Vulnerability Assessment on Docker images (free!) using Snyk: a guide
Disclaimer: Note that there are other ways to perform a Docker image VA, including both paid and free methods.
1. Docker Hub
Firstly, download the Docker Desktop client via the following link:
Link: https://hub.docker.com/editions/community/docker-ce-desktop-windows
Next, create a Docker Hub account. Note your Docker ID, as we will be using it for the integration with Snyk later on.
After it is fully set up, run the following commands to verify that the installation completed, that the installed version is correct and, finally, that commands are working.
docker version
docker run hello-world
2. Snyk
Firstly, head to the following link to set up a free Snyk account.
Link: https://app.snyk.io/login?cta=sign-up&loc=nav&page=homepage
After everything is completed, log in to your account and execute the following steps:
- Choose another integration
- Docker Hub
- Set up accordingly
At this point, you should have Docker and Snyk connected. Therefore, you can now perform a vulnerability assessment on your images using the Snyk engine.
3. Fast Scan (Local)
To perform a scan, we first need to load the image that you want to scan into Docker.
docker load < *Path to image*
Next, we can check the image ID and tag of the image that we have loaded into Docker.
docker images
Sample output:
REPOSITORY                        TAG       IMAGE ID       CREATED
nexus3:5000/ecq/xxx-console-api   21.10.2   09da3fc5be9f   6 days
And lastly, we can scan the image (referenced as repository:tag) using the following command.
docker scan nexus3:5000/ecq/xxx-console-api:21.10.2 --dependency-tree --file "xxx-console-api_21.10.2.tgz-xxxx-12-6 14.31.1.tgz"
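The load, list and scan steps above can be chained into one script that also gates on the result, which is what you want when the scan runs in a pipeline rather than by hand. The script below is an added example, not code from this guide or from Snyk/Docker; it assumes that `docker load` prints "Loaded image: repo:tag" for a tagged archive and that `docker scan --json` emits a JSON document with a "severity" field per finding.

```shell
#!/usr/bin/env bash
# Added example: wraps load -> scan -> gate. Assumes `docker load` prints
# "Loaded image: repo:tag" and that `docker scan --json` reports one
# "severity" field per finding (low|medium|high|critical).
set -eu

# Read `docker load` output on stdin and print the repo:tag it reported, e.g.
#   Loaded image: nexus3:5000/ecq/xxx-console-api:21.10.2   (constructed sample)
# Fails (exit 1) if the archive only carried an untagged image ID.
image_ref_from_load_output() {
    sed -n 's/^Loaded image: //p' | head -n 1 | grep .
}

# Count findings of one severity in the JSON report read on stdin.
# A plain-text match is used so the script does not depend on jq.
count_severity() {
    grep -o "\"severity\": *\"$1\"" | wc -l | tr -d ' '
}

# Load an image archive, scan it and return 2 if any high/critical finding exists.
scan_image_archive() {
    archive="$1"
    report="${2:-scan.json}"
    ref="$(docker load < "$archive" | image_ref_from_load_output)"
    echo "Scanning $ref"
    # docker scan exits non-zero when it finds vulnerabilities; keep the report
    # and decide from the counts instead of aborting on that status.
    docker scan --json "$ref" > "$report" || true
    high="$(count_severity high < "$report")"
    critical="$(count_severity critical < "$report")"
    echo "high=$high critical=$critical (full report in $report)"
    if [ "$high" -gt 0 ] || [ "$critical" -gt 0 ]; then
        return 2
    fi
}

# Usage: ./scan-gate.sh <image archive> [report.json]
if [ -n "${1:-}" ]; then
    scan_image_archive "$1" "${2:-scan.json}"
fi
```

The gate exits 2 on any high or critical finding, so a CI job running it fails the build while the full JSON report is kept for triage.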