Quickly assess Docker images

Accelerate Your Image Assessment

Dejanu Alex
3 min read · Dec 29, 2023

Quickly assess Docker images using Docker scan and Docker Official images


What are Docker Official Images?

Docker Official Images are a curated set of Docker repositories hosted on Docker Hub. Images that are part of this program have a special badge on Docker Hub making it easier for you to identify projects that are official Docker images.


These images provide essential base repositories that serve as the starting point for most users.

Consider a practical scenario: suppose we want to incorporate an Nginx image into our project. The initial step is to search for the desired image, nginx:

docker search --format "table {{.Name}}\t{{.StarCount}}\t{{.IsOfficial}}" nginx
docker search nginx

Next, we select the desired Official Image (most likely the one with the highest number of stars) and then use Docker Hub's API to list the available tags.

Let's opt for the 1.24.0-perl tag and proceed with pulling the image:

[Screenshot: pull image]

What is Docker Scout?

Docker Scout comes as a plugin within Docker Desktop and helps to analyze container images; more precisely, it provides the means to scan for and fix vulnerabilities in the images that you plan to use.

I'm going to use the command line tool for Docker Scout (version 0.16.1). To quickly view a summary of image vulnerabilities and recommendations, simply run docker scout quickview nginx.

[Screenshot: docker scout quickview output]

If you want to learn more about the vulnerabilities, you can produce a detailed report of the CVEs detected in the container image:

docker scout cves nginx:1.24.0-perl -o nginx.scan
[Screenshot: part of the nginx.scan report]
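The post uses Docker Hub's API to look up tags but does not show the call, and then runs pull, quickview and cves by hand. The following script is an added example, not code from the original post or from Docker: it queries the public tags endpoint (assumed, as labelled in the code, to be https://hub.docker.com/v2/repositories/library/<image>/tags with paginated JSON containing "next" and "results[].name"), filters the returned tags to a version prefix so you pin a specific tag rather than a floating one, and builds the same three commands the post runs as argv lists. A constructed two-page sample response is embedded so the tag handling can be exercised offline; the live fetch and the docker commands only run when the script is started from the command line with --run.

```python
"""Added example: pick a pinned Official Image tag via the Docker Hub API and
build the pull / docker scout commands for it. Not the post's own code."""
import json
import subprocess
import sys
from typing import Callable, Dict, List, Optional
from urllib.request import urlopen

# Assumption: Docker Hub v2 tags endpoint; Official Images live under "library/".
HUB_API = "https://hub.docker.com/v2/repositories"


def tags_url(image: str, page_size: int = 100) -> str:
    """URL of the first tags page for an image (library namespace if unqualified)."""
    repo = image if "/" in image else f"library/{image}"
    return f"{HUB_API}/{repo}/tags?page_size={page_size}"


def fetch_json(url: str) -> dict:
    """Live fetch of one API page (only used when no fetcher is injected)."""
    with urlopen(url, timeout=15) as resp:
        return json.load(resp)


def list_tags(image: str, fetch: Callable[[str], dict] = fetch_json,
              max_pages: int = 10) -> List[Dict[str, str]]:
    """Follow the paginated "next" links and collect tag name and last_updated.
    max_pages bounds the walk so a huge repository cannot loop forever."""
    url: Optional[str] = tags_url(image)
    tags: List[Dict[str, str]] = []
    for _ in range(max_pages):
        if not url:
            break
        page = fetch(url)
        for t in page.get("results", []):
            tags.append({"name": t["name"], "last_updated": t.get("last_updated", "")})
        url = page.get("next")
    return tags


def filter_tags(tags: List[Dict[str, str]], prefix: str = "",
                exclude_latest: bool = True) -> List[str]:
    """Keep tag names starting with prefix, sorted. "latest" is dropped by default:
    a floating tag cannot be pinned, so a scan of it is not reproducible."""
    names = [t["name"] for t in tags if t["name"].startswith(prefix)]
    if exclude_latest:
        names = [n for n in names if n != "latest"]
    return sorted(names)


def assessment_commands(image: str, tag: str, report: str) -> List[List[str]]:
    """The three commands the post runs, as argv lists (no shell interpolation)."""
    ref = f"{image}:{tag}"
    return [
        ["docker", "pull", ref],
        ["docker", "scout", "quickview", ref],
        ["docker", "scout", "cves", ref, "-o", report],
    ]


# Constructed sample: two API pages for library/nginx, shaped like the real response.
_PAGE2 = f"{HUB_API}/library/nginx/tags?page_size=100&page=2"
SAMPLE_PAGES = {
    tags_url("nginx"): {
        "next": _PAGE2,
        "results": [
            {"name": "latest", "last_updated": "2023-12-20T00:00:00Z"},
            {"name": "1.24.0-perl", "last_updated": "2023-12-01T00:00:00Z"},
        ],
    },
    _PAGE2: {
        "next": None,
        "results": [
            {"name": "1.24.0-alpine", "last_updated": "2023-12-01T00:00:00Z"},
            {"name": "1.25.3", "last_updated": "2023-12-15T00:00:00Z"},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for fetch_json that serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Usage: python assess.py [image] [tag-prefix] [--run]
    args = [a for a in sys.argv[1:] if a != "--run"]
    image = args[0] if args else "nginx"
    prefix = args[1] if len(args) > 1 else ""
    candidates = filter_tags(list_tags(image), prefix)
    print(f"{len(candidates)} tag(s) matching {prefix!r}: {candidates[-5:]}")
    if candidates:
        for cmd in assessment_commands(image, candidates[-1], f"{image}.scan"):
            print(" ".join(cmd))
            if "--run" in sys.argv:
                subprocess.run(cmd, check=True)
```

The fetcher is injected rather than hard-wired so the pagination and filtering logic can be tested against the embedded sample without network access; running the script with a real image name walks the live API.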

Conclusions

Leveraging Docker products and plugins is a rather straightforward way to "shift left" and incorporate security best practices as early as possible.

Currently, Docker Scout is at v1.2.2 and can be integrated with third-party systems (e.g. container registries) to get access to even more insights, such as the composition of images that aren't hosted on Docker Hub.
