Scanning Docker images for vulnerabilities
You can scan Docker images pushed to a registry for vulnerabilities. You can do this:
Warning
- The vulnerability database is constantly updated with sources containing information on vulnerabilities.
- For some vulnerabilities, there is no information regarding which package versions they will be fixed in. This is because such information is unavailable from current sources.
- The number of Docker image scans you can run per cloud is limited.
- Scanning Docker images for vulnerabilities is charged.
Manually
- In the management console
, select the parent folder for the registry containing the Docker image. - Select Container Registry.
- Select the registry containing the Docker image or create a new one and push an image to it.
- Open the repository with the Docker image.
- Click
next to the Docker image and select Scan. - Wait for the scan to complete. During the scan, the Docker image scan status will be
Scanning
and, once completed, it will change toReady
. - Review the scan results. To do this, in the row of the relevant Docker image, click the value in the Date of last scan column.
To view Docker image scans, select the relevant image and go to the Scan history tab.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Get a list of the Docker images in a registry:
yc container image list --repository-name=<registry_ID>/<Docker_image_name>
Result:
+----------------------+---------------------+-----------------------------+---------+-----------------+ | ID | CREATED | NAME | TAGS | COMPRESSED SIZE | +----------------------+---------------------+-----------------------------+---------+-----------------+ | crpqmsqp5mtb******** | 2021-02-09 08:57:14 | crpp7p7dovf4********/ubuntu | example | 27.2 MB | +----------------------+---------------------+-----------------------------+---------+-----------------+
-
Start a Docker image scan:
yc container image scan <Docker_image_ID>
Result:
done (24s) id: che1el9t4t95******** image_id: crpqmsqp5mtb******** ... medium: "6" low: "13" negligible: "3"
-
Get detailed information on the scan results:
yc container image list-vulnerabilities --scan-result-id=<ID_of_scan_results>
Result:
+------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+ | SEVERITY | NAME | PACKAGE | VERSION | FIXED BY | LINK | +------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+ ... | NEGLIGIBLE | CVE-2016-10228 | glibc | 2.31-0ubuntu9.1 | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228 | | NEGLIGIBLE | CVE-2017-11164 | pcre3 | 2:8.39-12build1 | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164 | | NEGLIGIBLE | CVE-2020-14155 | pcre3 | 2:8.39-12build1 | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155 | +------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+
To view scans by Docker image, run the command:
yc container image list-scan-results --repository-name=<registry_ID>/<Docker_image_name>
Result:
+----------------------+----------------------+---------------------+--------+--------------------------------+ | ID | IMAGE | SCANNED AT | STATUS | VULNERABILITIES | +----------------------+----------------------+---------------------+--------+--------------------------------+ | che1el9t4t95******** | crpqmsqp5mtb******** | 2021-03-16 14:34:02 | READY | medium:6, low:13, negligible:3 | +----------------------+----------------------+---------------------+--------+--------------------------------+
To scan a Docker image, use the scan REST API method for the Scanner resource or the ScannerService/Scan gRPC API call.
To get the scanResultId
scan result ID, use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.
To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilities gRPC API call.
On push
- In the management console
, select the folder that the registry with Docker images belongs to. - Select Container Registry.
- Choose a registry or create a new one.
- Go to the Vulnerability scanner tab.
- Click Edit settings.
- Under Scan Docker images when uploading, select Scan and one of the scanning options:
All repositories
to scan all registry repositories.Selected
to scan only selected repositories:- Click Select repositories.
- Select the appropriate repositories from the list.
- Click Save.
- Click Save.
To automatically scan Docker images on push to a registry, use the create REST API method for the ScanPolicy resource or the ScanPolicyService/Create gRPC API call.
To get the scanResultId
scan result ID, use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.
To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilitiesListVulnerabilities gRPC API call.
On schedule
- In the management console
, select the folder that the registry with Docker images belongs to. - Select Container Registry.
- Choose a registry or create a new one.
- Go to the Vulnerability scanner tab.
- Click Edit settings.
- Under Scheduled Docker image scans, click Add scan rule.
- Select Scan and one of the scanning options:
All repositories
to scan all registry repositories.Selected
to scan only selected repositories:- Click Select repositories.
- Select the appropriate repositories from the list.
- Click Save.
- Specify the frequency of Docker image scans.
- Click Save.
To run scheduled Docker image scans, use the create REST API method for the ScanPolicy resource or the ScanPolicyService/Create gRPC API call.
To get the scanResultId
scan result ID, use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.
To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilitiesListVulnerabilities gRPC API call.