Merge pull request #13971 from usha-mandya/engdocs-553

Update docker scan pages to include info on Log4J fix
This commit is contained in:
Usha Mandya 2021-12-15 12:05:48 +00:00 committed by GitHub
commit 687bdaffaa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 113 additions and 10 deletions

View File

@ -5,12 +5,13 @@ keywords: docker scan, scan, images, snyk, vulnerability
---
{% include sign-up-cta.html
body="You can now get 10 free scans per month as part of your Docker subscription. Sign in to Docker to start scanning your images for vulnerabilities."
header-text="This feature requires a Docker subscription"
body="Did you know that you can now get 10 free scans per month? Sign in to Docker to start scanning your images for vulnerabilities."
header-text="Scan your images for free"
target-url="https://www.docker.com/pricing?utm_source=docker&utm_medium=webreferral&utm_campaign=docs_driven_upgrade_scan"
%}
This page contains recommendations and best practices for scanning and building secure images.
This page contains recommendations and best practices for scanning and building
secure images.
Docker and Snyk have partnered together to bring security natively into the development workflow by providing a simple and streamlined approach for developers to build and deploy secure containers. Container security spans multiple teams - developers, security, and operations. Additionally, there are multiple layers of security that apply to containers:
@ -25,6 +26,15 @@ Including the vulnerability scanning options into the Docker platform extends th
## Scanning images
> **Log4j 2 CVE-2021-44228**
>
> Versions of `docker scan` earlier than `v0.11.0` are not able to detect [Log4j 2
> CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228){:
> target="_blank" rel="noopener" class="_"}. You must update your Docker Desktop
> installation to version 4.3.1 or higher to fix this issue. For more information,
> see [Scan images for Log4j 2 CVE](../../engine/scan#scan-images-for-log4j-2-cve).
{: .important}
You can trigger scans automatically by pushing an image to Docker Hub. You can achieve this either through the `docker scan` command in the CLI, or through Docker Hub.
### Scan using the CLI
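Review bot: the Log4j 2 admonition in this hunk gives only Docker Desktop users an actionable fix ("update your Docker Desktop installation to version 4.3.1 or higher"), while Linux users of the `docker scan` plugin get the fix by updating the `docker-scan-plugin` package, as the engine/scan page in this same PR describes; suggest either mirroring the Hub page wording ("update your Docker installation to the latest version") or adding a clause such as "or, on Linux, install the latest `docker-scan-plugin` package" ahead of the link to the detailed section, so the best-practices page does not read as Desktop-only.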

Binary file not shown.

Before: Size 130 KiB
After: Size 17 KiB

View File

@ -10,15 +10,34 @@ title: Hub Vulnerability Scanning
target-url="https://www.docker.com/pricing?utm_source=docker&utm_medium=webreferral&utm_campaign=docs_driven_upgrade_scan"
%}
Docker Hub Vulnerability Scanning enables you to automatically scan Docker images for vulnerabilities using Snyk. This uses the same technology as the [docker scan](../engine/scan/index.md) command.
Docker Hub Vulnerability Scanning enables you to automatically scan Docker
images for vulnerabilities using Snyk. This uses the same technology as the
[docker scan](../engine/scan/index.md) command.
> When you enable Hub Vulnerability Scanning, you can also see whether your
> images are affected by Log4Shell (CVE-2021-44228). For more information, see
> [Scan images](#scan-images-on-docker-hub).
When you push an image to Docker Hub after enabling vulnerability scanning, Docker Hub automatically scans the image to identify vulnerabilities in your container images. Vulnerability Scanning allows developers and development teams to review the security state of the container images and take actions to fix issues identified during the scan, resulting in more secure deployments. The scan result includes the source of the vulnerability, such as OS packages and libraries, version in which it was introduced, and a recommended fixed version (if available) to remediate the vulnerabilities discovered.
## Scan images
## Scan images on Docker Hub
Hub Vulnerability scanning allows repository owners and administrators of a Docker Pro, Team, or a Business tier to enable and disable scanning.
> **Log4j 2 CVE-2021-44228**
>
> Versions of `docker scan` earlier than `v0.11.0` are not able to detect [Log4j
2 CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228){:
target="_blank" rel="noopener" class="_"}. You must update your Docker
> installation to the latest version to fix this issue. For more
> information, see [Scan images for Log4j 2 CVE](../../engine/scan#scan-images-for-log4j-2-cve).
{: .important}
In addition, repository owners in a Docker Pro subscription and team members in a Team, or a Business subscription can view the detailed scan reports. When scanning is enabled on a specific repository, anyone with push access can trigger a scan by pushing an image to Docker Hub.
Hub Vulnerability scanning allows repository owners and administrators of a
Docker Pro, Team, or a Business tier to enable and disable scanning. When scanning is enabled on a specific repository, anyone with push access can trigger a scan by pushing an image to Docker Hub.
In addition, repository owners in a Docker Pro subscription and team members in a Team, or a Business subscription can view the detailed scan reports, including
information about whether or not an image is affected by the **Log4j 2 CVE**.
You must push the image to Docker Hub to trigger a scan that
allows you to view the Log4j 2 CVE results.
> **Note**
>
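Review bot: the second and third lines of the Log4j 2 admonition added in this hunk (`2 CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228){:` and `target="_blank" rel="noopener" class="_"}. You must update your Docker`) are missing the `> ` blockquote prefix that the other two copies of this note in the PR carry; kramdown usually accepts them as lazy continuation lines, but an attribute list split across an unprefixed line is fragile, so add the prefix. Separately, the note warns about `docker scan` client versions earlier than `v0.11.0` on a page whose scans run server-side on push; say explicitly that Hub scanning has been updated and that the client-version caveat applies only to local `docker scan`, otherwise readers may believe a CLI upgrade is needed to see Hub results. Finally, "You must push the image to Docker Hub to trigger a scan that allows you to view the Log4j 2 CVE results" implies that existing scan reports are not re-evaluated; state that directly (images scanned before the update must be pushed again) so teams do not rely on stale reports.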

View File

@ -16,11 +16,85 @@ Looking to speed up your development cycles? Quickly detect and learn how to rem
Vulnerability scanning for Docker local images allows developers and development teams to review the security state of the container images and take actions to fix issues identified during the scan, resulting in more secure deployments. Docker Scan runs on Snyk engine, providing users with visibility into the security posture of their local Dockerfiles and local images.
Users trigger vulnerability scans through the CLI, and use the CLI to view the scan results. The scan results contain a list of Common Vulnerabilities and Exposures (CVEs), the sources, such as OS packages and libraries, versions in which they were introduced, and a recommended fixed version (if available) to remediate the CVEs discovered.
Users trigger vulnerability scans through the CLI, and use the CLI to view the
scan results. The scan results contain a list of Common Vulnerabilities and
Exposures (CVEs), the sources, such as OS packages and libraries, versions in
which they were introduced, and a recommended fixed version (if available) to
remediate the CVEs discovered.
> **Log4j 2 CVE-2021-44228**
>
> Versions of `docker Scan` earlier than `v0.11.0` are not able to detect [Log4j 2
> CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228){:
> target="_blank" rel="noopener" class="_"}. You must update your Docker
> Desktop installation to 4.3.1 or higher to fix this issue. For more
> information, see [Scan images for Log4j 2 CVE](#scan-images-for-log4j-2-cve).
{: .important}
For information about the system requirements to run vulnerability scanning, see [Prerequisites](#prerequisites).
This page contains information about the `docker scan` CLI command. For information about automatically scanning Docker images through Docker Hub, see [Hub Vulnerability Scanning](/docker-hub/vulnerability-scanning/).
This page contains information about the `docker scan` CLI command. For
information about automatically scanning Docker images through Docker Hub, see
[Hub Vulnerability Scanning](/docker-hub/vulnerability-scanning/).
## Scan images for Log4j 2 CVE
Docker Scan versions earlier than `v0.11.0` do not detect [Log4j 2
CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228){:
target="_blank" rel="noopener" class="_"} when you scan your
images for vulnerabilities. You must update your Docker installation to the
latest version to fix this issue.
If you are using the `docker scan` plugin shipped
with Docker Desktop, update Docker Desktop to version 4.3.1 or
higher. See the release notes for [Mac](../../desktop/mac/release-notes/index.md) and
[Windows](../../desktop/windows/release-notes/index.md) for download information.
If you are using Linux, run the following command to manually install the latest
version of `docker scan`:
On `.deb` based distros, such as Ubuntu and Debian:
```console
$ apt-get update && apt-get install docker-scan-plugin
```
On rpm-based distros, such as CentOS or Fedora:
```console
$ yum install docker-scan-plugin
```
Alternatively, you can manually download the `docker scan` binaries from the [Docker Scan](https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0){:
target="_blank" rel="noopener" class="_"} GitHub repository and
[install](https://github.com/docker/scan-cli-plugin){:
target="_blank" rel="noopener" class="_"} in the plugins directory.
### Verify the `docker scan` version
After upgrading `docker scan`, verify you are running the latest version by
running the following command:
```console
$ docker scan --accept-license --version
Version: v0.12.0
Git commit: 1074dd0
Provider: Snyk (1.790.0 (standalone))
```
If your code output contains `ORGAPACHELOGGINGLOG4J`, it is
likely that your code is affected by the Log4j 2 CVE-2021-44228 vulnerability. When you run the updated version of `docker scan`, you should also see a message
in the output log similar to:
```console
Upgrade org.apache.logging.log4j:log4j-core@2.14.0 to org.apache.logging.log4j:log4j-core@2.15.0 to fix
✗ Arbitrary Code Execution (new) [Critical Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:log4j-core@2.14.0
introduced by org.apache.logging.log4j:log4j-core@2.14.0
```
For more information, read our blog post [Apache Log4j 2
CVE-2021-44228](https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/){:
target="_blank" rel="noopener" class="_"}.
## How to scan images
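Review bot: `docker Scan` in the first line of the admonition should be `docker scan`, the command name used everywhere else on the page. "If your code output contains `ORGAPACHELOGGINGLOG4J`" reads as though the user's application prints that string; it is part of the Snyk vulnerability id in the `docker scan` output, so "If the scan output contains ..." is clearer. The manual-download link is pinned to the `v0.11.0` release tag while the verification block a few paragraphs later shows `Version: v0.12.0`; link to the releases page (or the latest tag) so the pinned URL does not send readers to an older plugin than the docs expect. In the sample output, the "Upgrade org.apache.logging.log4j:log4j-core@2.14.0 to org.apache.logging.log4j:log4j-core@2.15.0" line reflects Snyk's advice at the time the sample was captured; label the versions in that block as an example and tell readers to apply whatever fix version their current scan reports, since the recommended target version comes from the vulnerability database and has moved on since. Minor: the `apt-get` and `yum` commands are shown under a non-root `$` prompt without `sudo`, and Fedora uses `dnf`; either add `sudo` or note that root is required.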
@ -340,7 +414,7 @@ If you use the `--login` flag without any token, you will be redirected to the S
To run vulnerability scanning on your Docker images, you must meet the following requirements:
1. Download and install Docker Desktop.
1. Download and install the latest version of Docker Desktop.
- [Download for Mac with Intel chip](https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-mac-amd64)
- [Download for Mac with Apple chip](https://desktop.docker.com/mac/main/arm64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-mac-arm64)
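Review bot: "the latest version of Docker Desktop" in the new prerequisite line is vaguer than the 4.3.1 minimum stated in the Log4j admonition earlier in this file; restate it here ("Docker Desktop 4.3.1 or later") so the prerequisites list is self-contained. The list also remains Desktop-only; add a bullet for Linux users pointing at the `docker-scan-plugin` package install described in the Log4j section, otherwise the prerequisites imply the CLI cannot be used without Docker Desktop.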