Scan a Docker Image

Purpose

This document provides users with a comprehensive overview of scanning a Docker image using HIAB and Outscan RC. This document has been elaborated under the assumption the reader has access to the HIAB Account, and Portal Interface. 

Introduction

A Docker image is a file used to execute code in a Docker container. Docker images act as a set of instructions to build a Docker container, like a template. Docker images also act as the starting point when using Docker. An image is comparable to a snapshot in virtual machine (VM) environments.

Requirements

A Docker account with its credentials to access a private registry.

When scanning a Docker image using OUTSCAN RC, a HIAB deployed as a container inspection scanner is still required. For more information see Use Appsec Scale with OUTSCAN RC

Steps to Scan a Docker Image

1. Add your private Docker registries to HIAB.
2. Run a Docker image discovery to retrieve the list of available images.
3. Run a Docker image assessment (Docker scan) on a selected image to get the vulnerability assessment.

Note

Docker scan capability can be enabled/disabled on your HIAB. Contact Outpost24 Support for more information.

Configure Docker Registry Credentials

1. In the drop-down menu select Docker.
   
   

   

2. Enter a Name of the credentials.
   

3. Enter a Docker Registry (URL) to your Docker Registry. 

   

   Add the port number to Docker Registry URL when it is different from the SSL default number, 443. If the SSL port is set to 8443, then enter 'https://docker.example.local:8443'.

   
   

4. Enter a Username required to login to your Docker Registry.

5. Enter a Password required to grant access to your Docker Registry.

6. Click the blue UPLOAD CERTIFICATE, REQUIRED WHEN SELF-SIGNED (CERT) button to select a certificate file.

   

   Only PEM format is supported. It should start with ----BEGIN CERTIFICATE---- marker.

7. If your private registry uses a server certificate that is signed by a trusted authority, then click on ADD to save your Docker credential. 
   If your private registry uses a self-signed certificate, it shall be uploaded to HIAB and click on ADD to save your Docker credential. 
   

   

Run a Docker Image Discovery Scan

A Docker Registry discovery function retrieves images information from a private Docker Registry such as name, OS, architecture and size.

Note

1. Prior to running a Docker discovery, make sure you have created the Docker credentials.
2. The discovery will only find Docker image with latest tag to limit number of Docker images and improve visibility.

To perform a Docker discovery,

1. Go to Toolbar, expand Configurations and select Scan Configurations.
2. Select Docker image discovery, fill the required information and choose the scanner.
   
   

   

   
   
   
3. Click on ADD to save the newly created configuration.
4. Select the scan configuration and click on Scan Now to run a Docker image discovery scan.
   
   

   

   
   
   
5. View the scan status under Toolbar/ Scans.
6. View discovered assets, Docker images under Assets as the list of assets with 'source' set to Cloudsec and type set to Docker Image.
   
   

   

Run a Docker Image Assessment Scan

HIAB and OUTSCAN RC supports a Docker image scan. You can scan a Docker image if you have done a Docker discovery to retrieve the images available on your private Docker Registries. 

Note

Currently, it is only possible to scan image that are less than 1GB and type of Linux and with a 64 bit architecture.

Follow the below procedure to scan Docker images:

1. Create a Docker image assessment scan configuration. Select Docker image assessment under Assessment then select the Docker credential you want to scan.
   

   

   
   
   
2. On Docker credentials selection, a table is displayed with all the discovered images and the details of an image such as name, OS, architecture and size.
3. Select one or more images and click on ADD to save the scan configuration. The name of the scan configuration can be changed by editing it.
   
   

   

   
   
   
4. Click on Scan Now to run the Docker image assessment scan.
   

   

   
   
   

5. View the scan status under Scans.

   

   Note

   Click on Scans on the Toolbar to view all scans performed on HIAB with the status starting 'QUEUED, STARTING, RUNNING, FINISHED'.

6. To view the vulnerability set of the scanned image, click on Findings, and select Vulnerabilities.
   
   

   

   
   

By default all Docker image vulnerabilities are displayed. You can filter the result by selecting All, No or Yes respectively.

• All: view all vulnerabilities
• No: excluding any potential vulnerabilities
• Yes: view only potential vulnerabilities without fix

To display the Potential item in the column, select it from the item list and check the corresponding box. 

The potential vulnerabilities are marked in the potential column with a green dot.
Then you can select within the potential column the option you want.

_Copyright

_{© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.}

_Trademark

_{Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.}