Docker Scout for Your Kubernetes Cluster

ajeetraina

Ajeet Singh Raina

Posted on November 16, 2023

Docker Scout is a collection of secure software supply chain capabilities that provide insights into the composition and security of container images. It analyzes image contents and generates a detailed report of packages and vulnerabilities it detects, providing suggestions for remediation.

Docker Scout analyzes the contents of container images and generates a report of the packages and vulnerabilities it detects, helping users identify and remediate issues. Docker Scout is available through multiple interfaces, including the Docker Desktop and Docker Hub user interfaces, a web-based user interface (scout.docker.com), and a command-line interface (CLI) plugin. Through these interfaces users can view and interact with Docker Scout to gain a deeper understanding of the composition and security of their container images.

Click Here to access a curated List of Docker Scout Resources

How does Docker Scout work?

Docker Scout uses SBOMs to cross-reference with streaming CVE data to surface vulnerabilities (and potential remediation recommendations) as soon as possible. An SBOM, or software bill of materials, is a nested inventory, a list of ingredients that make up software components.

How is Docker Scout different from other security tools?

Scout ditches traditional scheduled scans for a modern event-driven model. If a new vulnerability affecting your images is announced, Scout shows your updated risk within seconds. It’s always alert, updating vulnerability info from 17+ sources in real time. This data is compared with your Software Bill of Materials for up-to-the-minute accuracy.

You can also add your internal advisories to the mix, ensuring a comprehensive view of your security. So, with Scout, you’ll always be a step ahead, swiftly spotting and fixing vulnerabilities without the wait.

What is Skout and what problem does it solve?

Skout is not an official product of Docker but a tool built by Docker Staff Engineer Felipe Cruz. With skout, you can get a bird's eye view of the number of Common Vulnerabilities and Exposures (CVEs) detected in the container images running on your Kubernetes cluster.

GitHub URL: https://github.com/felipecruz91/skout

Docker Desktop 4.17 or higher is strongly recommended, because skout uses the docker scout CLI plugin that ships with that version of Docker Desktop.

Getting Started

  • Install Docker Desktop 4.25.1

  • Enable Kubernetes Cluster

Installing Skout

curl -LsO https://github.com/felipecruz91/skout/releases/download/0.0.3/skout_0.0.3_darwin_arm64.tar.gz
tar -xvf skout_0.0.3_darwin_arm64.tar.gz
sudo mv skout /usr/local/bin/skout
  • Running Skout for the first time
skout
2023/11/16 10:44:55 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 10:44:55 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 10:44:55 Analyzing a total of 8 images, this may take a few seconds...
┌─────────────┬────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┬──────────────────────────────────────┐
│ NAMESPACE   │ POD                                    │ CONTAINER (IMAGE)                                                                             │ VULNERABILITIES                      │
├─────────────┼────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ kube-system │ coredns-5dd5756b68-bpjmm               │ coredns (registry.k8s.io/coredns/coredns:v1.10.1)                                             │   2C     14H     10M     1L   (27)   │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ coredns-5dd5756b68-hhvtg               │ coredns (registry.k8s.io/coredns/coredns:v1.10.1)                                             │   2C     14H     10M     1L   (27)   │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ etcd-docker-desktop                    │ etcd (registry.k8s.io/etcd:3.5.9-0)                                                           │   0C     17H     13M     0L   (30)   │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ kube-apiserver-docker-desktop          │ kube-apiserver (registry.k8s.io/kube-apiserver:v1.28.2)                                       │   0C     6H     4M     0L   (10)     │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ kube-controller-manager-docker-desktop │ kube-controller-manager (registry.k8s.io/kube-controller-manager:v1.28.2)                     │   0C     6H     5M     0L   (11)     │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ kube-proxy-q5xpg                       │ kube-proxy (registry.k8s.io/kube-proxy:v1.28.2)                                               │   0C     7H     9M     0L   (16)     │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ kube-scheduler-docker-desktop          │ kube-scheduler (registry.k8s.io/kube-scheduler:v1.28.2)                                       │   0C     6H     4M     0L   (10)     │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ storage-provisioner                    │ storage-provisioner (docker/desktop-storage-provisioner:v2.0)                                 │   3C     50H     19M     1L   (73)   │
│             ├────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │ vpnkit-controller                      │ vpnkit-controller (docker/desktop-vpnkit-controller:dc331cb22850be0cdd97c84a9cfecaf44a1afb6e) │   0C     3H     7M     0L   (10)     │
├─────────────┼────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┤
│             │                                        │ TOTAL                                                                                         │   7C     123H     81M     3L   (214) │
└─────────────┴────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┴──────────────────────────────────────┘

Scout Demo Service

To demonstrate Skout, let us use the Scout sample app from the repository below. The repository holds an application and a Dockerfile that demonstrate how Docker Scout analyzes and remediates CVEs in a container image.

Clone the repository

git clone https://github.com/docker/scout-demo-service
cd scout-demo-service
# the trailing "." is the build context; without it docker build fails
docker build -t ajeetraina/docker-scout-demo:0.1 .

The provided YAML manifests define a Kubernetes Namespace and a Deployment within that Namespace. Let's take a look:

---
apiVersion: v1
kind: Namespace
metadata:
  name: ns2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scout-demo-service-deployment
  namespace: ns2
spec:
  selector:
    matchLabels:
      app: scout-demo
  replicas: 1
  template:
    metadata:
      labels:
        app: scout-demo
    spec:
      containers:
      - name: scout-demo
        image: ajeetraina/docker-scout-demo:0.1
        ports:
        - containerPort: 3000

Lines 1-4:

This declares a Namespace named ns2. Namespaces provide a way to logically organize resources in a Kubernetes cluster. They allow you to isolate resources and control access to them.

Lines 4-24:

This defines a Deployment named scout-demo-service-deployment within the ns2 Namespace. A Deployment ensures that a specified number of Pod replicas are running at all times.

  • replicas: 1 indicates that there should always be one running Pod for this Deployment.
  • selector matches Pods with the label app: scout-demo, ensuring that the Deployment manages those Pods.

The Deployment's template defines the Pod spec:

  • image: ajeetraina/docker-scout-demo:0.1 specifies the Docker image to use for the Pod's container.
  • ports declares the port the container listens on. In this case, containerPort: 3000 records that the application inside the container serves on port 3000.

When you apply these manifests, Kubernetes will create the Namespace ns2 and deploy a single Pod based on the scout-demo-service-deployment definition. The Pod will run the specified Docker image and expose port 3000.

Apply the Manifest

 kubectl apply -f scout-demo.yaml

Running Skout for Kubernetes Pod

skout --namespace ns2
2023/11/16 11:21:16 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 11:21:16 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 11:21:16 Analyzing a total of 1 images, this may take a few seconds...
┌───────────┬───────────────────────────────────────────────┬───────────────────────────────────────────────┬─────────────────────────────────┐
│ NAMESPACE │ POD                                           │ CONTAINER (IMAGE)                             │ VULNERABILITIES                 │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│ ns2       │ scout-demo-service-deployment-f4647b874-96qgd │ scout-demo (ajeetraina/docker-scout-demo:1.0) │   0C     0H     0M     0L   (0) │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│           │                                               │ TOTAL                                         │   0C     0H     0M     0L   (0) │
└───────────┴───────────────────────────────────────────────┴───────────────────────────────────────────────┴─────────────────────────────────┘

It shows that the Docker Scout demo service has high-severity vulnerabilities.
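The per-severity counts in skout's TOTAL row are what a team would gate on before a deploy. The script below is an added example, not part of the post or of skout: it parses the TOTAL row of skout's table output and fails when the critical or high count exceeds a threshold. The sample rows are constructed to match the table format shown above, and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not the post's or skout's own code): turn skout's table into a
# policy gate for a CI job or a pre-deploy check. It reads the TOTAL row, pulls
# out the critical/high/medium/low counts and fails when critical or high
# exceed the given thresholds. Sample rows and thresholds are assumptions.

# Constructed samples modelled on the TOTAL rows skout prints in the post.
SKOUT_SAMPLE_VULN='│             │                                        │ TOTAL │   7C     123H     81M     3L   (214) │'
SKOUT_SAMPLE_CLEAN='│           │                                               │ TOTAL │   0C     0H     0M     0L   (0) │'

# Print "C H M L" as four plain integers taken from the TOTAL row of skout output ($1).
# Log lines and per-pod rows are dropped because only the TOTAL row is matched.
skout_totals() {
    printf '%s\n' "$1" | grep 'TOTAL' | sed -E \
        's/.*[^0-9]([0-9]+)C[^0-9]+([0-9]+)H[^0-9]+([0-9]+)M[^0-9]+([0-9]+)L.*/\1 \2 \3 \4/'
}

# Return 0 when critical <= $2 and high <= $3, 1 when the policy is exceeded,
# and 2 when no TOTAL row could be parsed (an unparsable report must not pass).
skout_gate() {
    totals=$(skout_totals "$1")
    [ -n "$totals" ] || return 2
    crit=${totals%% *}
    rest=${totals#* }
    high=${rest%% *}
    [ "$crit" -le "$2" ] && [ "$high" -le "$3" ]
}

# Usage against a live cluster, with the skout call the post shows:
#   skout_gate "$(skout --namespace ns2)" 0 5 || echo "blocked: vulnerability policy exceeded"
```

A return code of 2 is deliberately distinct from 1 so a pipeline can tell "policy failed" from "skout produced no table" (for example when the Docker Desktop version check fails).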

Fixing the Vulnerabilities

Let's fix the vulnerabilities by changing the express version in package.json file from:

"dependencies": {
    "express": "4.17.1"
}

to

"dependencies": {
    "express": "4.17.3"
}

and then re-building the Docker image. I have already built and named this new Docker image as ajeetraina/docker-scout-demo:1.0.

The new YAML file looks like this:

---
apiVersion: v1
kind: Namespace
metadata:
  name: ns2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scout-demo-service-deployment
  namespace: ns2
spec:
  selector:
    matchLabels:
      app: scout-demo
  replicas: 1
  template:
    metadata:
      labels:
        app: scout-demo
    spec:
      containers:
      - name: scout-demo
        image: ajeetraina/docker-scout-demo:1.0
        ports:
        - containerPort: 3000

Apply the Manifest

 kubectl apply -f scout-demo.yaml

Running Skout for Kubernetes Pod

skout --namespace ns2
2023/11/16 11:21:16 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 11:21:16 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 11:21:16 Analyzing a total of 1 images, this may take a few seconds...
┌───────────┬───────────────────────────────────────────────┬───────────────────────────────────────────────┬─────────────────────────────────┐
│ NAMESPACE │ POD                                           │ CONTAINER (IMAGE)                             │ VULNERABILITIES                 │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│ ns2       │ scout-demo-service-deployment-f4647b874-96qgd │ scout-demo (ajeetraina/docker-scout-demo:1.0) │   0C     0H     0M     0L   (0) │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────┤
│           │                                               │ TOTAL                                         │   0C     0H     0M     0L   (0) │
