Docker Image Security in 5 Minutes or Less

Updated post as of May, 2022

Containerized software has become the de facto choice for new development with a recent survey showing that over 80% of organizations claim they will increase container adoption over the next 24 months.

While container adoption can ease the development process and increase velocity, it also has the potential to increase an organization’s attack surface and make it susceptible to vulnerabilities. With developers now using both proprietary and open source components in their container environments, visibility into software containers and their dependencies is paramount to securing Docker images and ultimately avoid data breaches.

An SBOM, or a Software Bill of Materials, is a vital tool for securing the software supply chain. Used by both security and development teams alike, SBOMs provide visibility into all the components in a container image, including both direct and transitive dependencies. They can be used to identify vulnerabilities and risks such as misconfigurations and embedded secrets so teams can quickly locate and remediate issues before they reach runtime and continue to monitor for new vulnerabilities post-deployment.

In this blog post, we’ll show you how you can easily get started generating docker SBOMs and analyzing them for vulnerabilities using the open source projects Syft and Grype, maintained by Anchore.

Shifting Docker Image Security Left

Getting started with comprehensive Docker image security is easy to do with Syft and Grype. These projects are lightweight, flexible, and stateless command line tools for developers that make it possible to generate a Software Bill of Materials (SBOM) from container images and analyze that SBOM  for vulnerabilities.

First, you start by running Syft to generate an SBOM to identify all of your components including dependencies, package details, and filesystem metadata plus malware and risks like secrets and misconfigurations. This level of granularity will make sure you are identifying and accurately matching any potential vulnerabilities.

Once that SBOM is generated, it can be fed into Grype which will scan it for vulnerabilities. Re-analyzing images on a regular basis to identify newly discovered vulnerabilities is fast and easy because you only need to generate one SBOM for each version of an image. This is particularly useful in the event of a zero-day, when time is of the essence and you don’t have a minute to spare rescanning your environment from scratch.

Using Syft and Grype for Docker Image Analysis

Generating an SBOM

Step 1: Download & Install Syft

Go to the Syft releases page and download the latest version of Syft or follow installation instructions for your system here.

Step 2: Generate SBOM

Run Syft against your Docker image to output a comprehensive SBOM:

syft <docker image>

You will see an output similar to this:

$ syft debian:10

 ✔ Pulled image

 ✔ Loaded image

 ✔ Parsed image

 ✔ Cataloged packages      [91 packages]


NAME                    VERSION                  TYPE

adduser                 3.118                    deb

apt                     1.8.2.3                  deb

base-files              10.3+deb10u12            deb

base-passwd             3.5.46                   deb

bash                    5.0-4                    deb

…

Step 3: Save Your SBOM

You can easily generate an SBOM and save it in multiple formats depending on your needs by following the steps outlined here. For this example we’ll use JSON using the -o json config.

Finding Vulnerabilities

Step 1: Download & Install Grype

Go to the Grype releases page and download the latest version of Grype or follow installation instructions for your system here.

Step 2: Generate a Vulnerability Report

You can pipe an SBOM file directly from Syft into Grype:

syft <yourimage>:tag -o json | grype

Or scan an existing SBOM

Grype sbom:path/to/sbom.json

You will see an output similar to this:

 $ grype sbom:./debian_10_SBOM.json

 ✔ Vulnerability DB        [updated]

 ✔ Loaded image

 ✔ Parsed image

 ✔ Cataloged packages      [91 packages]

 ✔ Scanned image           [137 vulnerabilities]

 

NAME            INSTALLED            FIXED-IN      TYPE  VULNERABILITY     SEVERITY

apt             1.8.2.3                            deb   CVE-2011-3374     Negligible

bash            5.0-4                              deb   CVE-2019-18276    Negligible

bsdutils        1:2.33.1-0.1                       deb   CVE-2022-0563     Negligible

bsdutils        1:2.33.1-0.1        (won't fix)    deb   CVE-2021-37600    Low

coreutils       8.30-3              (won't fix)    deb   CVE-2016-2781     Low

…

Note: To output the vulnerability report as a file, follow the config options here.

Grype uses multiple vulnerability data sources to optimize vulnerability matching and reduce noise from false positives so that developers don’t waste as much time when fixing vulnerabilities in their Docker images.

Docker Image Security at Scale

While conducting scans of Docker images is quick and easy, automating such scans and implementing Docker image security best practices at scale across multiple teams and applications requires an enterprise-level solution that goes beyond what Syft and Grype provide. Anchore Enterprise adds powerful functionality to the intuitive features of Syft and Grype. With features such as SBOM Management, policy and compliance controls and global reporting and notifications, Anchore Enterprise helps organizations secure their entire software supply chain.

Conclusion

It is critically important for developers to know exactly what is inside a software container before using it and to enforce company-wide policy and compliance regulations throughout the build process. Using simple image analysis tools, like Syft and Grype are a great way to get up and running quickly and easily with Docker image security before graduating to an enterprise level, overall software supply chain management solution like Anchore Enterprise. By using Anchore, you can know more about the building blocks used in your applications and prepare for the ever growing industry best practices that are quickly becoming standards and mandates.