| name | image-security-scanner |
| description | Scans Docker images for security vulnerabilities, outdated packages, and misconfigurations. Use when checking image security, finding vulnerabilities, or hardening containers. |
Image Security Scanner
Scan and secure Docker images for production deployment.
Quick Start
Scan an image:
docker scan myapp:latest
# or
trivy image myapp:latest
Instructions
Step 1: Choose Scanning Tool
Docker Scan (built-in):
docker scan myapp:latest
Trivy (comprehensive):
trivy image myapp:latest
Grype (fast):
grype myapp:latest
Snyk (detailed):
snyk container test myapp:latest
Step 2: Run Security Scan
Basic scan:
docker scan myapp:latest
Detailed scan with Trivy:
trivy image --severity HIGH,CRITICAL myapp:latest
Scan with JSON output:
trivy image -f json -o results.json myapp:latest
Step 3: Analyze Results
Review findings by severity:
- CRITICAL: Immediate action required
- HIGH: Fix soon
- MEDIUM: Plan to fix
- LOW: Monitor
Common vulnerabilities:
- Outdated base image
- Vulnerable packages
- Known CVEs
- Misconfigurations
Step 4: Fix Vulnerabilities
Update base image:
# Before
FROM node:18-alpine3.17
# After
FROM node:18-alpine3.18
Update packages:
RUN apk upgrade --no-cache
# or
RUN apt-get update && apt-get upgrade -y
Remove vulnerable packages:
RUN apk del vulnerable-package
Use distroless for minimal attack surface:
FROM gcr.io/distroless/nodejs18-debian11
Step 5: Implement Security Best Practices
Run as non-root:
USER nobody
# or
RUN adduser -D appuser
USER appuser
Remove unnecessary tools:
RUN apk del apk-tools
Use read-only filesystem:
# In docker-compose or k8s
read_only: true
Add security labels:
LABEL security.scan-date="2024-01-15"
LABEL security.scanner="trivy"
Step 6: Verify Fixes
Re-scan after fixes:
docker build -t myapp:latest .
trivy image myapp:latest
Compare before/after:
# Before: 15 HIGH, 5 CRITICAL
# After: 2 HIGH, 0 CRITICAL
Scanning Patterns
CI/CD Integration:
# GitHub Actions
- name: Scan image
run: |
docker build -t myapp:${{ github.sha }} .
trivy image --exit-code 1 --severity CRITICAL myapp:${{ github.sha }}
Pre-deployment scan:
#!/bin/bash
IMAGE=$1
trivy image --severity HIGH,CRITICAL $IMAGE
if [ $? -ne 0 ]; then
echo "Security vulnerabilities found!"
exit 1
fi
Scheduled scans:
# Cron job to scan running images
0 2 * * * trivy image --severity HIGH,CRITICAL $(docker images -q)
Security Hardening
Minimal base image:
FROM alpine:3.18
# or
FROM gcr.io/distroless/static-debian11
No secrets in image:
# Bad
ENV API_KEY=secret123
# Good
# Pass at runtime
docker run -e API_KEY=$API_KEY myapp
Health checks:
HEALTHCHECK --interval=30s --timeout=3s \
CMD curl -f http://localhost:8080/health || exit 1
Limit capabilities:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp
Common Vulnerabilities
Outdated base image:
# Vulnerable
FROM node:16-alpine
# Fixed
FROM node:18-alpine3.18
Exposed secrets:
# Vulnerable
COPY .env .
# Fixed
# Use runtime secrets
Running as root:
# Vulnerable
CMD ["node", "server.js"]
# Fixed
USER node
CMD ["node", "server.js"]
Unnecessary packages:
# Vulnerable
RUN apk add curl wget git vim
# Fixed
RUN apk add --no-cache curl
Scanning Tools Comparison
Docker Scan:
- Built into Docker
- Uses Snyk backend
- Easy to use
- Limited free scans
Trivy:
- Open source
- Fast and accurate
- Multiple output formats
- CI/CD friendly
Grype:
- Open source
- Very fast
- Good accuracy
- Simple CLI
Snyk:
- Commercial (free tier)
- Detailed reports
- Fix recommendations
- IDE integration
Advanced
For production deployments:
- Implement image signing
- Use admission controllers
- Set up continuous scanning
- Monitor runtime security
- Implement security policies