Vulnerability scanning for Docker images — Part 1

Luke Skywalker
Published in System Weakness
7 min read · Jan 18, 2022


In my previous blog post, Automate docker security audits with docker bench for security, we looked at how to automate Docker security audits with Docker Bench for Security.

But remember that Docker Bench isn’t an exhaustive test: there are other aspects of maintaining Docker security that shouldn’t be overlooked either.

A compromised container could give an attacker a foothold into your systems even if your host-level security is strong. You can reduce this risk by using Docker Bench alongside active container vulnerability scanners such as Docker scan (Snyk), Grype, Trivy and Clair. These identify problems inside your container images, such as outdated dependencies with known, exploitable vulnerabilities.

Vulnerability scanning for local Docker images using ‘docker scan’

Vulnerability scanning of local Docker images lets developers and development teams review the security state of their container images and fix the issues the scan identifies, resulting in more secure deployments. Docker Scan runs on the Snyk engine, giving users visibility into the security posture of their local Dockerfiles and local images.

macpro$ docker scan --accept-license --version
Version: v0.16.0
Git commit: e135637
Provider: Snyk (1.809.0)
macpro$ docker scan postgres:12
\ Analyzing container dependencies for postgres:12
Testing postgres:12...
✗ Low severity vulnerability found in tar
Description: CVE-2005-2541
Info: https://snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
Introduced through: meta-common-packages@meta
From: meta-common-packages@meta > tar@1.34+dfsg-1
✗ Low severity vulnerability found in systemd/libsystemd0
Description: Authentication Bypass
Info: https://snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-1291054
Introduced through: postgresql-12@12.9-1.pgdg110+1, util-linux/bsdutils@1:2.36.1-8, util-linux/mount@2.36.1-8
From: postgresql-12@12.9-1.pgdg110+1 > systemd/libsystemd0@247.3-6
From: util-linux/bsdutils@1:2.36.1-8 > systemd/libsystemd0@247.3-6
From: util-linux/mount@2.36.1-8 > util-linux@2.36.1-8 > systemd/libsystemd0@247.3-6
and 4 more...
✗ Low severity vulnerability found in systemd/libsystemd0
Description: CVE-2021-3997
Info: https://snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-2332025
Introduced through: postgresql-12@12.9-1.pgdg110+1, util-linux/bsdutils@1:2.36.1-8, util-linux/mount@2.36.1-8
From: postgresql-12@12.9-1.pgdg110+1 > systemd/libsystemd0@247.3-6
From: util-linux/bsdutils@1:2.36.1-8 > systemd/libsystemd0@247.3-6
From: util-linux/mount@2.36.1-8 > util-linux@2.36.1-8 > systemd/libsystemd0@247.3-6
and 4 more...
✗ Low severity vulnerability found in systemd/libsystemd0
Description: Link Following
Info: https://snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-524969
Introduced through: postgresql-12@12.9-1.pgdg110+1, util-linux/bsdutils@1:2.36.1-8, util-linux/mount@2.36.1-8
From: postgresql-12@12.9-1.pgdg110+1 > systemd/libsystemd0@247.3-6
From: util-linux/bsdutils@1:2.36.1-8 > systemd/libsystemd0@247.3-6
From: util-linux/mount@2.36.1-8 > util-linux@2.36.1-8 > systemd/libsystemd0@247.3-6
and 4 more.
✗ Low severity vulnerability found in sqlite3/libsqlite3-0
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-DEBIAN11-SQLITE3-1569419
Introduced through: gnupg2/gnupg@2.2.27-2
From: gnupg2/gnupg@2.2.27-2 > gnupg2/gpg@2.2.27-2 > sqlite3/libsqlite3-0@3.34.1-3
✗ Low severity vulnerability found in shadow/passwd
Description: Access Restriction Bypass
Info: https://snyk.io/vuln/SNYK-DEBIAN11-SHADOW-526940
Introduced through: gnupg2/dirmngr@2.2.27-2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8
From: gnupg2/dirmngr@2.2.27-2 > adduser@3.118 > shadow/passwd@1:4.8.1-1
From: shadow/login@1:4.8.1-1
From: util-linux/mount@2.36.1-8 > util-linux@2.36.1-8 > shadow/login@1:4.8.1-1
✗ Low severity vulnerability found in shadow/passwd
Description: Time-of-check Time-of-use (TOCTOU)
Info: https://snyk.io/vuln/SNYK-DEBIAN11-SHADOW-528840
Introduced through: gnupg2/dirmngr@2.2.27-2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8
From: gnupg2/dirmngr@2.2.27-2 > adduser@3.118 > shadow/passwd@1:4.8.1-1
From: shadow/login@1:4.8.1-1
From: util-linux/mount@2.36.1-8 > util-linux@2.36.1-8 > shadow/login@1:4.8.1-1
✗ Low severity vulnerability found in shadow/passwd
Description: Incorrect Permission Assignment for Critical Resource
Info: https://snyk.io/vuln/SNYK-DEBIAN11-SHADOW-539870
Introduced through: gnupg2/dirmngr@2.2.27-2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8
From: gnupg2/dirmngr@2.2.27-2 > adduser@3.118 > shadow/passwd@1:4.8.1-1
From: shadow/login@1:4.8.1-1
From: util-linux/mount@2.36.1-8 > util-linux@2.36.1-8 > shadow/login@1:4.8.1-1
✗ Low severity vulnerability found in perl/perl-base
Description: Link Following
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PERL-532614
Introduced through: meta-common-packages@meta, perl/libperl5.32@5.32.1-4+deb11u2, perl@5.32.1-4+deb11u2, perl/perl-modules-5.32@5.32.1-4+deb11u2
From: meta-common-packages@meta > perl/perl-base@5.32.1-4+deb11u2
From: perl/libperl5.32@5.32.1-4+deb11u2
From: perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
and 4 more.
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-523392
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-525075
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Uncontrolled Recursion
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529298
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in openssl/libssl1.1
Description: Cryptographic Issues
Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-518334
Introduced through: postgresql-12@12.9-1.pgdg110+1, gnupg2/dirmngr@2.2.27-2
From: postgresql-12@12.9-1.pgdg110+1 > openssl/libssl1.1@1.1.1k-1+deb11u1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-14/libpq5@14.1-1.pgdg110+1 > openssl/libssl1.1@1.1.1k-1+deb11u1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-common@232.pgdg110+1 > ssl-cert@1.1.0+nmu1 > openssl@1.1.1k-1+deb11u1 > openssl/libssl1.1@1.1.1k-1+deb11u1
and 2 more.
✗ Low severity vulnerability found in openssl/libssl1.1
Description: Cryptographic Issues
Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-525332
Introduced through: postgresql-12@12.9-1.pgdg110+1, gnupg2/dirmngr@2.2.27-2
From: postgresql-12@12.9-1.pgdg110+1 > openssl/libssl1.1@1.1.1k-1+deb11u1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-14/libpq5@14.1-1.pgdg110+1 > openssl/libssl1.1@1.1.1k-1+deb11u1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-common@232.pgdg110+1 > ssl-cert@1.1.0+nmu1 > openssl@1.1.1k-1+deb11u1 > openssl/libssl1.1@1.1.1k-1+deb11u1
and 2 more.
✗ Low severity vulnerability found in openldap/libldap-2.4-2
Description: Improper Initialization
Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-521320
Introduced through: gnupg2/dirmngr@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-14/libpq5@14.1-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
✗ Low severity vulnerability found in openldap/libldap-2.4-2
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-531344
Introduced through: gnupg2/dirmngr@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-14/libpq5@14.1-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
✗ Low severity vulnerability found in openldap/libldap-2.4-2
Description: Cryptographic Issues
Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-531747
Introduced through: gnupg2/dirmngr@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-14/libpq5@14.1-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
✗ Low severity vulnerability found in openldap/libldap-2.4-2
Description: Improper Certificate Validation
Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-584937
Introduced through: gnupg2/dirmngr@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-14/libpq5@14.1-1.pgdg110+1 > openldap/libldap-2.4-2@2.4.57+dfsg-3
✗ Low severity vulnerability found in ncurses/libtinfo6
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-DEBIAN11-NCURSES-1655741
Introduced through: bash/bash@5.1-2+b3, ncurses/ncurses-bin@6.2+20201114-2, postgresql-12@12.9-1.pgdg110+1, util-linux/mount@2.36.1-8, gnupg2/dirmngr@2.2.27-2, gnupg2/gnupg@2.2.27-2, ncurses/ncurses-base@6.2+20201114-2
From: bash/bash@5.1-2+b3 > ncurses/libtinfo6@6.2+20201114-2
From: ncurses/ncurses-bin@6.2+20201114-2 > ncurses/libtinfo6@6.2+20201114-2
From: postgresql-12@12.9-1.pgdg110+1 > llvm-toolchain-11/libllvm11@1:11.0.1-2 > ncurses/libtinfo6@6.2+20201114-2
and 8 more.
✗ Low severity vulnerability found in libxslt/libxslt1.1
Description: Use of Insufficiently Random Values
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBXSLT-514942
Introduced through: postgresql-12@12.9-1.pgdg110+1
From: postgresql-12@12.9-1.pgdg110+1 > libxslt/libxslt1.1@1.1.34-4
✗ Low severity vulnerability found in libsepol/libsepol1
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315627
Introduced through: gnupg2/dirmngr@2.2.27-2
From: gnupg2/dirmngr@2.2.27-2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1
✗ Low severity vulnerability found in libsepol/libsepol1
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315629
Introduced through: gnupg2/dirmngr@2.2.27-2
From: gnupg2/dirmngr@2.2.27-2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1
✗ Low severity vulnerability found in libsepol/libsepol1
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315635
Introduced through: gnupg2/dirmngr@2.2.27-2
From: gnupg2/dirmngr@2.2.27-2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1
✗ Low severity vulnerability found in libsepol/libsepol1
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315641
Introduced through: gnupg2/dirmngr@2.2.27-2
From: gnupg2/dirmngr@2.2.27-2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1
✗ Low severity vulnerability found in gnutls28/libgnutls30
Description: Improper Input Validation
Info: https://snyk.io/vuln/SNYK-DEBIAN11-GNUTLS28-515971
Introduced through: gnupg2/dirmngr@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > gnutls28/libgnutls30@3.7.1-5
From: gnupg2/dirmngr@2.2.27-2 > openldap/libldap-2.4-2@2.4.57+dfsg-3 > gnutls28/libgnutls30@3.7.1-5
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4 > gnutls28/libgnutls30@3.7.1-5
✗ Low severity vulnerability found in apt/libapt-pkg6.0
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-APT-522585
Introduced through: postgresql-12@12.9-1.pgdg110+1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4
✗ High severity vulnerability found in perl/perl-base
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976
Introduced through: meta-common-packages@meta, perl/libperl5.32@5.32.1-4+deb11u2, perl@5.32.1-4+deb11u2, perl/perl-modules-5.32@5.32.1-4+deb11u2
From: meta-common-packages@meta > perl/perl-base@5.32.1-4+deb11u2
From: perl/libperl5.32@5.32.1-4+deb11u2
From: perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
and 4 more.
✗ High severity vulnerability found in libgcrypt20
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
Introduced through: gnupg2/dirmngr@2.2.27-2, gnupg2/gnupg@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/dirmngr@2.2.27-2 > gnupg2/gpgconf@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/gnupg@2.2.27-2 > gnupg2/gnupg-utils@2.2.27-2 > libgcrypt20@1.8.7-6
and 9 more.
✗ Critical severity vulnerability found in glibc/libc-bin
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
Introduced through: glibc/locales@2.31-13+deb11u2, postgresql-12@12.9-1.pgdg110+1, meta-common-packages@meta
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-bin@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-l10n@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2
and 2 more.
Package manager: deb
Project name: docker-image|postgres
Docker image: postgres:12
Platform: linux/amd64
Base image: postgres:12.9-bullseye
Tested 147 dependencies for known vulnerabilities, found 48 vulnerabilities.
According to our scan, you are currently using the most secure version of the selected base image
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
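The text output above can be turned into a CI gate. As an added example (not from the post, Docker or Snyk), this Python script parses the `✗ <severity> severity vulnerability found in <package>` lines and the `Description:` / `Info:` lines that follow each, counts findings by severity, and fails when anything at or above a chosen threshold is present. The sample input is constructed from a few of the lines above and includes the case where the first finding is fused onto the `Testing ...` line.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the text format `docker scan` printed above.
SAMPLE_OUTPUT = """\
Testing postgres:12...✗ Low severity vulnerability found in tar
Description: CVE-2005-2541
Info: https://snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
Introduced through: meta-common-packages@meta
✗ High severity vulnerability found in libgcrypt20
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
✗ Critical severity vulnerability found in glibc/libc-bin
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
Tested 147 dependencies for known vulnerabilities, found 48 vulnerabilities.
"""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# search() rather than match(): the first finding may share a line with "Testing <image>..."
FINDING_RE = re.compile(r"✗ (?P<sev>\w+) severity vulnerability found in (?P<pkg>\S+)")

def parse_findings(text):
    """Return one dict per finding: severity, package, description, info URL."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = FINDING_RE.search(line)
        if m:
            findings.append({"severity": m.group("sev").lower(), "package": m.group("pkg"),
                             "description": "", "info": ""})
        elif findings and line.startswith("Description: "):
            findings[-1]["description"] = line[len("Description: "):]
        elif findings and line.startswith("Info: "):
            findings[-1]["info"] = line[len("Info: "):]
    return findings

def count_by_severity(findings):
    return dict(Counter(f["severity"] for f in findings))

def gate(findings, threshold="high"):
    """Findings at or above threshold; an empty list means the image passes."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= limit]

if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    print(count_by_severity(found))
    blockers = gate(found)
    for f in blockers:
        print(f"BLOCK {f['severity']:8} {f['package']}: {f['description']} ({f['info']})")
    raise SystemExit(1 if blockers else 0)   # non-zero exit fails the pipeline step
```

In a real pipeline, pipe `docker scan postgres:12 | python3 gate.py` (reading stdin instead of the constructed sample), or use `docker scan --json` and parse the JSON, which is more robust than text matching.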

You get the following free scans per month:
Local vulnerability scans: 10 scans

Local vulnerability scans with Snyk: 200 scans

For more information, refer to:

https://docs.docker.com/engine/scan
https://www.docker.com/pricing

Please continue reading with Part 2 here:
