Docker announced Docker Security Scanning, an opt-in service for Docker Cloud private repo plans that provides a security assessment of the software included in container images. It enables detailed image security profiles, continuous vulnerability monitoring and notifications for integrated content security across the entire software supply chain.
Docker Security Scanning provides binary level scanning, generating a detailed security profile for each Docker image, including details that allow IT operations to assess if the software meets its security compliance standards. The service works with existing dev and IT workflows and scans every time a change is shipped, adding a checkpoint before deployment.
Docker Security Scanning works across any application and across all major Linux distributions which allow for integration into a Containers as a Service (CaaS) workflow that improves an organization’s security posture through central IT managed secure content.
Secure the global software supply chain
Also released as part of this security enhancement is an update to Docker Bench, which automates validating a host’s configuration against the CIS Benchmark recommendations. With this update, Docker users can implement recommendations from the latest CIS Docker Benchmark to ensure that their platform is configured to be in-line with the best practices outlined for Docker Engine 1.11.
“We’ve made it our goal to secure the global software supply chain from development, test to production,” said Nathan McCauley, Director of Security at Docker. “As with all of Docker’s tooling, Docker Security Scanning works as an integrated component without any disruption to developer productivity. In fact, Docker Security Scanning enables developers to accelerate their workflows while providing greater visibility into the Docker images they choose to run in their environment. In turn, with usable security capabilities and granular control, IT operations is able to flexibly configure the security policies needed to safeguard their infrastructure.”
Docker image scanning and vulnerability detection provide a container-optimized capability for granular auditing of images. The results are presented in a Bill of Materials containing the details of the image layers and components, along with the security profile of each component. This allows ISVs and app teams to make informed decisions regarding that content based on their respective security policies.
With this information, ISVs can actively fix vulnerabilities to maintain high-quality security profiles of their content that they can then transparently expose to their end users. Meanwhile, app teams can decide if they want to use an ISV image based on the displayed profile and flexibly use Security Scanning to check the additional code before deciding to deploy.
Maintaining software compliance
In addition to improving the integrity of container content, Security Scanning streamlines ongoing operations by automating the cumbersome aspects of maintaining software compliance. Previously, IT operations would have to rely on the information published by each ISV on the state of their content to the CVE (Common Vulnerability and Exposures) databases and have to manually monitor the CVE databases for any issues.
Docker Security Scanning automates this process and notifies the organization when a CVE is reported for any component within the images, enabling IT to address the issue quickly. With Docker, ISVs will have an opportunity to market their up-to-date secure content, with thorough details on what’s inside the container image, to a user community that is pulling 4,000 containers a minute.
Docker Security Scanning is available as an add-on to Docker Cloud private repositories. The feature is free for private repository subscribers until August 1st, 2016, and you can opt-in to begin using the service from the Plan page in Docker Cloud.
During the free period, Docker Cloud scans the three most recently updated tags in each of your private repositories. You can push an update to an older tag to trigger a scan. The scan runs on each new image push, and updates the scan results when new information comes in from the CVE databases.