This document provides users with a comprehensive overview of scanning a Docker image using HIAB and Outscan RC. This document has been elaborated under the assumption the reader has access to the HIAB Account, and Portal Interface.
A Docker image is a file used to execute code in a Docker container. Docker images act as a set of instructions to build a Docker container, like a template. Docker images also act as the starting point when using Docker. An image is comparable to a snapshot in virtual machine (VM) environments.
A Docker account with its credentials to access a private registry.
When scanning a Docker image using OUTSCAN RC, a HIAB deployed as a container inspection scanner is still required. For more information see Use Appsec Scale with OUTSCAN RC
Steps to Scan a Docker Image
- Add your private Docker registries to HIAB.
- Run a Docker image discovery to retrieve the list of available images.
- Run a Docker image assessment (Docker scan) on a selected image to get the vulnerability assessment.
Docker scan capability can be enabled/disabled on your HIAB. Contact Outpost24 Support for more information.
Configure Docker Registry Credentials
To navigate to this section,
- Log in to HIAB/OUTSCAN.
- Go to Main Menu > Portal.
- Click the Account icon in the upper right corner.
- Click Credentials.
- Click on Add Credentials and select Docker from the drop-down.
Fill the required information.
Option Description Name The name of the credentials. It helps you to identify it among the other credentials configured on your HIAB. Docker Registry (URL)
Enter here the url to your private Docker Registry.
Username Enter the user name required to login to your private Docker Registry. Password Enter the password required to grant access to your private Docker Registry.
If your private registry uses a server certificate that is signed by a trusted authority, then click on ADD to save your Docker credential.
If your private registry uses a self-signed certificate, it shall be uploaded to HIAB and click on ADD to save your Docker credential.
Only PEM format is supported. It should start with ----BEGIN CERTIFICATE---- marker.
Run a Docker Image Discovery Scan
A Docker Registry discovery function retrieves images information from a private Docker Registry such as name, OS, architecture and size.
- Prior to running a Docker discovery, make sure you have created the Docker credentials.
- The discovery will only find Docker image with latest tag to limit number of Docker images and improve visibility.
To perform a Docker discovery,
- Go to Toolbar, expand Configurations and select Scan Configurations.
- Select Docker image discovery, fill the required information and choose the scanner.
- Click on ADD to save the newly created configuration.
- Select the scan configuration and click on Scan Now to run a Docker image discovery scan.
- View the scan status under Toolbar/ Scans.
- View discovered assets, Docker images under Assets as the list of assets with 'source' set to Cloudsec and type set to Docker Image.
Run a Docker Image Assessment Scan
HIAB and OUTSCAN RC supports a Docker image scan. You can scan a Docker image if you have done a Docker discovery to retrieve the images available on your private Docker Registries.
NoteCurrently, it is only possible to scan image that are less than 1GB and type of Linux and with a 64 bit architecture.
Follow the below procedure to scan Docker images:
- Create a Docker image assessment scan configuration. Select Docker image assessment under Assessment then select the Docker credential you want to scan.
- On Docker credentials selection, a table is displayed with all the discovered images such as name, OS, architecture, and size.
- Select one or more images and click on ADD to save the scan configuration. The name of the scan configuration can be changed by editing it.
- Click on Scan Now to run the Docker image assessment scan.
View the scan status under Scans.
NoteClick on Scans on the Toolbar to view all scans performed on HIAB with the status starting 'QUEUED, STARTING, RUNNING, FINISHED'.
To view the vulnerability set of the scanned image, click on Findings, and select Vulnerabilities.
By default all Docker image vulnerabilities are displayed. You can filter the result by selecting All, No or Yes respectively.
- All: view all vulnerabilities
- No: excluding any potential vulnerabilities
- Yes: view only potential vulnerabilities without fix
To display the Potential item in the column, select it from the item list and check the corresponding box.
The potential vulnerabilities are marked in the potential column with a green dot.
Then you can select within the potential column the option you want.
© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.