Vulnerability scanning for Docker Images

By March 14, 2022 No Comments
Vulnerability scanning for Docker Images 1

Security flaws aren’t the same as viruses. It contains a logical or technological defect that leads to a system weakness that can be used to compromise a system. Security flaws can be found in well-intentioned source code. Such flaws may remain undetected in our code for years until they are discovered, either intentionally or by chance.

Docker Images Vulnerability Scanning

Vulnerability scanning for Docker should be a critical component of our Docker security approach. It is a procedure for identifying security flaws in our Docker image files. Creating the container images that will be retrieved and performed in the QA, Stage, and production environments is a critical step in the continuous integration pipeline. Therefore, whether we are creating Docker images from our own source code or from publicly available images, it is critical to analyse and discover any known vulnerabilities in those images. This is referred to as the Docker vulnerability scanning procedure.

How It works

Normally, image scanning works by parsing through the software packages, dependencies, binaries, libraries, and operating system files defined in a container image file. It is then compared to public security vulnerabilities databases to see if any known vulnerabilities exist in those packages or dependencies.

Methodologies used in scanning

Static scanning- Detects vulnerabilities in images before a container is created

Dynamic scanning -Executed in a runtime environment to identify post-build software, binaries, and libraries that create vulnerabilities.

Static vs Dynamic Scanning

Static vs Dynamic Scanning

Open-source scanners to find vulnerabilities in Docker images


It is an open-source software for inspecting and analysing container images. The Anchore engine can be used independently or in conjunction with orchestration technologies like Kubernetes, Amazon ECS, and Docker Swarm.

Anchore features

  • Provides inline scans and deep inspection of container images, OS packages, and software artefacts such as jar files
  • Anchore is also available as Jenkins’s plugins to scan the CI/CD pipeline seamlessly to discover security breaches
  • Customizes scans for vulnerabilities, configuration files, image secrets, exposed ports, and more.

Aqua Security

From development to production, the Aqua Container Security Platform provides a complete, full lifecycle solution for securing containerized applications. It’s a security platform that ensures that apps running on containers are secure and run in a secure environment. It scans tens of thousands of images in a matter of minutes.

Amazon ECR Image scanning

The open-source Clair project’s Common Vulnerabilities and Exposures (CVEs) database is used by Amazon ECR. We can configure ECR repositories to scan on image push or manually scan using basic scanning. In both circumstances, Amazon ECR gives a list of scan results as well as necessary links to resolve the problems.

This feature is provided free of charge by AWS ECR, and it is based on the stated ECR service quota to guarantee that all customers have a fair and reliable scanning experience. This means that for image scanning, we set a throttle of one scan every 24 hours per image, with numerous attempts to scan the same image again during that time period generating a ThrottlingException.

This is how the report will appear

Amazon ECR Image Scan Report

Amazon ECR Image Scan Report

Amazon ECR Image Scan Report


Clair is an open-source project that analyses vulnerabilities in Docker and application containers using static analysis. Based on the Common Vulnerabilities and Exposures database (CVE) and equivalent databases from Red Hat, Ubuntu, and Debian, Clair examines each container layer and delivers a notification about vulnerabilities that may be a threat. Clair is an API-driven analysis engine that looks for known security issues in containers layer by layer.

Clair features

  • Using an API, Clair allows customers to search specific databases for vulnerabilities in images
  • Looks for vulnerabilities that have already been discovered and prevents them from being introduced in the future
  • Offers a REST API for integration with other applications
  • When vulnerability metadata is updated, a notification is issued to alert systems about the change
  • Provides an HTML report with all of the scan’s details.

 How to use Clair to scan Docker image vulnerabilities

As a proof of concept, this Clair tutorial concentrates on local container scanning. Configuring a Postgres database, downloading the Clair image, and setting the Clair configuration are all part of the initial set up.

Clair Engine Architecture

Clair Engine Architecture

Setting up Clair and Postgres

Clair can be used as a single instance or as part of a high-availability cluster. Clair should be executed in several instances if possible. Clair can be installed via Docker, so let’s assume we already have a set up.

Downloading Clair config files.

curl -L -o config.yaml

Downloading the Clair config files




Starting Clair with the config.yaml file.

docker run --net=host -d -p 6060:6060 -p 6061:6061 -v clair_config:/config arminc/clair-local-scan:v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1 -config=/config/config.yaml
Starting Clair with the config yaml

Starting Clair with the config yaml

Clair service logs

Clair service logs






Clair API server runs on TCP:6060 and the Clair health API runs on TCP:6061. To verify, call the health API.

curl -X GET -I http://localhost:6061/health
Clair HealthCheck API

Clair HealthCheck API





Spinning up the Postgres container.

docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres:9.6
Spinning up the Postgres container

Spinning up the Postgres container







Setting up clairctl

It is a command line tool, used to interact with Clair service

mkdir -p clair/docker-compose-data/clair-configwget --directory-prefix=clair/docker-compose-data/ wget --directory-prefix=clair/clair-config/cd clair/docker-compose-data

Remove Clair and postgres services from docker-compose.yaml file and run only clairctl service.

docker-compose up
Spinning up clairctl container

Here, Docker-compose exec clairctl is used in the Docker environment to execute the following command on Docker container clairctl. The rest of the command stands for the image to test, which in this example is clairctl analyze -l

docker-compose exec clairctl clairctl analyze -l

Here, we are generating vulnerability report for Docker image with clairctl command line tool.

docker-compose exec clairctl clairctl report -l


With the rise of cloud-native technologies like Kubernetes for managing applications in cloud and hybrid environments, security teams must be able to comprehend these concepts fast to build up appropriate guardrails and controls. Docker was created with security in mind, and several of its built-in capabilities can help in the protection of our system. Docker image security scanning isn’t the sole component of a container security strategy, but it is an important one. Other security tools have been partnered with it to better monitor our container environment and detect security issues in open-source code included in a containerization application in ways that image scanners cannot.

Authors’ Bio

Manish Poddar is a result-oriented cloud technology enthusiast with extensive experience in Cloud computing, Container platforms, Container Orchestration, IaC, CI/CD, Monitoring, NoSql DBs etc. He is a Senior DevOps Consultant at Tavisca, a cxLoyalty Technology Platform (Division of JP Morgan Chase & Co).

Manish Poddar

Leave a Reply