Docker Scout for Your Kubernetes Cluster
Ajeet Singh Raina
Posted on November 16, 2023
Docker Scout is a collection of secure software supply chain capabilities that provide insights into the composition and security of container images. It analyzes image contents and generates a detailed report of packages and vulnerabilities it detects, providing suggestions for remediation.
Docker Scout analyzes the contents of container images and generates a report of packages and vulnerabilities that it detects, helping users to identify and remediate issues. Docker Scout is available through multiple interfaces, including the Docker Desktop, Docker Hub user interfaces, as well as a web-based user interface (scout.docker.com) and a command-line interface (CLI) plugin. Users can view and interact with Docker Scout through these interfaces to gain a deeper understanding of the composition and security of their container images.
How does Docker Scout work?
Docker Scout uses SBOMs to cross-reference with streaming CVE data to surface vulnerabilities (and potential remediation recommendations) as soon as possible. An SBOM, or software bill of materials, is a nested inventory, a list of ingredients that make up software components.
How is Docker Scout different from other security tools?
Scout ditches traditional scheduled scans for a modern event-driven model. If a new vulnerability affecting your images is announced, Scout shows your updated risk within seconds. It’s always alert, updating vulnerability info from 17+ sources in real time. This data is compared with your Software Bill of Materials for up-to-the-minute accuracy.
You can also add your internal advisories to the mix, ensuring a comprehensive view of your security. So, with Scout, you’ll always be a step ahead, swiftly spotting and fixing vulnerabilities without the wait.
What is Skout and what problem does it solve?
Skout is not an official product of Docker but a tool built by Docker Staff Engineer Felipe Cruz. With skout, you can get a bird's eye view of the number of Common Vulnerabilities and Exposures (CVEs) detected in the container images running on your Kubernetes cluster.
GitHub URL: https://github.com/felipecruz91/skout
It's highly recommended to have Docker Desktop 4.17 or higher as skout will be using the docker scout CLI plugin that is shipped with that version of Docker Desktop.
Getting Started
- Install Docker Desktop 4.25.1
- Enable Kubernetes Cluster
Installing Skout
curl -LsO https://github.com/felipecruz91/skout/releases/download/0.0.3/skout_0.0.3_darwin_arm64.tar.gz
tar -xvf skout_0.0.3_darwin_arm64.tar.gz
sudo mv skout /usr/local/bin/skout
- Running Skout for the first time
skout
2023/11/16 10:44:55 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 10:44:55 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 10:44:55 Analyzing a total of 8 images, this may take a few seconds...
┌─────────────┬────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┬──────────────────────────────────────┐
│ NAMESPACE │ POD │ CONTAINER (IMAGE) │ VULNERABILITIES │
├─────────────┼────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ kube-system │ coredns-5dd5756b68-bpjmm │ coredns (registry.k8s.io/coredns/coredns:v1.10.1) │ 2C 14H 10M 1L (27) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ coredns-5dd5756b68-hhvtg │ coredns (registry.k8s.io/coredns/coredns:v1.10.1) │ 2C 14H 10M 1L (27) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ etcd-docker-desktop │ etcd (registry.k8s.io/etcd:3.5.9-0) │ 0C 17H 13M 0L (30) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ kube-apiserver-docker-desktop │ kube-apiserver (registry.k8s.io/kube-apiserver:v1.28.2) │ 0C 6H 4M 0L (10) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ kube-controller-manager-docker-desktop │ kube-controller-manager (registry.k8s.io/kube-controller-manager:v1.28.2) │ 0C 6H 5M 0L (11) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ kube-proxy-q5xpg │ kube-proxy (registry.k8s.io/kube-proxy:v1.28.2) │ 0C 7H 9M 0L (16) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ kube-scheduler-docker-desktop │ kube-scheduler (registry.k8s.io/kube-scheduler:v1.28.2) │ 0C 6H 4M 0L (10) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ storage-provisioner │ storage-provisioner (docker/desktop-storage-provisioner:v2.0) │ 3C 50H 19M 1L (73) │
│ ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ vpnkit-controller │ vpnkit-controller (docker/desktop-vpnkit-controller:dc331cb22850be0cdd97c84a9cfecaf44a1afb6e) │ 0C 3H 7M 0L (10) │
├─────────────┼────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ │ │ TOTAL │ 7C 123H 81M 3L (214) │
└─────────────┴────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┴──────────────────────────────────────┘
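Skout prints this table once and exits, so the natural next step is to turn it into something a pipeline can act on. The following is an added example (not skout's own code): it parses the pod rows above, collapses replicas that share an image, recomputes the severity totals and applies a simple policy gate. The sample input is constructed from the run shown above; the column layout and the `nC nH nM nL (total)` format are assumed to be stable.

```python
import re

# Constructed sample: the data rows of the skout run above (border lines omitted).
SKOUT_OUTPUT = """\
│ kube-system │ coredns-5dd5756b68-bpjmm │ coredns (registry.k8s.io/coredns/coredns:v1.10.1) │ 2C 14H 10M 1L (27) │
│ │ coredns-5dd5756b68-hhvtg │ coredns (registry.k8s.io/coredns/coredns:v1.10.1) │ 2C 14H 10M 1L (27) │
│ │ etcd-docker-desktop │ etcd (registry.k8s.io/etcd:3.5.9-0) │ 0C 17H 13M 0L (30) │
│ │ kube-apiserver-docker-desktop │ kube-apiserver (registry.k8s.io/kube-apiserver:v1.28.2) │ 0C 6H 4M 0L (10) │
│ │ kube-controller-manager-docker-desktop │ kube-controller-manager (registry.k8s.io/kube-controller-manager:v1.28.2) │ 0C 6H 5M 0L (11) │
│ │ kube-proxy-q5xpg │ kube-proxy (registry.k8s.io/kube-proxy:v1.28.2) │ 0C 7H 9M 0L (16) │
│ │ kube-scheduler-docker-desktop │ kube-scheduler (registry.k8s.io/kube-scheduler:v1.28.2) │ 0C 6H 4M 0L (10) │
│ │ storage-provisioner │ storage-provisioner (docker/desktop-storage-provisioner:v2.0) │ 3C 50H 19M 1L (73) │
│ │ vpnkit-controller │ vpnkit-controller (docker/desktop-vpnkit-controller:dc331cb22850be0cdd97c84a9cfecaf44a1afb6e) │ 0C 3H 7M 0L (10) │
│ │ │ TOTAL │ 7C 123H 81M 3L (214) │
"""
ROW_RE = re.compile(  # one pod row: ns | pod | container (image) | counts
    r"^│\s*(?P<ns>[^│\s]*)\s*│\s*(?P<pod>[^│\s]*)\s*│\s*\S+ \((?P<image>[^)]+)\)\s*│"
    r"\s*(?P<c>\d+)C (?P<h>\d+)H (?P<m>\d+)M (?P<l>\d+)L \(\d+\)\s*│$")
SEVERITIES = ("critical", "high", "medium", "low")

def parse_rows(text):
    # skout blanks the namespace cell for consecutive pods in one namespace; carry it
    # forward. The TOTAL row has no "(image)" cell, so ROW_RE skips it.
    rows, ns = [], ""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ns = m["ns"] or ns
        counts = dict(zip(SEVERITIES, map(int, (m["c"], m["h"], m["m"], m["l"]))))
        rows.append({"namespace": ns, "pod": m["pod"], "image": m["image"], "counts": counts})
    return rows

def unique_images(rows):
    # Replicas (the two coredns pods) share one image; count each image once.
    seen = {}
    for r in rows:
        seen.setdefault(r["image"], r["counts"])
    return seen

def totals(counts_by_key):
    return {s: sum(c[s] for c in counts_by_key.values()) for s in SEVERITIES}

def gate(rows, max_critical=0, max_high=None):
    # Images that breach the policy; an empty list means the scan passes.
    return sorted(img for img, c in unique_images(rows).items()
                  if c["critical"] > max_critical or (max_high is not None and c["high"] > max_high))

if __name__ == "__main__":
    print(totals(unique_images(parse_rows(SKOUT_OUTPUT))), gate(parse_rows(SKOUT_OUTPUT)))
```

Per-pod totals reproduce skout's TOTAL row (7C 123H 81M 3L); the per-image view is lower because the two coredns replicas are counted once, which is the number that matters when deciding which images to rebuild.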
Scout Demo Service
To demonstrate Skout, let us use the Scout sample app from the repository below. This repository holds an application and a Dockerfile that demonstrate the use of Docker Scout to analyze and remediate CVEs in a container image.
Clone the repository
git clone https://github.com/docker/scout-demo-service
cd scout-demo-service
docker build -t ajeetraina/docker-scout-demo:0.1 .
The provided YAML manifests define a Kubernetes Namespace and a Deployment within that Namespace. Let's take a look:
---
apiVersion: v1
kind: Namespace
metadata:
  name: ns2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scout-demo-service-deployment
  namespace: ns2
spec:
  selector:
    matchLabels:
      app: scout-demo
  replicas: 1
  template:
    metadata:
      labels:
        app: scout-demo
    spec:
      containers:
      - name: scout-demo
        image: ajeetraina/docker-scout-demo:0.1
        ports:
        - containerPort: 3000
Lines 1-4:
This declares a Namespace named ns2. Namespaces provide a way to logically organize resources in a Kubernetes cluster. They allow you to isolate resources and control access to them.
Lines 4-24:
This defines a Deployment named scout-demo-service-deployment within the ns2 Namespace. A Deployment ensures that a specified number of Pod replicas are running at all times.
- replicas: 1 indicates that there should always be one running Pod for this Deployment.
- selector matches Pods with the label app: scout-demo, ensuring that the Deployment manages those Pods.
The Deployment's template defines the Pod spec:
- image: ajeetraina/docker-scout-demo:0.1 specifies the Docker image to use for the Pod's container.
- ports declares that the container listens on port 3000 (containerPort: 3000). This field is informational: it does not by itself expose the port outside the Pod, so reaching the service from outside the cluster still requires a Service or a port-forward.
When you apply these manifests, Kubernetes will create the Namespace ns2 and deploy a single Pod based on the scout-demo-service-deployment definition. The Pod will run the specified Docker image, listening on port 3000.
Apply the Manifest
kubectl apply -f scout-demo.yaml
Running Skout for Kubernetes Pod
skout --namespace ns2
2023/11/16 11:21:16 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 11:21:16 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 11:21:16 Analyzing a total of 1 images, this may take a few seconds...
┌───────────┬───────────────────────────────────────────────┬───────────────────────────────────────────────┬─────────────────────────────────┐
│ NAMESPACE │ POD │ CONTAINER (IMAGE) │ VULNERABILITIES │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│ ns2 │ scout-demo-service-deployment-f4647b874-96qgd │ scout-demo (ajeetraina/docker-scout-demo:1.0) │ 0C 0H 0M 0L (0) │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│ │ │ TOTAL │ 0C 0H 0M 0L (0) │
└───────────┴───────────────────────────────────────────────┴───────────────────────────────────────────────┴─────────────────────────────────┘
It shows that the Docker Scout Demo service has high vulnerabilities.
Fixing the Vulnerabilities
Let's fix the vulnerabilities by changing the express version in the package.json file from:
"dependencies": {
  "express": "4.17.1"
}
to
"dependencies": {
  "express": "4.17.3"
}
and then re-building the Docker image. I have already built and named this new Docker image ajeetraina/docker-scout-demo:1.0.
The new YAML file looks like:
---
apiVersion: v1
kind: Namespace
metadata:
  name: ns2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scout-demo-service-deployment
  namespace: ns2
spec:
  selector:
    matchLabels:
      app: scout-demo
  replicas: 1
  template:
    metadata:
      labels:
        app: scout-demo
    spec:
      containers:
      - name: scout-demo
        image: ajeetraina/docker-scout-demo:1.0
        ports:
        - containerPort: 3000
Apply the Manifest
kubectl apply -f scout-demo.yaml
Running Skout for Kubernetes Pod
skout --namespace ns2
2023/11/16 11:21:16 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 11:21:16 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 11:21:16 Analyzing a total of 1 images, this may take a few seconds...
┌───────────┬───────────────────────────────────────────────┬───────────────────────────────────────────────┬─────────────────────────────────┐
│ NAMESPACE │ POD │ CONTAINER (IMAGE) │ VULNERABILITIES │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│ ns2 │ scout-demo-service-deployment-f4647b874-96qgd │ scout-demo (ajeetraina/docker-scout-demo:1.0) │ 0C 0H 0M 0L (0) │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│ │ │ TOTAL │ 0C 0H 0M 0L (0) │