Welcome to the Docker security report “Shifting Docker security left”.
This report is split into several posts; this one covers known vulnerabilities in Docker images and their base images.
Known vulnerabilities in Docker images
Docker Hub is the main source of publicly available Docker images. Docker advises using official images or Docker-certified images as a security best practice, yet each of the ten most popular Docker images contains known vulnerabilities, and all ten are official images.
Accordingly, we scanned ten of the most popular images with Snyk's recently released container vulnerability management features.
In every Docker image we scanned, we found vulnerable versions of system libraries. As of the last scan on March 11, 2019, the official Node.js image ships with 567 known vulnerabilities in its system libraries. The remaining nine images each ship with at least 31 publicly known vulnerabilities.
Vulnerabilities in base images
Most of the vulnerabilities are found in the operating system (OS) layer. The images described in the previous section are all built on top of a base image, so choosing a good base image is crucial to reducing the number of vulnerabilities an image inherits.
The node image is built on top of one of the buildpack-deps images. The buildpack-deps images bundle the common build dependencies needed to compile and install various modules, and they are widely used as the base for building other images.
Currently, the default buildpack-deps tag is stretch, which refers to the Debian release (distro version) on which it is based. This stretch image contains 567 vulnerabilities, exactly the number found in the latest node image that uses it as a base, which indicates that the node-specific layers add no vulnerabilities of their own. It is striking that the three buildpack-deps variants based on Ubuntu images (xenial, bionic and cosmic) contain fewer vulnerabilities than the Debian-based ones, which suggests that, at the time of the scan, Ubuntu-based images are the better choice from a security standpoint.
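The attribution done by eye above (a node image whose vulnerability count matches its buildpack-deps base exactly) can be done mechanically by diffing the scan of an image against the scan of its base image, which also exposes the two cases a bare count hides: findings the image's own layers introduced, and base-image findings its layers fixed by upgrading a package. The following Python is an added example, not code from this report or from Snyk. The scan data, package versions and vulnerability IDs are constructed placeholders, and the `Vuln` record is a simplified stand-in for a real scanner's JSON output.

```python
"""Attribute a container image's vulnerabilities to its base image.

Added example, not code from the original report or from Snyk. The scan
results below are constructed for illustration; each finding is reduced
to (package, version, vulnerability id, severity), a simplified stand-in
for a real scanner's output format.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    package: str    # OS package name, e.g. a Debian/Ubuntu package
    version: str    # installed version the finding applies to
    vuln_id: str    # scanner's vulnerability identifier (placeholder here)
    severity: str   # "low", "medium", "high" or "critical"

    @property
    def key(self):
        # Same package, same version, same advisory => same finding.
        return (self.package, self.version, self.vuln_id)


# Constructed scan of a hypothetical Debian "stretch" build base
# (stand-in for a buildpack-deps:stretch scan). IDs are placeholders.
BASE_SCAN = [
    Vuln("libc6", "2.24-11+deb9u3", "VULN-0001", "high"),
    Vuln("libc6", "2.24-11+deb9u3", "VULN-0002", "medium"),
    Vuln("openssl", "1.1.0f-3", "VULN-0003", "high"),
    Vuln("curl", "7.52.1-5", "VULN-0004", "low"),
]

# Constructed scan of a hypothetical runtime image built FROM that base.
# Its own layers upgraded curl (clearing VULN-0004) and added yarn,
# which brings a finding of its own.
IMAGE_SCAN = [
    Vuln("libc6", "2.24-11+deb9u3", "VULN-0001", "high"),
    Vuln("libc6", "2.24-11+deb9u3", "VULN-0002", "medium"),
    Vuln("openssl", "1.1.0f-3", "VULN-0003", "high"),
    Vuln("yarn", "1.13.0", "VULN-0005", "medium"),
]


def attribute(image_scan, base_scan):
    """Split an image's findings into three buckets.

    inherited: findings present unchanged in the base image
    added:     findings introduced by layers built on top of the base
    fixed:     base-image findings no longer present in the image
               (package upgraded or removed by the image's own layers)
    """
    base_keys = {v.key for v in base_scan}
    image_keys = {v.key for v in image_scan}
    inherited = [v for v in image_scan if v.key in base_keys]
    added = [v for v in image_scan if v.key not in base_keys]
    fixed = [v for v in base_scan if v.key not in image_keys]
    return inherited, added, fixed


def severity_summary(vulns):
    """Count findings per severity, e.g. {"high": 2, "medium": 1}."""
    return dict(Counter(v.severity for v in vulns))


def inherited_share(image_scan, base_scan):
    """Fraction of the image's findings that come from its base image."""
    if not image_scan:
        return 0.0
    inherited, _, _ = attribute(image_scan, base_scan)
    return len(inherited) / len(image_scan)


def rank_bases(candidates):
    """Order candidate base images: fewest critical/high findings first,
    then fewest findings overall. `candidates` maps image tag -> scan."""
    def cost(item):
        tag, scan = item
        summary = severity_summary(scan)
        high = summary.get("critical", 0) + summary.get("high", 0)
        return (high, len(scan), tag)
    return [tag for tag, _ in sorted(candidates.items(), key=cost)]


if __name__ == "__main__":
    inherited, added, fixed = attribute(IMAGE_SCAN, BASE_SCAN)
    print(f"inherited from base: {len(inherited)} {severity_summary(inherited)}")
    print(f"introduced by image: {len(added)} {severity_summary(added)}")
    print(f"fixed above base:    {len(fixed)}")
    print(f"share from base:     {inherited_share(IMAGE_SCAN, BASE_SCAN):.0%}")
```

Matching on (package, version, id) rather than on id alone matters: if the image's layers upgrade a package to a version that is still affected by the same advisory, the finding is still reported, but it is now the image's to own rather than the base's, which is the distinction that decides whether a base-image swap or a Dockerfile change is the right fix.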