Scanning Docker images for vulnerabilities
You can scan Docker images pushed to a registry for vulnerabilities. A scan can be started manually, automatically on push, or on a schedule.
Warning
- The vulnerability database is continuously updated from sources that publish vulnerability information.
- For some vulnerabilities, there is no information about the package version that fixes them, because the current sources do not provide it.
- The number of Docker image scans you can run per cloud is limited.
- Scanning Docker images for vulnerabilities is charged.
Manually
- In the management console, select the folder the registry with the Docker image belongs to.
- Select Container Registry.
- Select the registry containing the Docker image or create a new one and push an image to it.
- Open the repository with the Docker image.
- Click the menu next to the Docker image and select Scan.
- Wait for the scan to complete. During the scan, the Docker image scan status is Scanning; once the scan completes, it changes to Ready.
- Review the scan results. To do this, in the row of the relevant Docker image, click the value in the Date of last scan column.
To view all scans of a Docker image, select the image and go to the Scan history tab.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Get a list of the Docker images in a registry:
yc container image list --repository-name=<registry_ID>/<Docker_image_name>
Result:
+----------------------+---------------------+-----------------------------+---------+-----------------+
| ID                   | CREATED             | NAME                        | TAGS    | COMPRESSED SIZE |
+----------------------+---------------------+-----------------------------+---------+-----------------+
| crpqmsqp5mtb******** | 2021-02-09 08:57:14 | crpp7p7dovf4********/ubuntu | example | 27.2 MB         |
+----------------------+---------------------+-----------------------------+---------+-----------------+
- Start a Docker image scan:
yc container image scan <Docker_image_ID>
Result:
done (24s)
id: che1el9t4t95********
image_id: crpqmsqp5mtb********
...
medium: "6"
low: "13"
negligible: "3"
- Get detailed information on the scan results:
yc container image list-vulnerabilities --scan-result-id=<scan_result_ID>
Result:
+------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+
| SEVERITY   | NAME           | PACKAGE | VERSION         | FIXED BY | LINK                                                          |
+------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+
...
| NEGLIGIBLE | CVE-2016-10228 | glibc   | 2.31-0ubuntu9.1 |          | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228 |
| NEGLIGIBLE | CVE-2017-11164 | pcre3   | 2:8.39-12build1 |          | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164 |
| NEGLIGIBLE | CVE-2020-14155 | pcre3   | 2:8.39-12build1 |          | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155 |
+------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+
An empty FIXED BY column means no fixing package version is known (see the warning above); such findings cannot be cleared by upgrading the package.
To view all scans of a Docker image, run:
yc container image list-scan-results --repository-name=<registry_ID>/<Docker_image_name>
Result:
+----------------------+----------------------+---------------------+--------+--------------------------------+
| ID                   | IMAGE                | SCANNED AT          | STATUS | VULNERABILITIES                |
+----------------------+----------------------+---------------------+--------+--------------------------------+
| che1el9t4t95******** | crpqmsqp5mtb******** | 2021-03-16 14:34:02 | READY  | medium:6, low:13, negligible:3 |
+----------------------+----------------------+---------------------+--------+--------------------------------+
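The CLI steps above (scan, then list-vulnerabilities) are usually wrapped into a pipeline gate. The script below is an added example, not part of the Yandex Cloud documentation or the yc CLI: it runs the same commands with --format json, counts findings at or above a chosen severity, lists the CVEs that have no fix version, and returns a non-zero exit code when the build should be blocked. The sample data is constructed from the output printed on this page. Assumed, and worth checking against real --format json output: that the JSON uses the snake_case field names the YAML output shows (image_id, vulnerabilities), that counters arrive as strings, and that each finding is shaped as {"severity", "package": {"name", "package", "version", "fixed_by", "link"}} after the columns of list-vulnerabilities.

```python
# Added example: a CI gate around `yc container image scan` and
# `yc container image list-vulnerabilities`. Not the page's or the CLI's own code.
import json
import subprocess
import sys

# Severity levels in ascending order, matching the counters the scanner reports.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample: the scan result printed on this page (counters as strings,
# snake_case keys as in the CLI's YAML output; an assumption for --format json).
SAMPLE_SCAN_RESULT = {
    "id": "che1el9t4t95********",
    "image_id": "crpqmsqp5mtb********",
    "status": "READY",
    "vulnerabilities": {"medium": "6", "low": "13", "negligible": "3"},
}

# Constructed sample: the three findings shown on this page. The nested layout
# mirrors the list-vulnerabilities table columns and is an assumption.
SAMPLE_VULNERABILITIES = [
    {"severity": "NEGLIGIBLE",
     "package": {"name": cve, "package": pkg, "version": ver, "fixed_by": "",
                 "link": f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"}}
    for cve, pkg, ver in [
        ("CVE-2016-10228", "glibc", "2.31-0ubuntu9.1"),
        ("CVE-2017-11164", "pcre3", "2:8.39-12build1"),
        ("CVE-2020-14155", "pcre3", "2:8.39-12build1"),
    ]
]


def run_yc_json(*args):
    """Run a yc subcommand with --format json and parse its output.
    Requires an installed and initialized yc CLI (not available offline)."""
    proc = subprocess.run(["yc", *args, "--format", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def scan_image(image_id):
    """Start a scan; `yc container image scan` waits until it is done."""
    return run_yc_json("container", "image", "scan", image_id)


def list_vulnerabilities(scan_result_id):
    """Fetch the per-CVE findings for a finished scan."""
    return run_yc_json("container", "image", "list-vulnerabilities",
                       "--scan-result-id", scan_result_id)


def count_at_or_above(scan_result, threshold):
    """Total number of findings with severity >= threshold.
    Counters may be strings ("6"), so each one is cast to int."""
    counts = scan_result.get("vulnerabilities") or {}
    start = SEVERITY_ORDER.index(threshold)
    return sum(int(counts.get(level, 0)) for level in SEVERITY_ORDER[start:])


def fails_gate(scan_result, threshold="high"):
    """True when the build must be blocked. A scan whose status is not READY
    fails closed: an unfinished or errored scan proves nothing about the image."""
    if scan_result.get("status") != "READY":
        return True
    return count_at_or_above(scan_result, threshold) > 0


def blocking_findings(vulnerabilities, threshold="high"):
    """The individual findings at or above the threshold, for the build log."""
    start = SEVERITY_ORDER.index(threshold)
    blocking = {level.upper() for level in SEVERITY_ORDER[start:]}
    return [v for v in vulnerabilities if v.get("severity", "").upper() in blocking]


def without_fix(vulnerabilities):
    """CVE names reported with an empty FIXED BY value. These cannot be cleared
    by a package upgrade; they need a newer base image or a recorded exception."""
    return [v["package"]["name"] for v in vulnerabilities
            if not v["package"].get("fixed_by")]


def main(argv):
    if len(argv) < 2:
        print("usage: scan_gate.py <Docker_image_ID> [threshold]", file=sys.stderr)
        return 2
    threshold = argv[2] if len(argv) > 2 else "high"
    result = scan_image(argv[1])
    findings = list_vulnerabilities(result["id"])
    for v in blocking_findings(findings, threshold):
        p = v["package"]
        print(f"{v['severity']} {p['name']} in {p['package']} {p['version']} "
              f"(fixed by: {p.get('fixed_by') or 'unknown'})")
    print(f"findings without a known fix: {len(without_fix(findings))}")
    return 1 if fails_gate(result, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_gate.py <Docker_image_ID> medium` from the job that pushes the image. Because the limit on scans per cloud and the per-scan charge apply to every run, trigger it once per pushed tag rather than on every pipeline stage, and reuse the scan result ID from list-scan-results when a later stage only needs the findings.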
To scan a Docker image, use the scan REST API method for the Scanner resource or the ScannerService/Scan gRPC API call.
To get the scan result ID (scanResultId), use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.
To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilities gRPC API call.
On push
- In the management console, select the folder the registry with Docker images belongs to.
- Select Container Registry.
- Choose a registry or create a new one.
- Go to the Vulnerability scanner tab.
- Click Edit settings.
- Under Scan Docker images when uploading, select Scan and one of the scanning options:
  - All repositories: scan all repositories in the registry.
  - Selected: scan only the selected repositories. Click Select repositories, select the appropriate repositories from the list, and click Save.
- Click Save.
To automatically scan Docker images on push to a registry, use the create REST API method for the ScanPolicy resource or the ScanPolicyService/Create gRPC API call.
To get the scan result ID (scanResultId), use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.
To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilities gRPC API call.
On schedule
- In the management console, select the folder the registry with Docker images belongs to.
- Select Container Registry.
- Choose a registry or create a new one.
- Go to the Vulnerability scanner tab.
- Click Edit settings.
- Under Scheduled Docker image scans, click Add scan rule.
- Select Scan and one of the scanning options:
  - All repositories: scan all repositories in the registry.
  - Selected: scan only the selected repositories. Click Select repositories, select the appropriate repositories from the list, and click Save.
- Specify how often the Docker images are scanned.
- Click Save.
To run scheduled Docker image scans, use the create REST API method for the ScanPolicy resource or the ScanPolicyService/Create gRPC API call.
To get the scan result ID (scanResultId), use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.
To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilities gRPC API call.