/

error: docker scan has been removed

Vulnerabilities in public images can also be looked up in the Docker Image Vulnerability Database.

Types of docker scout integration

docker scout can be used with the two integration methods below:

  1. Image analysis in the docker hub

  2. Artifactory Integration

Image analysis in Docker Hub

When you activate Advanced image analysis for a repository, Scout analyzes new tags automatically when you push to that repository. Advanced image analysis is more than point-in-time scanning: the analysis is re-evaluated continuously, so you don't need to re-scan the image to see an updated vulnerability report.

Artifactory Integration

Integrating Docker Scout with JFrog Artifactory lets you run image analysis automatically on images in your Artifactory registries.

To automatically analyze images running in remote environments you need to deploy the Docker Scout Artifactory agent. The agent is a standalone service that analyzes images and uploads the result to Docker Scout. You can view the results using the Docker Scout web UI.

Below is the Docker Desktop Artifactory integration.

Public images can be browsed in the web UI, where any image, package and vulnerability can be searched for a more detailed view.

Docker scout image analysis supports the following package ecosystems:

  • .NET

  • GitHub packages

  • Go

  • Java

  • JavaScript

  • PHP

  • Python

  • RPM

  • Ruby

  • alpm (Arch Linux)

  • apk (Alpine Linux)

  • deb (Debian Linux and derivatives)

Different uses of docker scout

  1. Compare two images and display differences

     Examples

     Compare an image to the latest tag
     $ docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre

     Ignore base images
     $ docker scout compare --ignore-base --to namespace/repo:latest namespace/repo:v1.2.3-pre

     Generate a markdown output
     $ docker scout compare --format markdown --to namespace/repo:latest namespace/repo:v1.2.3-pre

     Only compare maven packages and only display critical vulnerabilities for maven packages
     $ docker scout compare --only-package-type maven --only-severity critical --to namespace/repo:latest namespace/repo:v1.2.3-pre

     Comparing two Alpine images:
     docker scout compare --to alpine:latest alpine:3.12

WARN 'docker scout compare' is experimental and its behaviour might change in the future
    ✓ Pulled
    ✓ SBOM of image already cached, 18 packages indexed
    ✓ SBOM of image already cached, 19 packages indexed


  ## Overview

                      │           Analyzed Image           │                             Comparison Image                               
  ────────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────
    Image reference   │  alpine:3.12                       │  sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260   
      vulnerabilities │    1C     0H     0M     0L         │    0C     0H     0M     0L     1?                                          
                      │    +1                          -1  │                                                                            
                      │                                    │                                                                            


  ## Environment Variables


      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin



  ## Packages and Vulnerabilities


    +    3 packages added  
    -    4 packages removed  
    ⎌   13 packages changed (↑ 0 upgraded, ↓ 9 downgraded)  
       2 packages unchanged


    + 1 vulnerability added  
    - 1 vulnerability removed


     Package                 Type  Version      Compared Version  

  ↓  alpine-baselayout       apk   3.2.0-r7     3.4.0-r0          
  -  alpine-baselayout-data  apk                3.4.0-r0          
  ⎌  alpine-keys             apk   2.4-r0       2.4-r1            
  ↓  apk-tools               apk   2.10.8-r1    2.12.10-r1        
  ↓  busybox                 apk   1.31.1-r22   1.35.0-r29        
  -  busybox-binsh           apk                1.35.0-r29        
  ⎌  ca-certificates         apk   20211220-r0  20220614-r4       
  ⎌  ca-certificates-bundle  apk   20211220-r0  20220614-r4       
     libc-dev                apk   0.7.2-r3     0.7.2-r3          
     libc-utils              apk   0.7.2-r3     0.7.2-r3          
  +  libcrypto1.1            apk   1.1.1n-r0                      
  -  libcrypto3              apk                3.0.8-r3          
  +  libssl1.1               apk   1.1.1n-r0                      
  -  libssl3                 apk                3.0.8-r3          
  +  libtls-standalone       apk   2.9.1-r1                       
  ↓  musl                    apk   1.1.24-r10   1.2.3-r4          
  ↓  musl-utils              apk   1.1.24-r10   1.2.3-r4          
  ⎌  openssl                 apk   1.1.1n-r0    3.0.8-r3          
     └─  -  UNSPECIFIED  CVE-2023-1255   [https://dso.docker.com/cve/CVE-2023-1255]   
                         0.0                       

  ↓  pax-utils               apk   1.2.6-r0     1.3.5-r1          
  ↓  scanelf                 apk   1.2.6-r0     1.3.5-r1          
  ↓  ssl_client              apk   1.31.1-r22   1.35.0-r29        
  ↓  zlib                    apk   1.2.12-r0    1.2.13-r0         
     └─  +  CRITICAL     CVE-2022-37434  [https://dso.docker.com/cve/CVE-2022-37434]  
                         9.8  Out-of-bounds Write  
                         ✓ fixed in  1.2.12-r2
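The compare report above reads from the analyzed image's point of view: a "+" entry (here CVE-2022-37434 in zlib 1.2.12-r0) is present in alpine:3.12 but absent from alpine:latest, so when you compare a release candidate against the tag it will replace, "added" vulnerabilities are regressions. The script below is an added example written for this article, not part of Docker Scout: it turns that text report, read from stdin, into a pass/fail gate by extracting the "vulnerability added", "downgraded" and "+ CRITICAL" lines and failing when the candidate introduces anything. The sample report embedded in it is constructed in the layout shown above; since the compare output is experimental, re-check the patterns whenever docker scout is upgraded.

```shell
#!/bin/sh
# Added example, not from the article: turn the human-readable output of
# `docker scout compare` into a pass/fail gate for a candidate image.
# The patterns follow the text layout shown in the article, e.g.
#   "+ 1 vulnerability added"
#   "⎌ 13 packages changed (↑ 0 upgraded, ↓ 9 downgraded)"
#   "└─  +  CRITICAL  CVE-..."
# That layout is experimental, so pin the docker scout version you rely on.

# Vulnerabilities present in the analyzed image but not in the comparison
# image ("+ N vulnerability/vulnerabilities added"). Reads a report on stdin.
compare_added_vulns() {
    awk '/^[ \t]*\+[ \t]+[0-9]+ vulnerabilit/ { print $2; found = 1 }
         END { if (!found) print 0 }'
}

# Packages whose version went down relative to the comparison image, taken
# from the "... ↓ N downgraded)" summary line. Reads a report on stdin.
compare_downgraded() {
    awk '/downgraded\)/ { for (i = 1; i <= NF; i++)
                              if ($i == "downgraded)") { print $(i - 1); found = 1 } }
         END { if (!found) print 0 }'
}

# Added vulnerabilities rated CRITICAL in the per-package detail lines.
compare_added_critical() {
    awk '/\+[ \t]+CRITICAL[ \t]+CVE-/ { n++ } END { print n + 0 }'
}

# Gate: read a compare report on stdin and return 1 when the candidate carries
# vulnerabilities the reference image does not (or any added CRITICAL one).
# Downgrades are reported but do not fail the gate on their own.
compare_gate() {
    report=$(cat)
    added=$(printf '%s\n' "$report" | compare_added_vulns)
    critical=$(printf '%s\n' "$report" | compare_added_critical)
    down=$(printf '%s\n' "$report" | compare_downgraded)
    printf 'added vulnerabilities: %s (critical: %s), downgraded packages: %s\n' \
        "$added" "$critical" "$down"
    if [ "$added" -gt 0 ] || [ "$critical" -gt 0 ]; then
        echo "GATE FAILED: candidate introduces vulnerabilities absent from the reference"
        return 1
    fi
    echo "GATE PASSED"
    return 0
}

# Constructed sample in the layout shown in the article (not real scan output).
SAMPLE_COMPARE=$(cat <<'EOF'
  ## Packages and Vulnerabilities

    +    3 packages added
    -    4 packages removed
    ⎌   13 packages changed (↑ 0 upgraded, ↓ 9 downgraded)
       2 packages unchanged

    + 1 vulnerability added
    - 1 vulnerability removed

     Package                 Type  Version      Compared Version
  ⎌  openssl                 apk   1.1.1n-r0    3.0.8-r3
     └─  -  UNSPECIFIED  CVE-2023-1255   [https://dso.docker.com/cve/CVE-2023-1255]
  ↓  zlib                    apk   1.2.12-r0    1.2.13-r0
     └─  +  CRITICAL     CVE-2022-37434  [https://dso.docker.com/cve/CVE-2022-37434]
                         9.8  Out-of-bounds Write
                         ✓ fixed in  1.2.12-r2
EOF
)

# Stand-alone run on the constructed sample. In CI you would pipe a live report
# instead, e.g.:
#   docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre | compare_gate
printf '%s\n' "$SAMPLE_COMPARE" | compare_gate || true
```

On the constructed sample the gate fails, because the candidate side of the report carries one vulnerability (a CRITICAL one) that the reference does not. Run it against a live report by piping docker scout compare into compare_gate and let its exit status fail the pipeline stage.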
  2. Display CVEs identified in a software artifact

     The docker scout cves command analyzes a software artifact for vulnerabilities.

     docker scout cves alpine:latest

  3. Quick overview of an image

     The docker scout quickview command displays a quick overview of an image.

     It displays a summary of the vulnerabilities in the image and the vulnerabilities from the base image.

     If available, it also displays base image refresh and update recommendations.

     docker scout quickview node:latest

  4. Display available base image updates and remediation recommendations

     The docker scout recommendations command displays recommendations for base image updates.

     It analyzes the image and displays recommendations to refresh or update the base image.

     For each recommendation, it shows a list of benefits such as fewer vulnerabilities, smaller images, etc.

     docker scout recommendations golang:1.19.4
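Where compare measures regressions between two images, cves combined with an exit code gives an absolute gate for a build. The script below is an added example, not from the article or from Docker: it runs docker scout cves over a list of images and fails the build if any image has vulnerabilities at the configured severities. It assumes the --exit-code and --only-severity flags of docker scout cves (confirm them with docker scout cves --help on your version); the image names used in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: a CI gate that runs `docker scout cves`
# over several images and fails when any of them carries vulnerabilities at
# the chosen severities. Assumes the --exit-code and --only-severity flags of
# `docker scout cves`; check `docker scout cves --help` for your version.

# Severities that fail the gate, comma-separated as docker scout expects.
FAIL_SEVERITIES="${FAIL_SEVERITIES:-critical,high}"

# Scan one image. With --exit-code, docker scout returns non-zero when it finds
# vulnerabilities matching --only-severity; the report itself goes to the build
# log. Returns 0 (clean) or 1 (findings, or the scan could not run).
scout_check_image() {
    if docker scout cves --exit-code --only-severity "$FAIL_SEVERITIES" "$1"; then
        return 0
    fi
    return 1
}

# Scan every image given as an argument, print a PASS/FAIL line per image and
# a summary, and return the number of failing images (0 means the gate passed).
scout_gate() {
    failed=0
    failed_list=""
    for img in "$@"; do
        if scout_check_image "$img"; then
            printf 'PASS  %s\n' "$img"
        else
            printf 'FAIL  %s\n' "$img"
            failed=$((failed + 1))
            failed_list="$failed_list $img"
        fi
    done
    printf '%d of %d image(s) failed the gate at [%s]:%s\n' \
        "$failed" "$#" "$FAIL_SEVERITIES" "$failed_list"
    return "$failed"
}

# Stand-alone use (placeholder image names):
#   SCOUT_GATE_IMAGES="app:candidate base:candidate" sh gate.sh
# Does nothing when docker is absent or no images are given, so the file can
# also be sourced for its functions.
if [ -n "${SCOUT_GATE_IMAGES:-}" ] && command -v docker >/dev/null 2>&1; then
    scout_gate $SCOUT_GATE_IMAGES
fi
```

The per-image loop keeps scanning after the first failure so one run reports every offending image, and the return value is the failure count rather than a bare 0/1, which lets a pipeline step distinguish "one image regressed" from "everything is broken".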

Key Takeaways

  • Docker Scout is an early-access product that requires a Docker Pro, Team, or Business subscription.

  • It offers a command line tool for comparing images, displaying CVEs, providing recommendations, and showing version information.

  • Interested organizations can learn more and request access through the contact form on the Docker Scout product page.
