Enable image vulnerability scanning
Description
It is important to ensure that your Docker images are free from vulnerabilities. The Docker Trusted Registry (DTR) includes image vulnerability scanning which can check any packages included in your image against known vulnerability databases. This capability should be enabled to satisfy this recommendation.
Rationale
Running Docker containers based on images with known vulnerabilities exposes your organization to a greater level of risk. The vulnerability scanning service included with DTR can check the signature of any packages included in your image’s layers against both the MITRE Common Vulnerabilities and Exposures (CVE) database and NIST National Vulnerability Database (NVD). Docker Inc. maintains a security scanning database which is an aggregation of the MITRE CVE and NIST NVD data that can be read by DTR. DTR’s vulnerability scanning capability can operate in online mode, where it connects directly to Docker’s database at https://dss-cve-updates.docker.com/. It can also operate in offline mode, where the user must download a .tar file that contains the aggregated database that DTR can read. Docker Inc. updates this database on a daily basis.
Audit
The “Security” tab in the DTR “Settings” UI shows whether image scanning is enabled, along with the synchronization status of the vulnerability database. The image scanning configuration can also be retrieved by executing an HTTP GET request to the DTR API using the cURL command:
$ curl -X GET "https://<YOUR_DTR_URL>/api/v0/imagescan/status" -H "accept: application/json"
The DTR API only answers authenticated callers, so supply credentials with the request (for example cURL's -u <username>:<password>). Confirm both that the response reports scanning as enabled and that the vulnerability database has been synchronized recently: scanning against a stale database satisfies the check but silently misses newer CVEs.
Remediation
Navigate to the DTR “Settings” UI and select the “Security” tab to access the image scanning configuration. Select the “Enable Scanning” slider to enable this functionality. The image scanning capability can also be enabled via the DTR API using the cURL command as follows:
$ curl -X POST "https://<YOUR_DTR_URL>/api/v0/meta/settings" -H "accept: application/json" -H "content-type: application/json" -d "{ \"scanningEnabled\": true}"
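The audit and remediation calls above, scripted so they can run from a compliance job rather than by hand. This is an added example, not part of the CIS text and not Docker's own tooling. The two endpoints and the `scanningEnabled` key come from the page; everything else is assumed: the `lastDBUpdateFailed` and `lastDBUpdate` field names used for the database sync information, the DTR_URL/DTR_USER/DTR_PASS environment variables, and HTTP Basic as the credential type.

```python
"""Audit (and optionally remediate) DTR image vulnerability scanning.

Added example; not from the CIS benchmark or from Docker.
Assumed: response field names other than `scanningEnabled`, the
DTR_URL/DTR_USER/DTR_PASS environment variables, and Basic auth.
"""
import base64
import json
import os
import ssl
import sys
import urllib.request

STATUS_PATH = "/api/v0/imagescan/status"   # audit endpoint (from the page)
SETTINGS_PATH = "/api/v0/meta/settings"    # remediation endpoint (from the page)


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials; the DTR API rejects unauthenticated calls."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def evaluate_status(status: dict) -> list:
    """Return audit findings for a decoded /imagescan/status response.

    An empty list means the recommendation is satisfied. Only
    `scanningEnabled` is documented on the page; `lastDBUpdateFailed`
    and `lastDBUpdate` are assumed names for the sync information the
    UI shows and are checked only when present in the response.
    """
    findings = []
    if status.get("scanningEnabled") is not True:
        findings.append("image vulnerability scanning is disabled")
    if status.get("lastDBUpdateFailed") is True:
        findings.append("last vulnerability database update failed")
    if "lastDBUpdate" in status and not status.get("lastDBUpdate"):
        findings.append("vulnerability database has never been synchronised")
    return findings


def status_request(base_url: str, auth: str) -> urllib.request.Request:
    """Build the GET that mirrors the page's audit curl command."""
    return urllib.request.Request(
        base_url.rstrip("/") + STATUS_PATH,
        headers={"accept": "application/json", "Authorization": auth},
    )


def remediation_request(base_url: str, auth: str) -> urllib.request.Request:
    """Build the POST that mirrors the page's remediation curl command."""
    body = json.dumps({"scanningEnabled": True}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + SETTINGS_PATH,
        data=body,
        method="POST",
        headers={"accept": "application/json",
                 "content-type": "application/json",
                 "Authorization": auth},
    )


def main() -> int:
    base_url = os.environ["DTR_URL"]
    auth = basic_auth_header(os.environ["DTR_USER"], os.environ["DTR_PASS"])
    # Verify DTR's TLS certificate; never disable verification for an audit tool.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(status_request(base_url, auth), context=ctx, timeout=10) as resp:
        findings = evaluate_status(json.load(resp))
    for finding in findings:
        print("FAIL:", finding)
    if findings and "--remediate" in sys.argv:
        urllib.request.urlopen(remediation_request(base_url, auth), context=ctx, timeout=10)
        print("scanning enabled; re-run the audit to confirm the database synchronises")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the three environment variables set; a non-zero exit means the recommendation is not met, and `--remediate` issues the same POST the page shows. Keeping the HTTP calls separate from `evaluate_status` lets the decision logic be tested against captured responses without a live registry.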
Impact
None
Default value
The image scanning feature is disabled by default.
References
- https://docs.docker.com/ee/dtr/admin/configure/set-up-vulnerability-scans/
- https://success.docker.com/article/Docker_Reference_Architecture-_Securing_Docker_EE_and_Security_Best_Practices#dtrsecurity
CIS controls
None