Want to try it for yourself?
Building a Strong Container Security Foundation
What is Container Scanning?
Container scanning, or container image scanning, is the process and scanning tools used to identify vulnerabilities within containers and their components. It’s key to container security, and enables developers and cybersecurity teams to fix security threats in containerized applications before deployment.
Containerized deployments are growing in popularity – and for good reason. Containers enable developers to move more quickly and to reliably deploy applications by transforming them into self-contained and portable units of code. However, the adoption of container-based software means the responsibility for container security is shifting to developers as well. Container scanning is an efficient way for developers to ensure their containers are secure.
Let’s take a closer look at the basics of container scanning and how automated container scanners work. We’ll also discuss the types of vulnerabilities container scanners can detect and how image layers impact container security.
Container scanning basics
Vulnerabilities can be introduced to containers in a number of ways: from the software inside the container, how the container interacts with the host operating system and adjacent containers, the configurations for networking and storage, and more. A container scanner is an automated tool that analyzes these various container components to detect security vulnerabilities.
Besides vulnerabilities introduced directly by the code and tool you add to an image, issues can originate from other images that your containers rely on. These other images are called parent images or base images (though “parent” is technically more correct). In fact, your container image may be based on a publicly available image that contains known vulnerabilities and malware, especially if you didn’t download the image from a verified publisher and authenticate the image publisher and contents. Even images from well known and trusted providers often have vulnerabilities, but by scanning for vulnerabilities in your image, and identifying your parent images and their vulnerabilities, you can often remediate a large number of issues with a single change.
Security scanners can be integrated during various stages of development. For example, you can scan potential parent images from your desktop before deciding which one to use as the base for your image. Some tools and IDE plugins will scan Dockerfiles and indicate alternative images you could select that have fewer vulnerabilities or are slimmer in size. Many organizations integrate container vulnerability scanning into the continuous integration and continuous delivery (CI/CD) pipelines, which is where the “real” images are often built prior to deployment. Scanning in your pipelines allows you to prevent container images with too many issues from being stored in your registries and from reaching production. Most teams also monitor containerized deployments when they’re running on Kubernetes or another platform. Container security scanning, therefore, can dramatically improve the security of an application without a lot of additional effort by developers.
Scanning container registries is also a great way to reduce the number of vulnerabilities across all of the frequently used images in your organization. For example, Snyk’s integration with Docker Hub creates a trusted source of public images that developers can use as a base for the containers they create. You can also monitor your stored images over time, to identify any newly disclosed vulnerabilities in your existing images and prevent those from being deployed to production in the future. Plus, you likely have several older images that do not change often, or images from third parties that are stored in your container registry. These images won’t pass through your CI/CD pipelines, so scanning them from the registry is a good way to determine whether those images are safe to use or not. A registry scanner, therefore, can give developers confidence in the images they use for containerized deployments.
What kinds of Container Vulnerabilities can be detected?
As mentioned before, there are a variety of ways that vulnerabilities can be introduced into a container. These container vulnerabilities can range from insecure application code and runtime misconfigurations to network threats and access control issues. Protecting against these threats requires continuous container monitoring and up-to-date knowledge of new vulnerabilities as they’re discovered.
Most container scanning solutions leverage a public source for vulnerability information like the National Vulnerability Database (NVD) or the Common Vulnerabilities & Exposures (CVE) database. These databases publish known exploits to enable automated vulnerability management, security measurement, and compliance.
The Snyk security research team enriches container vulnerability data with information that makes it easier to prioritize what can seem like an overwhelming number of container vulnerabilities. Factors like whether the container is running in a Kubernetes cluster, and if so, how it’s configured; the availability of a mature exploit; social media chatter; and Linux distribution specific vulnerability details are all factors Snyk Container surfaces to make it easy to determine which issues are the most important to take care of.
How container layers impact vulnerability detection
Containers are building blocks for modern applications, and one advantage of using containers is that you can build upon the work of others. Docker made this easy for developers and made it easy to share containers images via Docker Hub. Docker also supplies its own Docker Official Images that cover a wide range of language and frameworks and other application services. As you build up your own images on top of the work of others, your containers end up with multiple read-only layers, and one final read/write layer.
Each new layer has the risk of introducing new vulnerabilities into the container, so it’s crucial that the container scanner you use can detect issues layer by layer. It’s even better if they relate those layers back to the commands or Dockerfile instruction that created them, since that’s a more familiar place for developers to make a change. Furthermore, since images are almost always built on top of other images (via the FROM command in a Dockerfile, for example) a container vulnerability scanner like Snyk Container that can determine that certain layers are actually a Docker Official Image and intelligently provide alternatives that reduce vulnerabilities, is even better than just providing the raw layers. More layers in a container usually correlates to more packages being installed in a container, and since more packages also correlates with more vulnerabilities and therefore, more risk, it’s also a best practice to use the slimmest images possible to meet your application needs.
Developer-first container security
Snyk finds and automatically fixes vulnerabilities in container images and Kubernetes workloads.
Comprehensive Container security
Since containers are made up of multiple layers, comprehensive security requires scanning for vulnerabilities in custom code, open source dependencies, containers, and Dockerfiles themselves, and in some cases, infrastructure as code (IaC) files. These are the components of modern cloud native applications, so they’re key areas to consider when building a secure development workflow.
Snyk offers a comprehensive set of security scanning tools for cloud native applications, ensuring development teams can easily find and fix vulnerabilities early in the development process. Snyk integrates seamlessly into existing development workflows to reduce friction when rolling out the new security process to development teams. This enables organizations to shift security left and implement security measures for their containers and applications from the beginning.
More specifically, Snyk Container can not only scan your containers, but also the Dockerfiles themselves to match vulnerabilities to the commands that introduced them and to provide recommendations and even pull requests to use parent images with fewer vulnerabilities. This in-depth context of security issues helps developers prioritize remediation based on exploitability to immediately improve the security posture of containers and applications, with the fewest changes possible.
Container Scanning FAQs
How does Container scanning work?
Scanning containers for vulnerabilities usually involves a security tool that analyzes a container image layer by layer to detect potential security issues. Most scanning solutions leverage a database of known vulnerabilities so that organizations can stay up-to-date as the security threat landscape evolves. Containerized applications also consist of multiple components, including custom code, open source dependencies, images, Dockerfiles, and more. Scanning for vulnerabilities across all of these components is critical for comprehensive container security.
Up Next
Docker Security - Challenges & Best Practice
Docker security is the practice of protecting containers, applications, host systems, and anything else related to Docker. Learn more with our full guide.
Keep reading