Scans Docker images for security vulnerabilities, outdated packages, and misconfigurations. Use when checking image security, finding vulnerabilities, or hardening containers.
Install
npx skillscat add armanzeroeight/fastagent-plugins/image-security-scanner
Install via the SkillsCat registry.
Image Security Scanner
Scan and secure Docker images for production deployment.
Quick Start
Scan an image:
docker scan myapp:latest
# or
trivy image myapp:latest
Instructions
Step 1: Choose Scanning Tool
Docker Scan (built-in):
docker scan myapp:latest
Trivy (comprehensive):
trivy image myapp:latest
Grype (fast):
grype myapp:latest
Snyk (detailed):
snyk container test myapp:latest
Step 2: Run Security Scan
Basic scan:
docker scan myapp:latest
Detailed scan with Trivy:
trivy image --severity HIGH,CRITICAL myapp:latest
Scan with JSON output:
trivy image -f json -o results.json myapp:latest
Step 3: Analyze Results
Review findings by severity:
- CRITICAL: Immediate action required
- HIGH: Fix soon
- MEDIUM: Plan to fix
- LOW: Monitor
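As an added example (not part of this skill's own files), a Python triage script for the report written by `trivy image -f json -o results.json` in Step 2: it counts findings by severity, lists the HIGH/CRITICAL ids that have a fixed version, applies a deployment gate, and diffs two reports for the before/after comparison in Step 6. The report layout and field names are an assumption about the Trivy JSON format, and the embedded sample with its CVE ids is constructed.

```python
import json
import sys

# Constructed sample in the layout of a `trivy image -f json` report (field names are an
# assumption about that format; the CVE ids are placeholders, not real findings).
SAMPLE_REPORT = {
    "ArtifactName": "myapp:latest",
    "Results": [{"Target": "myapp:latest (alpine 3.17.0)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "Severity": "CRITICAL",
         "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "Severity": "HIGH",
         "InstalledVersion": "1.2.12-r3", "FixedVersion": "1.2.13-r0"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "Severity": "HIGH",
         "InstalledVersion": "1.35.0-r29", "FixedVersion": ""},
    ]}],
}

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def findings(report):
    """Flatten Results[].Vulnerabilities[] (null for clean targets) into one list."""
    return [v for r in report.get("Results", []) for v in (r.get("Vulnerabilities") or [])]

def count_by_severity(report):
    """Counts per severity, in the order of the Step 3 triage list."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for v in findings(report):
        sev = v.get("Severity") if v.get("Severity") in counts else "UNKNOWN"
        counts[sev] += 1
    return counts

def fixable(report, severities=("CRITICAL", "HIGH")):
    """IDs that carry a FixedVersion: a base-image or package upgrade (Step 4) clears these."""
    return sorted(v["VulnerabilityID"] for v in findings(report)
                  if v.get("Severity") in severities and v.get("FixedVersion"))

def gate(report, max_critical=0, max_high=0):
    """Deployment policy: True only when CRITICAL and HIGH counts are within the limits."""
    c = count_by_severity(report)
    return c["CRITICAL"] <= max_critical and c["HIGH"] <= max_high

def compare(before, after):
    """Per-severity delta between two reports, for the Step 6 re-scan after fixes."""
    b, a = count_by_severity(before), count_by_severity(after)
    return {s: a[s] - b[s] for s in SEVERITIES}

if __name__ == "__main__":  # usage: python triage.py results.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(count_by_severity(report), "fixable:", fixable(report))
    sys.exit(0 if gate(report) else 1)
```

Run it with the results.json from Step 2 as the argument; the exit status makes it usable as the gate in a pre-deployment script.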
Common vulnerabilities:
- Outdated base image
- Vulnerable packages
- Known CVEs
- Misconfigurations
Step 4: Fix Vulnerabilities
Update base image:
# Before
FROM node:18-alpine3.17
# After
FROM node:18-alpine3.18
Update packages:
RUN apk upgrade --no-cache
# or
RUN apt-get update && apt-get upgrade -y
Remove vulnerable packages:
RUN apk del vulnerable-package
Use distroless for minimal attack surface:
FROM gcr.io/distroless/nodejs18-debian11
Step 5: Implement Security Best Practices
Run as non-root:
USER nobody
# or
RUN adduser -D appuser
USER appuser
Remove unnecessary tools:
RUN apk del apk-tools
Use read-only filesystem:
# docker-compose service option (the Kubernetes equivalent is securityContext.readOnlyRootFilesystem: true)
read_only: true
Add security labels:
LABEL security.scan-date="2024-01-15"
LABEL security.scanner="trivy"
Step 6: Verify Fixes
Re-scan after fixes:
docker build -t myapp:latest .
trivy image myapp:latest
Compare before/after:
# Before: 15 HIGH, 5 CRITICAL
# After: 2 HIGH, 0 CRITICAL
Scanning Patterns
CI/CD Integration:
# GitHub Actions
- name: Scan image
  run: |
    docker build -t myapp:${{ github.sha }} .
    trivy image --exit-code 1 --severity CRITICAL myapp:${{ github.sha }}
Pre-deployment scan:
#!/bin/bash
IMAGE="$1"
# --exit-code 1 makes trivy return non-zero when findings match the severity filter;
# without it the status is 0 even when vulnerabilities are found and the check below never fires
trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE"
if [ $? -ne 0 ]; then
echo "Security vulnerabilities found!"
exit 1
fi
Scheduled scans:
# Cron job to scan every local image nightly (docker images -q lists image IDs;
# trivy image takes one image per invocation, hence the loop)
0 2 * * * for img in $(docker images -q); do trivy image --severity HIGH,CRITICAL "$img"; done
Security Hardening
Minimal base image:
FROM alpine:3.18
# or
FROM gcr.io/distroless/static-debian11
No secrets in image:
# Bad
ENV API_KEY=secret123
# Good
# Pass at runtime
docker run -e API_KEY=$API_KEY myapp
Health checks:
# Requires curl inside the image; distroless images ship no shell or curl, so use an in-app check there
HEALTHCHECK --interval=30s --timeout=3s \
CMD curl -f http://localhost:8080/health || exit 1
Limit capabilities:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp
Common Vulnerabilities
Outdated base image:
# Vulnerable
FROM node:16-alpine
# Fixed
FROM node:18-alpine3.18
Exposed secrets:
# Vulnerable
COPY .env .
# Fixed
# Use runtime secrets
Running as root:
# Vulnerable
CMD ["node", "server.js"]
# Fixed
USER node
CMD ["node", "server.js"]
Unnecessary packages:
# Vulnerable
RUN apk add curl wget git vim
# Fixed
RUN apk add --no-cache curl
Scanning Tools Comparison
Docker Scan:
- Built into Docker
- Uses Snyk backend
- Easy to use
- Limited free scans
Trivy:
- Open source
- Fast and accurate
- Multiple output formats
- CI/CD friendly
Grype:
- Open source
- Very fast
- Good accuracy
- Simple CLI
Snyk:
- Commercial (free tier)
- Detailed reports
- Fix recommendations
- IDE integration
Advanced
For production deployments:
- Implement image signing
- Use admission controllers
- Set up continuous scanning
- Monitor runtime security
- Implement security policies