<h1>Vulnerability scanning for Docker local images</h1>
<p>To detect CVEs in an image and learn how to remediate them, run <code class="language-plaintext highlighter-rouge">docker scan IMAGE_NAME</code>. See <a href="#how-to-scan-images">How to scan images</a> for details.</p> <p>Vulnerability scanning for Docker local images lets developers and development teams review the security state of their container images and fix the issues a scan identifies before those images are deployed. Docker Scan runs on the Snyk engine and gives you visibility into the security posture of your local Dockerfiles and local images.</p> <p>You trigger vulnerability scans through the CLI and use the CLI to view the results. A scan result lists the Common Vulnerabilities and Exposures (CVEs) found, the source of each one (an OS package or a library), the version in which it was introduced, and, where one is available, the fixed version to upgrade to.</p> <blockquote class="important"> <p><strong>Log4j 2 CVE-2021-44228</strong></p> <p>Versions of <code class="language-plaintext highlighter-rouge">docker scan</code> earlier than <code class="language-plaintext highlighter-rouge">v0.11.0</code> cannot detect <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" target="_blank" rel="noopener" class="_">Log4j 2 CVE-2021-44228</a>. You must update your Docker Desktop installation to 4.3.1 or higher to fix this issue. 
For more information, see <a href="#scan-images-for-log4j-2-cve">Scan images for Log4j 2 CVE</a>.</p> </blockquote> <p>For information about the system requirements to run vulnerability scanning, see <a href="#prerequisites">Prerequisites</a>.</p> <p>This page contains information about the <code class="language-plaintext highlighter-rouge">docker scan</code> CLI command. For information about automatically scanning Docker images through Docker Hub, see <a href="https://docs.docker.com/docker-hub/vulnerability-scanning/">Hub Vulnerability Scanning</a>.</p> <h2 id="scan-images-for-log4j-2-cve">Scan images for Log4j 2 CVE</h2> <p>Docker Scan versions earlier than <code class="language-plaintext highlighter-rouge">v0.11.0</code> do not detect <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" target="_blank" rel="noopener" class="_">Log4j 2 CVE-2021-44228</a> when you scan your images for vulnerabilities. You must update your Docker installation to the latest version to fix this issue.</p> <p>If you are using the <code class="language-plaintext highlighter-rouge">docker scan</code> plugin shipped with Docker Desktop, update Docker Desktop to version 4.3.1 or higher. See the release notes for <a href="https://docs.docker.com/desktop/mac/release-notes/">Mac</a> and <a href="https://docs.docker.com/desktop/windows/release-notes/">Windows</a> for download information.</p> <p>If you are using Linux, run the following command to manually install the latest version of <code class="language-plaintext highlighter-rouge">docker scan</code>:</p> <p>On <code class="language-plaintext highlighter-rouge">.deb</code> based distros, such as Ubuntu and Debian:</p> <div class="highlight"><pre class="highlight" data-language="">$ apt-get update && apt-get install docker-scan-plugin
</pre></div> <p>On rpm-based distros, such as CentOS or Fedora:</p> <div class="highlight"><pre class="highlight" data-language="">$ yum install docker-scan-plugin
</pre></div> <p>Alternatively, you can manually download the <code class="language-plaintext highlighter-rouge">docker scan</code> binaries from the <a href="https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0" target="_blank" rel="noopener" class="_">Docker Scan</a> GitHub releases page and <a href="https://github.com/docker/scan-cli-plugin" target="_blank" rel="noopener" class="_">install</a> the one for your platform in the Docker CLI plugins directory.</p> <h3 id="verify-the-docker-scan-version">Verify the <code class="language-plaintext highlighter-rouge">docker scan</code> version</h3> <p>After upgrading <code class="language-plaintext highlighter-rouge">docker scan</code>, verify that you are running the latest version:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --accept-license --version
Version: v0.12.0
Git commit: 1074dd0
Provider: Snyk (1.790.0 (standalone))
</pre></div> <p>If the scan output contains <code class="language-plaintext highlighter-rouge">ORGAPACHELOGGINGLOG4J</code>, the image is likely affected by the Log4j 2 CVE-2021-44228 vulnerability. The updated version of <code class="language-plaintext highlighter-rouge">docker scan</code> also prints remediation advice similar to the following. The fix version it names is the one the vulnerability database recommended at scan time; treat it as a minimum and confirm the current advisory before you pin a version.</p> <div class="highlight"><pre class="highlight" data-language="">Upgrade org.apache.logging.log4j:log4j-core@2.14.0 to org.apache.logging.log4j:log4j-core@2.15.0 to fix
✗ Arbitrary Code Execution (new) [Critical Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:log4j-core@2.14.0
introduced by org.apache.logging.log4j:log4j-core@2.14.0
</pre></div> <p>For more information, read our blog post <a href="https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/" target="_blank" rel="noopener" class="_">Apache Log4j 2 CVE-2021-44228</a>.</p> <h2 id="how-to-scan-images">How to scan images</h2> <p>The <code class="language-plaintext highlighter-rouge">docker scan</code> command scans an existing local image, identified by name or ID. For example, run the following command to scan the hello-world image. Note the last line of the output: hello-world is built from scratch, so the scanner found no dependencies to test and has no vulnerability data for it. A result like this means nothing was analysed, not that the image was verified clean.</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan hello-world
Testing hello-world...
Organization: docker-desktop-test
Package manager: linux
Project name: docker-image|hello-world
Docker image: hello-world
Licenses: enabled
✓ Tested 0 dependencies for known issues, no vulnerable paths found.
Note that we do not currently have vulnerability data for your image.
</pre></div> <h3 id="get-a-detailed-scan-report">Get a detailed scan report</h3> <p>You can get a detailed scan report about a Docker image by providing the Dockerfile used to create the image. The syntax is <code class="language-plaintext highlighter-rouge">docker scan --file PATH_TO_DOCKERFILE DOCKER_IMAGE</code>.</p> <p>For example, if you apply the option to the <code class="language-plaintext highlighter-rouge">docker-scan</code> test image, it displays the following result:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --file Dockerfile docker-scan:e2e
Testing docker-scan:e2e
...
✗ High severity vulnerability found in perl
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802
Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta
From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6
From: git@1:2.20.1-2+deb10u3 > liberror-perl@0.17027-2 > perl@5.28.1-6
From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6 > perl/perl-modules-5.28@5.28.1-6
and 3 more...
Introduced by your base image (golang:1.14.6)
Organization: docker-desktop-test
Package manager: deb
Target file: Dockerfile
Project name: docker-image|99138c65ebc7
Docker image: 99138c65ebc7
Base image: golang:1.14.6
Licenses: enabled
Tested 200 dependencies for known issues, found 157 issues.
According to our scan, you are currently using the most secure version of the selected base image
</pre></div> <h3 id="excluding-the-base-image">Excluding the base image</h3> <p>When you use <code class="language-plaintext highlighter-rouge">docker scan</code> with the <code class="language-plaintext highlighter-rouge">--file</code> flag, you can also add the <code class="language-plaintext highlighter-rouge">--exclude-base</code> flag. This excludes from the report the vulnerabilities introduced by the base image (the image named in the Dockerfile's <code class="language-plaintext highlighter-rouge">FROM</code> instruction), leaving only the issues introduced by your own Dockerfile instructions. Compare the issue count with the previous report:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --file Dockerfile --exclude-base docker-scan:e2e
Testing docker-scan:e2e
...
✗ Medium severity vulnerability found in libidn2/libidn2-0
Description: Improper Input Validation
Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
Introduced through: iputils/iputils-ping@3:20180629-2+deb10u1, wget@1.20.1-1.1, curl@7.64.0-4+deb10u1, git@1:2.20.1-2+deb10u3
From: iputils/iputils-ping@3:20180629-2+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
From: wget@1.20.1-1.1 > libidn2/libidn2-0@2.0.5-1+deb10u1
From: curl@7.64.0-4+deb10u1 > curl/libcurl4@7.64.0-4+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
and 3 more...
Introduced in your Dockerfile by 'RUN apk add -U --no-cache wget tar'
Organization: docker-desktop-test
Package manager: deb
Target file: Dockerfile
Project name: docker-image|99138c65ebc7
Docker image: 99138c65ebc7
Base image: golang:1.14.6
Licenses: enabled
Tested 200 dependencies for known issues, found 16 issues.
</pre></div> <h3 id="viewing-the-json-output">Viewing the JSON output</h3> <p>You can also get the scan result as JSON, which is the form to consume from scripts and CI, by adding the <code class="language-plaintext highlighter-rouge">--json</code> flag. For example:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --json hello-world
{
"vulnerabilities": [],
"ok": true,
"dependencyCount": 0,
"org": "docker-desktop-test",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.19.0\nignore: {}\npatch: {}\n",
"isPrivate": true,
"licensesPolicy": {
"severities": {},
"orgLicenseRules": {
"AGPL-1.0": {
"licenseType": "AGPL-1.0",
"severity": "high",
"instructions": ""
},
...
"SimPL-2.0": {
"licenseType": "SimPL-2.0",
"severity": "high",
"instructions": ""
}
}
},
"packageManager": "linux",
"ignoreSettings": null,
"docker": {
"baseImageRemediation": {
"code": "SCRATCH_BASE_IMAGE",
"advice": [
{
"message": "Note that we do not currently have vulnerability data for your image.",
"bold": true,
"color": "yellow"
}
]
},
"binariesVulns": {
"issuesData": {},
"affectedPkgs": {}
}
},
"summary": "No known vulnerabilities",
"filesystemPolicy": false,
"uniqueCount": 0,
"projectName": "docker-image|hello-world",
"path": "hello-world"
}
</pre></div> <p>In addition to the <code class="language-plaintext highlighter-rouge">--json</code> flag, you can use the <code class="language-plaintext highlighter-rouge">--group-issues</code> flag to report each vulnerability once, rather than once per dependency path that introduces it:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --json --group-issues docker-scan:e2e
{
{
"title": "Improper Check for Dropped Privileges",
...
"packageName": "bash",
"language": "linux",
"packageManager": "debian:10",
"description": "## Overview\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\n\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-18276"
],
"CWE": [
"CWE-273"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.8,
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
...
"from": [
"docker-image|docker-scan@e2e",
"bash@5.0-4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "bash",
"version": "5.0-4"
},
...
"summary": "880 vulnerable dependency paths",
"filesystemPolicy": false,
"filtered": {
"ignore": [],
"patch": []
},
"uniqueCount": 158,
"projectName": "docker-image|docker-scan",
"platform": "linux/amd64",
"path": "docker-scan:e2e"
}
</pre></div> <p>The <code class="language-plaintext highlighter-rouge">from</code> array lists the dependency path through which the vulnerability is introduced, starting with the image itself.</p> <h3 id="checking-the-dependency-tree">Checking the dependency tree</h3> <p>To view the dependency tree of your image, use the <code class="language-plaintext highlighter-rouge">--dependency-tree</code> flag. This prints all the dependencies before the scan result. For example:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --dependency-tree debian:buster
$ docker-image|99138c65ebc7 @ latest
├─ ca-certificates @ 20200601~deb10u1
│ └─ openssl @ 1.1.1d-0+deb10u3
│ └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3
├─ curl @ 7.64.0-4+deb10u1
│ └─ curl/libcurl4 @ 7.64.0-4+deb10u1
│ ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3
│ ├─ krb5/libgssapi-krb5-2 @ 1.17-3
│ │ ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3
│ │ ├─ krb5/libk5crypto3 @ 1.17-3
│ │ │ └─ krb5/libkrb5support0 @ 1.17-3
│ │ ├─ krb5/libkrb5-3 @ 1.17-3
│ │ │ ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3
│ │ │ ├─ krb5/libk5crypto3 @ 1.17-3
│ │ │ ├─ krb5/libkrb5support0 @ 1.17-3
│ │ │ └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3
│ │ └─ krb5/libkrb5support0 @ 1.17-3
│ ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1
│ │ └─ libunistring/libunistring2 @ 0.9.10-1
│ ├─ krb5/libk5crypto3 @ 1.17-3
│ ├─ krb5/libkrb5-3 @ 1.17-3
│ ├─ openldap/libldap-2.4-2 @ 2.4.47+dfsg-3+deb10u2
│ │ ├─ gnutls28/libgnutls30 @ 3.6.7-4+deb10u4
│ │ │ ├─ nettle/libhogweed4 @ 3.4.1-1
│ │ │ │ └─ nettle/libnettle6 @ 3.4.1-1
│ │ │ ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1
│ │ │ ├─ nettle/libnettle6 @ 3.4.1-1
│ │ │ ├─ p11-kit/libp11-kit0 @ 0.23.15-2
│ │ │ │ └─ libffi/libffi6 @ 3.2.1-9
│ │ │ ├─ libtasn1-6 @ 4.13-3
│ │ │ └─ libunistring/libunistring2 @ 0.9.10-1
│ │ ├─ cyrus-sasl2/libsasl2-2 @ 2.1.27+dfsg-1+deb10u1
│ │ │ └─ cyrus-sasl2/libsasl2-modules-db @ 2.1.27+dfsg-1+deb10u1
│ │ │ └─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.5
│ │ └─ openldap/libldap-common @ 2.4.47+dfsg-3+deb10u2
│ ├─ nghttp2/libnghttp2-14 @ 1.36.0-2+deb10u1
│ ├─ libpsl/libpsl5 @ 0.20.2-2
│ │ ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1
│ │ └─ libunistring/libunistring2 @ 0.9.10-1
│ ├─ rtmpdump/librtmp1 @ 2.4+20151223.gitfa8646d.1-2
│ │ ├─ gnutls28/libgnutls30 @ 3.6.7-4+deb10u4
│ │ ├─ nettle/libhogweed4 @ 3.4.1-1
│ │ └─ nettle/libnettle6 @ 3.4.1-1
│ ├─ libssh2/libssh2-1 @ 1.8.0-2.1
│ │ └─ libgcrypt20 @ 1.8.4-5
│ └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3
├─ gnupg2/dirmngr @ 2.2.12-1+deb10u1
...
Organization: docker-desktop-test
Package manager: deb
Project name: docker-image|99138c65ebc7
Docker image: 99138c65ebc7
Licenses: enabled
Tested 200 dependencies for known issues, found 157 issues.
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp.
</pre></div> <p>For more information about the vulnerability data, see <a href="https://goto.docker.com/rs/929-FJL-178/images/cheat-sheet-docker-desktop-vulnerability-scanning-CLI.pdf" target="_blank" rel="noopener" class="_">Docker Vulnerability Scanning CLI Cheat Sheet</a>.</p> <h3 id="limiting-the-level-of-vulnerabilities-displayed">Limiting the level of vulnerabilities displayed</h3> <p>Docker scan lets you choose the minimum severity of the vulnerabilities shown in your scan report with the <code class="language-plaintext highlighter-rouge">--severity</code> flag. Set it to <code class="language-plaintext highlighter-rouge">low</code>, <code class="language-plaintext highlighter-rouge">medium</code>, or <code class="language-plaintext highlighter-rouge">high</code>; vulnerabilities of that level or higher are reported. For example, with the severity set to <code class="language-plaintext highlighter-rouge">medium</code>, the report shows all vulnerabilities classified as medium or high.</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --severity=medium docker-scan:e2e
Testing docker-scan:e2e...
✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
Description: Divide By Zero
Info: https://snyk.io/vuln/SNYK-DEBIAN10-SQLITE3-466337
Introduced through: gnupg2/gnupg@2.2.12-1+deb10u1, subversion@1.10.4-1+deb10u1, mercurial@4.8.2-1+deb10u1
From: gnupg2/gnupg@2.2.12-1+deb10u1 > gnupg2/gpg@2.2.12-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
From: subversion@1.10.4-1+deb10u1 > subversion/libsvn1@1.10.4-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
From: mercurial@4.8.2-1+deb10u1 > python-defaults/python@2.7.16-1 > python2.7@2.7.16-2+deb10u1 > python2.7/libpython2.7-stdlib@2.7.16-2+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
Description: Uncontrolled Recursion
...
✗ High severity vulnerability found in binutils/binutils-common
Description: Missing Release of Resource after Effective Lifetime
Info: https://snyk.io/vuln/SNYK-DEBIAN10-BINUTILS-403318
Introduced through: gcc-defaults/g++@4:8.3.0-1
From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/libbinutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-x86-64-linux-gnu@2.31.1-16 > binutils/binutils-common@2.31.1-16
and 4 more...
Organization: docker-desktop-test
Package manager: deb
Project name: docker-image|docker-scan
Docker image: docker-scan:e2e
Platform: linux/amd64
Licenses: enabled
Tested 200 dependencies for known issues, found 37 issues.
</pre></div> <h2 id="provider-authentication">Provider authentication</h2> <p>If you have an existing Snyk account, you can directly use your Snyk <a href="https://app.snyk.io/account" target="_blank" rel="noopener" class="_">API token</a>:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --login --token SNYK_AUTH_TOKEN
Your account has been authenticated. Snyk is now ready to be used.
</pre></div> <p>If you use the <code class="language-plaintext highlighter-rouge">--login</code> flag without a token, you are redirected to the Snyk website to log in. Note that a token passed on the command line with <code class="language-plaintext highlighter-rouge">--token</code> is recorded in your shell history and can be visible to other users of the machine in the process list while the command runs; on a shared host, prefer the browser-based login.</p> <h2 id="prerequisites">Prerequisites</h2> <p>To run vulnerability scanning on your Docker images, you must meet the following requirements:</p> <ol> <li> <p>Download and install the latest version of Docker Desktop.</p> <ul> <li><a href="https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-mac-amd64">Download for Mac with Intel chip</a></li> <li><a href="https://desktop.docker.com/mac/main/arm64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-mac-arm64">Download for Mac with Apple chip</a></li> <li><a href="https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe">Download for Windows</a></li> </ul> </li> <li> <p>Sign in to <a href="https://hub.docker.com" target="_blank" rel="noopener" class="_">Docker Hub</a>.</p> </li> <li> <p>From the Docker Desktop menu, select <strong>Sign in/ Create Docker ID</strong>. Alternatively, open a terminal and run the command <code class="language-plaintext highlighter-rouge">docker login</code>.</p> </li> <li> <p>(Optional) You can create a <a href="https://dockr.ly/3ePqVcp" target="_blank" rel="noopener" class="_">Snyk account</a> for scans, or use the additional monthly free scans provided by Snyk with your Docker Hub account.</p> </li> </ol> <p>Check your installation by running <code class="language-plaintext highlighter-rouge">docker scan --version</code>; it prints the current version of docker scan and the Snyk engine version. The output below only illustrates the format: for Log4j 2 detection you need <code class="language-plaintext highlighter-rouge">v0.11.0</code> or later, as described above. For example:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker scan --version
Version: v0.5.0
Git commit: 5a09266
Provider: Snyk (1.432.0)
</pre></div> <blockquote> <p><strong>Note:</strong></p> <p>Docker Scan uses the Snyk binary installed in your environment by default. If none is available, it uses the Snyk binary embedded in Docker Desktop. The minimum version required for Snyk is <code class="language-plaintext highlighter-rouge">1.385.0</code>. Because the plugin picks up whatever <code class="language-plaintext highlighter-rouge">snyk</code> binary your environment provides, make sure it is one you trust and meets the minimum version; <code class="language-plaintext highlighter-rouge">docker scan --version</code> reports which provider version is in use.</p> </blockquote> <h2 id="supported-options">Supported options</h2> <p>The high-level <code class="language-plaintext highlighter-rouge">docker scan</code> command scans local images using the image name or the image ID. It supports the following options:</p> <table> <thead> <tr> <th style="text-align: left">Option</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--accept-license</code></td> <td style="text-align: left">Accept the license agreement of the third-party scanning provider</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--dependency-tree</code></td> <td style="text-align: left">Display the dependency tree of the image along with the scan results</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--exclude-base</code></td> <td style="text-align: left">Exclude the base image during scanning. This option requires the <code class="language-plaintext highlighter-rouge">--file</code> option to be set</td> </tr> <tr> <td style="text-align: left">
<code class="language-plaintext highlighter-rouge">-f</code>, <code class="language-plaintext highlighter-rouge">--file string</code>
</td> <td style="text-align: left">Specify the location of the Dockerfile associated with the image. This option displays a detailed scan result</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--json</code></td> <td style="text-align: left">Display the result of the scan in JSON format</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--login</code></td> <td style="text-align: left">Log in to Snyk, either with a token passed with <code class="language-plaintext highlighter-rouge">--token</code> or through the web-based login flow</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--reject-license</code></td> <td style="text-align: left">Reject the license agreement of the third-party scanning provider</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--severity string</code></td> <td style="text-align: left">Only report vulnerabilities of the provided level or higher (low, medium, high)</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--token string</code></td> <td style="text-align: left">Use the given authentication token to log in to the third-party scanning provider</td> </tr> <tr> <td style="text-align: left"><code class="language-plaintext highlighter-rouge">--version</code></td> <td style="text-align: left">Display the Docker Scan plugin version</td> </tr> </tbody> </table> <h2 id="known-issues">Known issues</h2> <p><strong>WSL 2</strong></p> <ul> <li>The vulnerability scanning feature doesn't work with Alpine distributions.</li> <li>If you are using Debian or openSUSE distributions, the login process only works with the <code class="language-plaintext highlighter-rouge">--token</code> flag; you are not redirected to the Snyk website for authentication.</li> </ul> <h2 id="feedback">Feedback</h2> <p>Your feedback is very important to us. 
Let us know your feedback by creating an issue in the <a href="https://github.com/docker/scan-cli-plugin/issues/new" target="_blank" rel="noopener" class="_">scan-cli-plugin</a> GitHub repository.</p>
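<p>The JSON report described under <a href="#viewing-the-json-output">Viewing the JSON output</a> is the form to consume in automation. The following Python script is an added example, not part of <code class="language-plaintext highlighter-rouge">docker scan</code> or Snyk: it reads <code class="language-plaintext highlighter-rouge">docker scan --json</code> output, groups entries by Snyk issue id so that an issue introduced through several dependency paths is counted once (what <code class="language-plaintext highlighter-rouge">--group-issues</code> does in the report), applies a minimum-severity threshold like <code class="language-plaintext highlighter-rouge">--severity</code>, and always fails on a block list of CVE ids, such as CVE-2021-44228 from the Log4j 2 section. The sample report embedded in it is constructed to mirror the field shapes shown on this page and is not real scan output; the Snyk id for the bash issue and the script name <code class="language-plaintext highlighter-rouge">scan_gate.py</code> are placeholders.</p>

```python
"""Gate a build on `docker scan --json` output (added example, not docker scan's own code).
Usage: docker scan --json IMAGE > scan.json; python scan_gate.py scan.json --fail-on high
"""
import argparse
import json
import sys

# Severity ladder for the threshold. docker scan --severity documents
# low/medium/high; "critical" also appears in this page's Log4j 2 output.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample mirroring the field shapes of `docker scan --json` on this
# page. Not real scan output: the bash issue's Snyk id is a placeholder and the
# Log4j entry is modelled on the page's "Upgrade ... to fix" advice.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-DEBIAN10-BASH-PLACEHOLDER",
         "title": "Improper Check for Dropped Privileges",
         "packageName": "bash", "version": "5.0-4", "severity": "low",
         "identifiers": {"CVE": ["CVE-2019-18276"], "CWE": ["CWE-273"]},
         "from": ["docker-image|docker-scan@e2e", "bash@5.0-4"],
         "isUpgradable": False, "upgradePath": []},
        # Same issue via a second path: the plain JSON has one entry per
        # path, which is what --group-issues collapses.
        {"id": "SNYK-DEBIAN10-BASH-PLACEHOLDER",
         "title": "Improper Check for Dropped Privileges",
         "packageName": "bash", "version": "5.0-4", "severity": "low",
         "identifiers": {"CVE": ["CVE-2019-18276"], "CWE": ["CWE-273"]},
         "from": ["docker-image|docker-scan@e2e", "meta-common-packages@meta", "bash@5.0-4"],
         "isUpgradable": False, "upgradePath": []},
        {"id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720",
         "title": "Arbitrary Code Execution",
         "packageName": "org.apache.logging.log4j:log4j-core",
         "version": "2.14.0", "severity": "critical",
         "identifiers": {"CVE": ["CVE-2021-44228"]},
         "from": ["docker-image|docker-scan@e2e", "org.apache.logging.log4j:log4j-core@2.14.0"],
         "isUpgradable": True,
         # Snyk's upgradePath can start with `false` for the root; only
         # the string entries are package@version.
         "upgradePath": [False, "org.apache.logging.log4j:log4j-core@2.15.0"]},
    ],
    "ok": False, "uniqueCount": 2, "projectName": "docker-image|docker-scan", "path": "docker-scan:e2e",
})


def load_report(text):
    """Parse a report and reject anything without a vulnerabilities list."""
    report = json.loads(text)
    if not isinstance(report, dict) or not isinstance(report.get("vulnerabilities"), list):
        raise ValueError("not a docker scan JSON report: missing 'vulnerabilities' list")
    return report


def group_issues(report):
    """One record per Snyk issue id, keeping every introduction path (the
    `from` chain without the leading image, like the CLI's "From:" lines)."""
    groups = {}
    for v in report["vulnerabilities"]:
        g = groups.setdefault(v["id"], {
            "title": v.get("title", ""), "package": v.get("packageName", ""),
            "version": v.get("version", ""), "severity": v.get("severity", "low"),
            "cves": sorted(set(v.get("identifiers", {}).get("CVE", []))),
            "paths": [], "fix": None})
        g["paths"].append(" > ".join(v.get("from", [])[1:]))
        if v.get("isUpgradable"):
            fixes = [p for p in v.get("upgradePath", []) if isinstance(p, str)]
            if fixes:
                g["fix"] = fixes[-1]
    return groups


def evaluate(report, fail_on="medium", block=()):
    """Return (failing, blocked): issue ids at or above `fail_on`, and issue
    ids carrying a block-listed CVE, which fail whatever their severity."""
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {fail_on!r}")
    threshold, blocked_cves = SEVERITY_RANK[fail_on], set(block)
    failing, blocked = [], []
    for issue_id, g in group_issues(report).items():
        if SEVERITY_RANK.get(g["severity"], 0) >= threshold:
            failing.append(issue_id)
        if blocked_cves.intersection(g["cves"]):
            blocked.append(issue_id)
    return failing, blocked


def main(argv=None):
    """Print one line per failing issue and return the process exit code."""
    ap = argparse.ArgumentParser()
    ap.add_argument("report", nargs="?", help="scan.json (default: built-in sample)")
    ap.add_argument("--fail-on", default="medium", choices=list(SEVERITY_RANK))
    ap.add_argument("--block", action="append", default=[], help="CVE id that always fails")
    args = ap.parse_args(argv)
    text = open(args.report, encoding="utf-8").read() if args.report else SAMPLE_REPORT
    report = load_report(text)
    groups = group_issues(report)
    failing, blocked = evaluate(report, args.fail_on, args.block)
    for issue_id in sorted(set(failing) | set(blocked)):
        g = groups[issue_id]
        tag = "BLOCKED" if issue_id in blocked else g["severity"].upper()
        fix = f"upgrade to {g['fix']}" if g["fix"] else "no upgrade available"
        print(f"{tag}: {g['title']} in {g['package']}@{g['version']} "
              f"[{', '.join(g['cves'])}] via {len(g['paths'])} path(s); {fix}")
    return 1 if failing or blocked else 0


if __name__ == "__main__":
    sys.exit(main())
```

<p>A non-zero exit code fails the pipeline. The threshold uses Snyk's <code class="language-plaintext highlighter-rouge">severity</code> field, which for distribution packages can differ from the CVSS score (the bash entry on this page is rated low with a CVSS of 7.8), so use the block list for the specific CVEs you must never ship regardless of rating.</p>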
<div class="_attribution">
<p class="_attribution-p">
© 2019 Docker, Inc.<br>Licensed under the Apache License, Version 2.0.<br>Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.<br>Docker, Inc. and other parties may also have trademark rights in other terms used herein.<br>
<a href="https://docs.docker.com/engine/scan/" class="_attribution-link">https://docs.docker.com/engine/scan/</a>
</p>
</div>