
Scanning your Docker containers for vulnerabilities

Automatically scan the Docker images in your Google Cloud Repository for known vulnerabilities


Security is critical for your applications. When using containers, how do you ensure that you reduce the attack surface area? How can you be sure that your OS and packages are recent enough and not affected by known vulnerabilities?

Well, if you store your container images on Google Cloud Registry, you’ll be happy to learn about this alpha feature: Google Container Registry Vulnerability Scanning. The Container Analysis API supports package vulnerability scanning for images based on Ubuntu, Debian, and Alpine.

Let’s set the stage

For the purpose of this tip, I created a small container image that runs an Apache Groovy script which simply prints hello world:

FROM groovy:alpine
ADD hello.groovy ./
CMD ["groovy", "hello.groovy"]

I’ve built my image:

$ docker build . -t hello
Sending build context to Docker daemon  3.072kB
Step 1/3 : FROM groovy:alpine
alpine: Pulling from library/groovy
2fdfe1cd78c2: Pull complete 
82630fd6e5ba: Pull complete 
119d364c885d: Pull complete 
287ef2aa8ecb: Pull complete 
fe31a0044ad1: Pull complete 
Digest: sha256:60fc6fdb148c2a5c48989d384e56d19bd288151b6d82770bb2f7d42674b9da0f
Status: Downloaded newer image for groovy:alpine
 ---> 34ce9830b507
Step 2/3 : ADD hello.groovy ./
 ---> 96a805f80806
Step 3/3 : CMD groovy hello.groovy
 ---> Running in 78040114c799
 ---> 467a80cf4614
Removing intermediate container 78040114c799
Successfully built 467a80cf4614
Successfully tagged hello:latest

And tagged it:

$ docker tag hello gcr.io/docker-vulnerability-scanning/hello

Just to be sure all was fine, I double-checked that my message was properly printed:

$ docker run -it hello
Hello Groovy world!

I enabled the Container Registry API:

[Screenshot: Enabling the Container Registry API]

I pushed my image to the registry:

$ gcloud docker -- push gcr.io/docker-vulnerability-scanning/hello
The push refers to a repository [gcr.io/docker-vulnerability-scanning/hello]
3e84e885bf33: Pushed 
baeea7770e60: Pushed 
e2468806cd9c: Pushed 
25baa3ba1903: Pushed 
5b1e27e74327: Pushed 
04a094fe844e: Pushed 
latest: digest: sha256:0ed6cbc3ec3e3ef6a25ffd4f82c8092ff8ee994f4be89dcbe89fbd33cc842860 size: 1573

Now my image is in Container Registry:

[Screenshot: Checking the container image is uploaded]

Enabling vulnerability scanning

Note: Since it’s still an alpha service, you can activate the Container Analysis API only if your email address is whitelisted for using this API. If you’re interested in trying this new feature, please join the Container Analysis Users group to be enrolled.

First, we must enable the Container Analysis API by visiting this URL and selecting our Google Cloud project:

[Screenshot: Enabling the Container Analysis API]

Then go to the GCR settings page and enable the vulnerability scanning feature:

[Screenshot: Enabling vulnerability scanning from the GCR settings page]

After a little while, once the scanner has gone through your container images, you should see that it ran its analysis:

[Screenshot: List of container images checked]

If you click on the vulnerability summary, you’ll be able to see the detailed report (in my case, I’m happy, no vulnerabilities were found):

[Screenshot: Detailed vulnerability report]
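
A clean report only tells you something when the image's base distribution is one the scanner covers (Ubuntu, Debian and Alpine, as noted earlier). The shell script below is an added example, not part of the original post or of Google's tooling: it classifies an image's /etc/os-release content against that list. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Supported base distributions, as listed in the post.
SUPPORTED_IDS="ubuntu debian alpine"

# Read os-release text on stdin; print its ID value, lowercased, quotes removed.
# Anchoring on "ID=" skips VERSION_ID= and ID_LIKE= lines.
os_release_id() {
    sed -n 's/^ID=//p' | head -n 1 | tr -d "\"'" | tr '[:upper:]' '[:lower:]'
}

# Read os-release text on stdin and print one of:
#   supported:<id>    the scanner covers this base, a clean report is meaningful
#   unsupported:<id>  base not in the list, an empty report proves nothing
#   unknown           no ID found (for example an image built FROM scratch)
# Exit status is 0 only for "supported", so it can gate a pipeline step.
scan_coverage() {
    id=$(os_release_id)
    if [ -z "$id" ]; then
        echo "unknown"
        return 2
    fi
    for s in $SUPPORTED_IDS; do
        if [ "$id" = "$s" ]; then
            echo "supported:$id"
            return 0
        fi
    done
    echo "unsupported:$id"
    return 1
}

# Constructed sample os-release contents (not captured from real images).
ALPINE_SAMPLE='NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.7.0'
CENTOS_SAMPLE='NAME="CentOS Linux"
ID="centos"
ID_LIKE="rhel fedora"'

printf '%s\n' "$ALPINE_SAMPLE" | scan_coverage
printf '%s\n' "$CENTOS_SAMPLE" | scan_coverage || true
printf '' | scan_coverage || true

# Against a real image (needs Docker, so not run here):
#   docker run --rm --entrypoint cat gcr.io/docker-vulnerability-scanning/hello /etc/os-release | scan_coverage
```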

More information

This tip was inspired by an article by David Gageot on scanning vulnerabilities in Docker images, which also shows some screenshots of reports for container images containing vulnerabilities.

Also, read more about this new alpha feature: Google Container Registry Vulnerability Scanning
