Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Purpose

This document provides users with a comprehensive overview of scanning a Docker image using HIAB and Outscan RC. It assumes that the reader has access to a HIAB account and the Portal interface.

Prerequisites

A Docker account with its credentials to access a private registry.

When scanning a Docker image using Outscan RC, a HIAB deployed as a container inspection scanner is still required. For more information, see Use Appsec Scale with OUTSCAN RC.

Steps to Scan a Docker Image

  1. Add your private Docker registries to HIAB.
  2. Run a Docker image discovery to retrieve the list of available images.
  3. Run a Docker image assessment (Docker scan) on a selected image to get the vulnerability assessment.

Note

Docker scan capability can be enabled/disabled on your HIAB. Contact Outpost24 Support for more information.

Configure Docker Registry Credentials

To navigate to this section, 

  1. Log in to HIAB/Outscan.
  2. Go to Main Menu > Portal.
  3. Click the Account icon in the upper right corner.
  4. Click Credentials.
  5. Click on Add Credentials and select Docker from the drop-down.

    Fill in the required information:

    Name: The name of the credentials. It helps you identify them among the other credentials configured on your HIAB.
    Docker Registry (URL): Enter the URL of your private Docker registry, e.g. 'https://docker.hub.local'.
    Username: Enter the user name required to log in to your private Docker registry.
    Password: Enter the password required to grant access to your private Docker registry.

    Note

    Add the port number to the Docker Registry URL when it differs from the default SSL port, 443. If the SSL port is set to 8443, enter 'https://docker.hub.local:8443'.
  6. If your private registry uses a server certificate signed by a trusted authority, click ADD to save your Docker credential. 
    If your private registry uses a self-signed certificate, upload that certificate to HIAB, then click ADD to save your Docker credential. 

    Note

    Only PEM format is supported. The file should start with the -----BEGIN CERTIFICATE----- marker.
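As an added example (not Outpost24 code), the following Python applies the two rules from the credential step before a credential is added to HIAB: it normalises the registry URL so the port appears only when it is not 443, and verifies that an uploaded certificate is PEM with the five-dash marker and a decodable body. The sample certificate is constructed from placeholder bytes and is not a real certificate.

```python
"""Pre-flight checks for a Docker registry credential before it is added to
HIAB (added example, not Outpost24 code). Rules from this page: the URL is
https with the port written only when it is not 443, and an uploaded
certificate must be PEM starting with -----BEGIN CERTIFICATE-----."""
import base64
from urllib.parse import urlsplit, urlunsplit

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def normalise_registry_url(url: str) -> str:
    """Return 'https://host[:port]', showing the port only when it is not 443."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"registry URL must be https://host[:port], got {url!r}")
    port = parts.port or 443  # urlsplit gives None when no port is written
    netloc = parts.hostname if port == 443 else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path.rstrip("/"), "", ""))


def is_pem_certificate(text: str) -> bool:
    """True only for PEM framing (five-dash markers) around a base64 DER body."""
    body = text.strip()
    if not (body.startswith(PEM_BEGIN) and body.endswith(PEM_END)):
        return False  # raw DER bytes, or the four-dash marker typo
    inner = "".join(body[len(PEM_BEGIN):-len(PEM_END)].split())
    try:
        der = base64.b64decode(inner, validate=True)  # rejects non-base64 characters
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return der[:1] == b"\x30"  # every X.509 certificate is an ASN.1 SEQUENCE (tag 0x30)


def credential_problems(url: str, pem: str = "") -> list:
    """List what would stop the credential working; empty means it is ready to ADD."""
    problems = []
    try:
        normalise_registry_url(url)
    except ValueError as exc:
        problems.append(str(exc))
    if pem and not is_pem_certificate(pem):
        problems.append("certificate is not PEM (expected -----BEGIN CERTIFICATE-----)")
    return problems


# Constructed sample: correct PEM framing around placeholder bytes, not a real cert.
SAMPLE_PEM = (PEM_BEGIN + "\n"
              + base64.encodebytes(b"\x30constructed placeholder, not a certificate").decode()
              + PEM_END + "\n")
```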

Run a Docker Image Discovery Scan

The Docker registry discovery function retrieves image information (name, OS, architecture, size) from a private Docker registry.

Note

  1. Before running a Docker discovery, make sure you have created the Docker credentials.
  2. The discovery only finds Docker images with the latest tag, to limit the number of images and improve visibility.

To perform a docker discovery,

  1. Go to Toolbar, expand Configurations and select Scan Configurations.
  2. Select Docker image discovery, fill the required information and choose the scanner.



  3. Click on ADD to save the newly created configuration.
  4. Select the scan configuration and click on Scan Now to run a Docker image discovery scan.



  5. View the scan status under Toolbar/ Scans.
  6. View the discovered Docker images under Assets: they are listed as assets with 'source' set to Cloudsec and type set to Docker Image.

Run a Docker Image Assessment Scan

HIAB and Outscan RC support Docker image scans. You can scan a Docker image once you have run a Docker discovery to retrieve the images available on your private Docker registries. 

Note

Currently, it is only possible to scan images that are smaller than 1 GB, of type Linux, and with a 64-bit architecture.
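As an added example (not Outpost24 code) covering both the discovery note above (only the latest tag is listed) and the limit just stated, the Python below shows where the discovery fields name, OS, architecture and size come from in a Docker Registry HTTP API v2 manifest list and image manifest, then reports why an image would not be accepted for assessment. The manifest documents are constructed and trimmed to the fields used; how HIAB itself computes image size is not stated on this page, so the compressed size (config blob plus layers) and the set of 64-bit architecture names are assumptions.

```python
"""Offline model of the two limits this page describes (added example, not
Outpost24 code): discovery lists only the 'latest' tag, and assessment accepts
only Linux images with a 64-bit architecture that are smaller than 1 GB."""
ONE_GB = 1024 ** 3
BIT64_ARCHS = {"amd64", "arm64", "ppc64le", "s390x"}  # assumption: 64-bit names as registries report them

# Constructed GET /v2/<name>/manifests/<tag> responses (manifest lists, simplified).
MANIFEST_LISTS = {
    ("app/web", "latest"): [
        {"digest": "sha256:aaa", "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:bbb", "platform": {"os": "windows", "architecture": "amd64"}},
    ],
    ("app/db", "latest"): [{"digest": "sha256:ccc", "platform": {"os": "linux", "architecture": "arm"}}],
    ("app/db", "v1.2"): [{"digest": "sha256:ddd", "platform": {"os": "linux", "architecture": "amd64"}}],
}
# Constructed GET /v2/<name>/manifests/<digest> responses (schema 2); sizes in bytes.
MANIFESTS = {
    "sha256:aaa": {"config": {"size": 4_000}, "layers": [{"size": 30_000_000}, {"size": 120_000_000}]},
    "sha256:bbb": {"config": {"size": 6_000}, "layers": [{"size": 2 * ONE_GB}]},
    "sha256:ccc": {"config": {"size": 2_000}, "layers": [{"size": 500_000_000}]},
}


def image_size(manifest):
    """Compressed size as a registry reports it: config blob plus every layer (assumption)."""
    return manifest["config"]["size"] + sum(layer["size"] for layer in manifest["layers"])


def discover():
    """Flatten every 'latest' manifest list into discovery records (name, os, architecture, size)."""
    records = []
    for (name, tag), entries in MANIFEST_LISTS.items():
        if tag != "latest":  # the discovery on this page lists only the latest tag
            continue
        for entry in entries:
            plat = entry["platform"]
            records.append({"name": f"{name}:{tag}", "os": plat["os"],
                            "architecture": plat["architecture"],
                            "size": image_size(MANIFESTS[entry["digest"]])})
    return records


def assessment_blockers(record):
    """Reasons the assessment scan would not accept this record; empty means scannable."""
    reasons = []
    if record["os"] != "linux":
        reasons.append("os:" + record["os"])
    if record["architecture"] not in BIT64_ARCHS:
        reasons.append("arch:" + record["architecture"])
    if record["size"] >= ONE_GB:
        reasons.append("size>=1GB")
    return reasons
```

Running `discover()` on the constructed data yields three records; the v1.2 tag is never listed, and `assessment_blockers` explains each rejected image rather than silently dropping it.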

Follow the procedure below to scan a Docker image:

  1. Create a Docker image assessment scan configuration. Select Docker image assessment under Assessment, then select the Docker credential for the registry you want to scan.


  2. Once a Docker credential is selected, a table is displayed with all the discovered images and their details: name, OS, architecture and size.
  3. Select one or more images and click on ADD to save the scan configuration. You may change the name of the scan configuration by editing it.



  4. Click on Scan Now to run the Docker image assessment scan.


  5. View the scan status under Scans.

    Note

    Click Scans on the Toolbar to view all scans performed on HIAB, with their status: 'QUEUED, STARTING, RUNNING, FINISHED'.
  6. To view the vulnerability set of the scanned image, click on Findings, and select Vulnerabilities.



By default, all Docker image vulnerabilities are displayed. You can filter the result by selecting All, No or Yes:

  • All: view all vulnerabilities
  • No: exclude potential vulnerabilities
  • Yes: view only potential vulnerabilities without a fix

To display the Potential column, select it from the column item list and check the corresponding box. 


Potential vulnerabilities are marked with a green dot in the Potential column.
You can then select the option you want within the Potential column.