Scan images with docker scan
The docker scan command is available only with Docker Desktop for Mac and Docker Desktop for Windows. It is a CLI plugin backed by Snyk, as the version output below shows:
❯ docker version
Client:
Cloud integration: 1.0.14
Version: 20.10.6
[...]
OS/Arch: darwin/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.6
API version: 1.41 (minimum version 1.12)
[...]
docker-init:
Version: 0.19.0
GitCommit: de40ad0
❯ docker scan --version
Version: v0.8.0
Git commit: 35651ca
Provider: Snyk (1.563.0)
Scanning a container image
>>>>> Case 1: no vulnerabilities are found in the container image <<<<<
❯ docker scan redhat/ubi8-micro
Testing redhat/ubi8-micro...
Organization: damrongsak
Package manager: rpm
Project name: docker-image|redhat/ubi8-micro
Docker image: redhat/ubi8-micro
Platform: linux/amd64
Licenses: enabled
✓ Tested 18 dependencies for known issues, no vulnerable paths found.
>>>>> Case 2: vulnerabilities are found in the container image <<<<<
❯ docker scan centos
Testing centos...
✗ Low severity vulnerability found in libdb-utils
Description: RHSA-2021:1675
Info: https://snyk.io/vuln/SNYK-CENTOS8-LIBDBUTILS-1294335
Introduced through: [email protected]
From: [email protected]
Fixed in: 0:5.3.28-40.el8
✗ Low severity vulnerability found in libdb
Description: RHSA-2021:1675
Info: https://snyk.io/vuln/SNYK-CENTOS8-LIBDB-1294336
Introduced through: [email protected]
From: [email protected]
Fixed in: 0:5.3.28-40.el8
[...]
Tested 172 dependencies for known vulnerabilities, found 28 vulnerabilities.
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
Use the --json option to print the scan result as JSON.
The JSON result carries more detail than the default output: each finding includes the Snyk id, the advisory/CVE identifiers, the installed version, the nearest fixed version and whether the package is upgradable, which is what you need when the result is consumed by a CI pipeline instead of read by a person.
❯ docker scan --json centos
  "vulnerabilities": [
    {
      "title": "RHSA-2021:1679",
      "credit": [
        ""
      ],
      "packageName": "bash",
      "language": "linux",
      "packageManager": "centos:8",
      "description": "## NVD Description\n<i> **Note:** </i>\n<i> Versions mentioned in the description apply to the upstream `bash` package. </i>\n<i> See `Remediation` section below for `Centos:8` relevant versions. </i>\n\nThe bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es): * bash: when effective UID is not equal to its real UID the saved UID is not dropped (CVE-2019-18276) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.\n## Remediation\nUpgrade `Centos:8` `bash` to version 0:4.4.19-14.el8 or higher.\n## References\n- [ADVISORY](https://access.redhat.com/errata/RHSA-2021:1679)\n",
      "identifiers": {
        "ALTERNATIVE": [],
        "CVE": [
          "RHSA-2021:1679"
        ],
        "CWE": []
      },
      "severity": "low",
      "severityWithCritical": "low",
      "cvssScore": null,
      "CVSSv3": null,
      "patches": [],
      "references": [
        {
          "title": "ADVISORY",
          "url": "https://access.redhat.com/errata/RHSA-2021:1679"
        }
      ],
      "creationTime": "2021-05-19T08:11:21.843115Z",
      "modificationTime": "2021-05-19T08:11:21.853372Z",
      "publicationTime": "2021-05-19T08:11:21.860359Z",
      "disclosureTime": null,
      "id": "SNYK-CENTOS8-BASH-1294125",
      "nvdSeverity": "low",
      "relativeImportance": null,
      "semver": {
        "vulnerable": [
          "<0:4.4.19-14.el8"
        ]
      },
      "exploit": "No Data",
      "from": [
        "docker-image|centos@latest",
        "[email protected]"
      ],
      "upgradePath": [
        false,
        "bash@0:4.4.19-14.el8"
      ],
      "isUpgradable": true,
      "isPatchable": false,
      "name": "bash",
      "version": "4.4.19-12.el8",
      "nearestFixedInVersion": "0:4.4.19-14.el8"
    },
    [...]
  "packageManager": "rpm",
  "ignoreSettings": null,
  "docker": {},
  "summary": "28 vulnerable dependency paths",
  "filesystemPolicy": false,
  "filtered": {
    "ignore": [],
    "patch": []
  },
  "uniqueCount": 28,
  "projectName": "docker-image|centos",
  "platform": "linux/amd64",
  "path": "centos"
}
The --dependency-tree option additionally prints the package dependency tree found in the container image, before the usual test result:
❯ docker scan --dependency-tree redhat/ubi8-micro
docker-image|redhat/ubi8-micro @ latest
├─ basesystem @ 11-5.el8
├─ bash @ 4.4.20-1.el8_4
├─ coreutils-single @ 8.30-8.el8
├─ filesystem @ 3.8-3.el8
├─ glibc @ 2.28-151.el8
├─ glibc-common @ 2.28-151.el8
├─ glibc-minimal-langpack @ 2.28-151.el8
├─ libacl @ 2.2.53-1.el8
├─ libattr @ 2.4.48-3.el8
├─ libcap @ 2.26-4.el8
├─ libselinux @ 2.9-5.el8
├─ libsepol @ 2.9-2.el8
├─ ncurses-base @ 6.1-7.20180224.el8
├─ ncurses-libs @ 6.1-7.20180224.el8
├─ pcre2 @ 10.32-2.el8
├─ redhat-release @ 8.4-0.6.el8
├─ setup @ 2.12.2-6.el8
└─ tzdata @ 2021a-1.el8
Testing redhat/ubi8-micro...
Organization: damrongsak
Package manager: rpm
Project name: docker-image|redhat/ubi8-micro
Docker image: redhat/ubi8-micro
Platform: linux/amd64
Licenses: enabled
✓ Tested 18 dependencies for known issues, no vulnerable paths found.
Add the --severity option to report only findings at the chosen severity level or higher. Three levels are available: low, medium and high.
❯ docker scan --severity=high centos
Testing centos...
✗ High severity vulnerability found in openssl-libs
Description: RHSA-2020:5476
Info: https://snyk.io/vuln/SNYK-CENTOS8-OPENSSLLIBS-1052541
Introduced through: openssl-libs@1:1.1.1g-11.el8
From: openssl-libs@1:1.1.1g-11.el8
Fixed in: 1:1.1.1g-12.el8_3
✗ High severity vulnerability found in openssl-libs
Description: RHSA-2021:1024
Info: https://snyk.io/vuln/SNYK-CENTOS8-OPENSSLLIBS-1089748
Introduced through: openssl-libs@1:1.1.1g-11.el8
From: openssl-libs@1:1.1.1g-11.el8
Fixed in: 1:1.1.1g-15.el8_3
✗ High severity vulnerability found in nettle
Description: RHSA-2021:1206
Info: https://snyk.io/vuln/SNYK-CENTOS8-NETTLE-1287634
Introduced through: [email protected]
From: [email protected]
Fixed in: 0:3.4.1-4.el8_3
✗ High severity vulnerability found in gnutls
Description: RHSA-2021:1206
Info: https://snyk.io/vuln/SNYK-CENTOS8-GNUTLS-1287630
Introduced through: [email protected]
From: [email protected]
Fixed in: 0:3.6.14-8.el8_3
✗ High severity vulnerability found in bind-export-libs
Description: RHSA-2021:0670
Info: https://snyk.io/vuln/SNYK-CENTOS8-BINDEXPORTLIBS-1081045
Introduced through: bind-export-libs@32:9.11.20-5.el8
From: bind-export-libs@32:9.11.20-5.el8
Fixed in: 32:9.11.20-5.el8_3.1
✗ High severity vulnerability found in bind-export-libs
Description: RHSA-2021:1989
Info: https://snyk.io/vuln/SNYK-CENTOS8-BINDEXPORTLIBS-1294046
Introduced through: bind-export-libs@32:9.11.20-5.el8
From: bind-export-libs@32:9.11.20-5.el8
Fixed in: 32:9.11.26-4.el8_4
Organization: damrongsak
Package manager: rpm
Project name: docker-image|centos
Docker image: centos
Platform: linux/amd64
Licenses: enabled
Tested 172 dependencies for known issues, found 6 issues.
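The --json output above and the --severity filter are usually combined in a pipeline step that decides whether a build may ship. The script below is an added example written for this page; it is not part of the original post and not part of docker scan or Snyk. It de-duplicates findings that appear on several dependency paths, counts them per severity, applies the same "at or above this level" cut-off as --severity, and exits non-zero when anything remains, printing nearestFixedInVersion so the fix is actionable. SAMPLE_REPORT is constructed in the shape of the JSON shown earlier, trimmed to the fields the gate uses: the bash and openssl-libs entries reuse values from the page's output, while the third entry (CONSTRUCTED-NO-FIX-EXAMPLE) is a placeholder, not a real advisory, added only to exercise the path where no fixed version exists. The script name scan_gate.py is an assumption.

```python
"""Policy gate for `docker scan --json` output (added example, not from the post).
Usage: docker scan --json IMAGE | python3 scan_gate.py high
With no piped input it runs on the constructed SAMPLE_REPORT below."""
import json
import sys
from collections import Counter

# Severity order; "critical" is included because the JSON carries a separate
# "severityWithCritical" field next to "severity".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `docker scan --json`, trimmed to the fields
# the gate uses. bash and openssl-libs reuse values shown in the post; the third
# entry is a placeholder (not a real advisory) that exercises the no-fix path.
SAMPLE_REPORT = json.dumps({
    "projectName": "docker-image|centos",
    "platform": "linux/amd64",
    "vulnerabilities": [
        {"id": "SNYK-CENTOS8-BASH-1294125", "packageName": "bash",
         "version": "4.4.19-12.el8", "severity": "low", "severityWithCritical": "low",
         "identifiers": {"CVE": ["RHSA-2021:1679"]}, "isUpgradable": True,
         "nearestFixedInVersion": "0:4.4.19-14.el8"},
        {"id": "SNYK-CENTOS8-OPENSSLLIBS-1052541", "packageName": "openssl-libs",
         "version": "1.1.1g-11.el8", "severity": "high", "severityWithCritical": "high",
         "identifiers": {"CVE": ["RHSA-2020:5476"]}, "isUpgradable": True,
         "nearestFixedInVersion": "1:1.1.1g-12.el8_3"},
        {"id": "CONSTRUCTED-NO-FIX-EXAMPLE", "packageName": "example-lib",
         "version": "1.0-1.el8", "severity": "medium", "severityWithCritical": "medium",
         "identifiers": {"CVE": []}, "isUpgradable": False,
         "nearestFixedInVersion": None},
    ],
})


def load_vulnerabilities(report_text):
    """Parse the report. A single-image scan is one object; a list of report
    objects is tolerated too. One issue is listed once per dependency path
    (the post's "28 vulnerable dependency paths"), so collapse to unique issues."""
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    seen, unique = set(), []
    for report in reports:
        for vuln in report.get("vulnerabilities", []):
            key = (vuln["id"], vuln.get("packageName"), vuln.get("version"))
            if key not in seen:
                seen.add(key)
                unique.append(vuln)
    return unique


def severity_of(vuln):
    return vuln.get("severityWithCritical") or vuln["severity"]


def count_by_severity(vulns):
    return Counter(severity_of(v) for v in vulns)


def findings(vulns, threshold):
    """Issues at or above `threshold`, the same cut-off --severity=<level> applies."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for vuln in vulns:
        sev = severity_of(vuln)
        if SEVERITY_RANK.get(sev, 0) < floor:
            continue
        hits.append({
            "id": vuln["id"],
            "package": f"{vuln['packageName']}@{vuln['version']}",
            "severity": sev,
            "advisory": ", ".join(vuln.get("identifiers", {}).get("CVE", [])) or "n/a",
            "fixed_in": vuln.get("nearestFixedInVersion"),
            "upgradable": bool(vuln.get("isUpgradable")),
        })
    # most severe first, then by package name for stable output
    return sorted(hits, key=lambda h: (-SEVERITY_RANK[h["severity"]], h["package"]))


def gate(report_text, threshold="high"):
    """Return (exit_code, counts_per_severity, findings); exit_code is 1 when
    anything at or above the threshold is present, else 0."""
    vulns = load_vulnerabilities(report_text)
    hits = findings(vulns, threshold)
    return (1 if hits else 0), dict(count_by_severity(vulns)), hits


def main(argv):
    threshold = argv[1] if len(argv) > 1 else "high"
    if threshold not in SEVERITY_RANK:
        print(f"unknown severity {threshold!r}; use one of {list(SEVERITY_RANK)}")
        return 2
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    if not text.strip():
        text = SAMPLE_REPORT  # nothing piped in: demonstrate on the constructed sample
    code, counts, hits = gate(text, threshold)
    print(f"severity counts: {counts}")
    for hit in hits:
        fix = (f"upgrade to {hit['fixed_in']}" if hit["upgradable"] and hit["fixed_in"]
               else "no fixed version yet")
        print(f"{hit['severity']:<8} {hit['package']:<32} {hit['id']} [{hit['advisory']}] -> {fix}")
    print(f"gate ({threshold} or higher): {'FAIL' if code else 'PASS'}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the threshold in the gate rather than in --severity means the full report is still archived for later triage while the build decision stays strict; findings with no fixed version are reported separately so they can be tracked instead of silently blocking every build.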
Limitations to be aware of
Without logging in to Snyk you can run only 10 scans per month. Once that quota is used up the command refuses to scan (see below); to continue, log in to Snyk with:
docker scan --login
❯ docker scan IMAGE
You have reached the scan limit of 10 monthly scans without authentication.
For additional monthly scans, sign into or sign up for Snyk for free with the following command:
`docker scan --login`
Log in at snyk.io with your Docker ID. Once the login succeeds, Snyk raises the limit to 200 scans per month.
❯ docker scan --login
Now redirecting you to our auth page, go ahead and log in,
and once the auth is complete, return to this prompt and you'll
be ready to start using snyk.
If you can't wait use this url:
https://snyk.io/login?token= [...]
Your account has been authenticated. Snyk is now ready to be used.
Next in the series: Docker scan 2...
Damrongsak Reetanon · June 2 · 2 min read
#docker
#devsecops
Reference
Original article: https://dev.to/rdamrong/scan-image-docker-scan-22f6