Ensuring Docker Image Security: A Comprehensive Guide
Written on
Chapter 1: Understanding Docker Image Safety
When it comes to utilizing Docker images sourced from Docker Hub, how can you ensure their safety?
Photo by Timelab Pro on Unsplash
Only a small percentage of public images on Docker Hub undergo verification and scrutiny. Generally, Docker Hub hosts three categories of images:
- Verified: These high-quality images come from confirmed publishers and have been examined by the Docker team for any security vulnerabilities.
- Official: This curated collection features quality Docker images, but they lack rigorous security evaluations. While deemed generally safe, caution is still advised.
- Public: These images can be published by anyone, making it crucial to approach unverified public images with skepticism.
To determine whether a Docker image is safe, it's essential to check if the Open Source Software libraries it relies on are up-to-date and patched against known vulnerabilities (CVEs).
In this guide, we will explore how to scrutinize an image for CVEs and uncover security weaknesses prior to deployment. This step is vital for both production environments and local usage.
Learning Rate is a newsletter aimed at those eager to learn more about AI and MLOps. Join me on the first Saturday of each month for insights on the latest AI developments and articles. Subscribe here!
How Can You Trust a Docker Image?
If you're publishing an image on Docker Hub, it's advisable to sign your Docker Image using Docker Content Trust. When pulling an image, opt for those that are signed. However, this method does not analyze the internal structure of the image for vulnerabilities.
Securing Your Public Docker Images
If viruses could be considered a form of life, then we have indeed created life in our own image.
towardsdatascience.com
What steps can you take? There are two key actions to consider. First, utilize vetted images from reliable sources as your base when constructing your image. Next, conduct a thorough inspection of the final image, breaking it down into separate layers and examining each one for potential vulnerabilities.
Each Docker image layer consists of a software Bill of Materials (BOM), which simply lists the libraries and dependencies required for the image to function correctly. By dissecting the image into its individual layers, the aim is to identify any vulnerabilities within the libraries and packages listed in the BOM.
Breaking Down the BOM
Photo by Tamanna Rumee on Unsplash
To effectively analyze the BOM, you must understand its components. The BOM consists of:
- Libraries directly utilized by the software.
- Other software dependencies that the libraries require.
Both categories must be accounted for to create a comprehensive list of materials that comprise your image. For this analysis, we will employ Syft.
Syft Installation
To install Syft, please refer to the official repository documentation. For instance, the recommended installation method for Linux is to execute the following command:
Examining an Image with Syft
Let’s proceed by pulling the Ubuntu Bionic Beaver image and analyzing its components. First, we will download the image:
docker pull ubuntu:18.04
To view the BOM for this image, execute the following command:
syft ubuntu:18.04
The output will display the 89 packages that constitute the Ubuntu Bionic Beaver image.
Syft results — Image by author
This marks a significant first step, as we now have the BOM for the image. But how can we ascertain whether these packages harbor critical CVEs? Should we check each one against a CVE database individually? Fortunately, there is a more efficient tool available: grype.
Grype Installation
To install grype, please consult the official repository documentation. For Linux distributions, the recommended command is:
Checking an Image for CVEs
To assess the Ubuntu Bionic Beaver image pulled earlier for CVEs, simply run:
grype ubuntu:18.04
Grype results — Image by author
Fortunately, there are no high or critical severity CVEs present today. Next, let’s analyze a random public image for comparison:
grype ocdr/pytorchserver:1.9
Grype results — Image by author
The ocdr/pytorchserver:1.9 image shows several critical CVEs due to dependencies like Pillow and log4j. Would you consider using this image now that you are aware of its vulnerabilities?
However, it's worth noting that many CVEs can be resolved easily. For instance, grype indicates that all critical CVEs associated with the Pillow library have been addressed in version 9.0.0. Thus, updating Pillow to version 9.0.0 and rebuilding the image will mitigate the risks.
Conclusion
A mere fraction of public images available on Docker Hub are verified and assessed for security. In this guide, we demonstrated how to pull an image, analyze its BOM, and check it for security weaknesses.
This approach is essential whether you plan to deploy in a production setting or run a single image locally. How can you ensure it won't compromise your system?
In the next article, we will delve into Docker and Kubernetes security, focusing on real-time system monitoring and security event scanning during runtime.
About the Author
My name is Dimitris Poulopoulos, and I’m a machine learning engineer at Arrikto. I have developed and implemented AI and software solutions for prominent clients, including the European Commission, Eurostat, IMF, European Central Bank, OECD, and IKEA.
If you wish to explore more content on Machine Learning, Deep Learning, Data Science, and DataOps, follow me on Medium, LinkedIn, or @james2pl on Twitter.
All opinions expressed are solely my own and do not reflect the views or opinions of my employer.
Chapter 2: Practical Video Resources
Building and Running a Docker Image
This video offers a step-by-step guide on how to build and run Docker images safely, emphasizing best practices and essential tools.
How to Run Docker Images
In this tutorial, learn the fundamental techniques for running Docker images effectively while ensuring their security.