A few weeks back we released Docker Security Scanning. The tool formerly known as Nautilus provides binary scanning of images on a layer-by-layer basis. It then provides teams with the actionable intelligence they need in order to ensure they are building on secure base images, helping to secure the application delivery pipeline. The feature is available today as a free preview within Docker Cloud.
Here are some of the most commonly asked questions with answers from the webinar:
Q: How does the scan work exactly? What exactly is being scanned?
A: Docker Security Scanning performs a preparatory step before scanning the bits inside the image: first it identifies all the layers and the packages contained in each layer. The service then scans the binaries inside those packages and computes signatures of the binaries (binary fingerprints) in the image, comparing them with known components and the vulnerabilities attached to them. Security Scanning checks not only the name and version of each package but also ensures that the bits inside the package are what they claim to be.
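To make the answer above concrete, here is an added example (not Docker's code, and not how the Docker Security Scanning service is implemented) of the layer-by-layer fingerprinting idea: each image layer is a tar, every regular file in it is hashed, a later layer's copy of a path overrides an earlier one, and the resulting fingerprints are compared against a known-component database and against what the image's package manifest claims. The layers, binaries, component names and advisory ids are all constructed for the demo; `KNOWN_COMPONENTS`, `scan_image` and the `ADVISORY-PLACEHOLDER-…` ids are assumptions standing in for a real CVE lookup.

```python
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real binaries; the byte strings, component names and
# advisory ids below are made up for this demo, not real fingerprints or CVEs.
LIBZ_OLD = b"\x7fELF constructed libz 1.2.8"
LIBZ_NEW = b"\x7fELF constructed libz 1.2.11"
BUSYBOX = b"\x7fELF constructed busybox 1.24"

# sha256(binary bytes) -> (component, version, advisories known for that exact build)
KNOWN_COMPONENTS = {
    sha256_hex(LIBZ_OLD): ("libz", "1.2.8", ["ADVISORY-PLACEHOLDER-0001"]),
    sha256_hex(LIBZ_NEW): ("libz", "1.2.11", []),
    sha256_hex(BUSYBOX): ("busybox", "1.24", []),
}


def build_layer(files):
    """Pack {path: bytes} into an uncompressed tar, the on-disk form of an image layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def fingerprint_layer(layer_bytes):
    """Return {path: sha256} for every regular file in one layer tar."""
    fingerprints = {}
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                fingerprints[member.name] = sha256_hex(tar.extractfile(member).read())
    return fingerprints


def scan_image(layers, package_manifest):
    """Fingerprint an image layer by layer and compare the bits against the
    known-component database and against what the package manifest claims.

    layers: list of layer tars, base first; a later layer's copy of a path
            overrides an earlier one, as in an image filesystem.
    package_manifest: {path: (component, version)} as recorded by the package
            manager inside the image (constructed here).
    """
    effective = {}  # path -> (layer index, sha256) after applying all layers
    for idx, layer in enumerate(layers):
        for path, digest in fingerprint_layer(layer).items():
            effective[path] = (idx, digest)

    findings = []
    for path, (idx, digest) in sorted(effective.items()):
        claimed = package_manifest.get(path)
        known = KNOWN_COMPONENTS.get(digest)
        if known is None:
            # Bits not in the database: the package's claim cannot be vouched for.
            findings.append({"path": path, "layer": idx, "status": "unknown-binary",
                             "claimed": claimed})
            continue
        name, version, advisories = known
        if claimed is not None and claimed != (name, version):
            # Package metadata says one version, the binary's fingerprint says another.
            findings.append({"path": path, "layer": idx, "status": "manifest-mismatch",
                             "claimed": claimed, "actual": (name, version)})
        for advisory in advisories:
            findings.append({"path": path, "layer": idx, "status": "vulnerable",
                             "component": f"{name} {version}", "advisory": advisory})
    return findings


def demo():
    """Two-layer constructed image: the second layer's package db says libz was
    upgraded to 1.2.11, but the bytes actually shipped are still the 1.2.8 build,
    and an application binary unknown to the database was added."""
    base = build_layer({"lib/libz.so": LIBZ_OLD, "bin/busybox": BUSYBOX})
    app = build_layer({"lib/libz.so": LIBZ_OLD, "usr/bin/app": b"constructed app binary"})
    manifest = {
        "lib/libz.so": ("libz", "1.2.11"),
        "bin/busybox": ("busybox", "1.24"),
        "usr/bin/app": ("app", "0.1"),
    }
    return scan_image([base, app], manifest)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The `demo()` image produces three findings: a manifest mismatch on `lib/libz.so` (the package database claims 1.2.11 while the bits fingerprint as the 1.2.8 build), the advisory attached to that 1.2.8 build, and an unknown binary at `usr/bin/app`. A scanner that trusted only package name and version would have reported the image as clean; matching on the bytes is what catches the first two.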
Q: Is output data only available in Docker Cloud? Or Docker Hub as well?
A: Currently during the free trial period, the results of private repo scans are available to view within Docker Cloud. In the future, the private repo scan results will be made available in Docker Hub as well. For Official Repos, the results are publicly available to view in Docker Hub.
Q: When will this be available for official images?
A: Docker Security Scanning has been available as a tool for Official Repo maintainers since November 2015. As of the May 10th release, the results of the Official Repo image scans are available publicly. To view the results, you will need to be logged in to Docker Hub.
Q: What vulnerability databases are used for the lookup?
A: Docker Security Scanning checks against all of the major CVE databases including Mitre, NVD and others.
Q: Will this be made available on-premises?
A: Yes. We understand that the ability to scan and understand the security profile of images is important for all Docker users. We are currently in the process of making this available for Docker Datacenter customers for on-premises or VPC deployment. In the meantime, users can trial the experience in Docker Cloud.
See what Docker Security Scanning customers have to say about their experience!
“After using Docker Security Scanning to inspect our private repo, it became clear to us that the best course of action would be to migrate to a new base image. By using this tool, we can be assured that we are building a secure environment for all of our business-critical Dockerized applications.”
– Ami Goldenberg, Co-Founder and CTO at FairFly
“The output data that we received from Docker Security Scanning proved to be very valuable to us. This tool is very effective for reviewing our components and for building a security profile for the images within our scanned private repos. The process is seamless. Our images are scanned from our private repository, hosted within Docker Hub, without having to make any changes to our existing process. Since the tool operates on a binary level, we can trust that all the installed components are scanned.”
– Valentin Chartier, Senior Manager of Cloud Services at HomeByMe-3DVIA, a Dassault Systemes (3DS) company
“The data provided by Docker Security Scanning allows us to focus on the security of the software we write. It gives us the reassurance we need to know that all the underlying container images have been scanned and are safe to use in an enterprise environment.”
– Matthew Rea, Senior Manager of Engineering at Harbortouch
For more information on Docker Cloud, click here or here to view the Docker Cloud datasheet.