How to scan a docker image?

There are couple of ways to scan a docker image using cve-bin-tool.

  1. You can scan a docker image by installing and running cve-bin-tool inside a docker container.

  2. You can export the directory on host and scan it on host.

We are going to scan /usr/bin directory of ubuntu:latest docker image for demonstration purpose but you can use same recipe to scan directory of your interest.

Install and run CVE Binary Tool inside container

Let’s first create a docker instance of the image we want to scan using following command:

docker run -it -d --name cve_scan ubuntu  --entrypoint bash 

This will create new instance of ubuntu image and run it in the background. You can check if your container is running or not using docker ps.

Note: you may need to use sudo if current user isn’t in the docker group.

Now let’s go inside the container using the docker exec command and install python in it.

docker exec -it cve_scan bash

In this example we have defined container name as cve_scan. You will get a random name if you have not defined while running the container initially.

Update the container and install python3 on it.

apt-get update
apt-get install python3
apt-get install python3-pip

Note: this step is distro specific if your container is based on different distro (Ex: centos) checkout official documentation of that specific distro for installing python3 in it.

Now let’s install cve-bin-tool in our container.

pip3 install cve-bin-tool

This will install latest version of cve-bin-tool from PyPI.

You can also install latest development version from our github repository using following command

pip3 install git+https://github.com/intel/cve-bin-tool

After all the things done check the version of cve-bin-tool using the command.

cve-bin-tool -V

If there is output then You have installed cve-bin-tool successfully in the docker container.

Now let’s scan /usr/bin directory and export report to the host using following command.

cve-bin-tool /usr/bin -f csv -o usr_bin_cve.csv

This will take sometime and after generation of the report, you have to export it to the host. You first need to exit current docker session by typing exit in the container terminal. Now let’s copy report from container to the host.

docker cp cve_scan:~/usr_bin_cve.csv ~/Documents/usr_bin_cve.csv

This will save CVE report of scanned docker directory in the ~/Documents/usr_bin_cve.csv.

Export directory from container and scan

Assuming, you already have created docker instance named cve_scan as mentioned above. You can export directory you want to scan to the host and scan there.

docker cp cve_scan:/usr/bin/ ~/scan

This will copy all files and directories from /usr/bin to /scan and now you can scan scan directory with cve-bin-tool normally.

Note: You may want to use docker cp -a if you want to copy all uid/gid info.

cve-bin-tool scan [OPTIONS]

Note: This method assumes you already have installed cve-bin-tool on host. If you haven’t install it with pip3 install cve-bin-tool.

Both of the above mentioned methods will help you scan a docker image and you can choose one over another. Second method is comparatively easier than first but has overhead of copying all data from container to host while first method requires you to install cve-bin-tool in docker container which can take around 10 minutes. You can automate both processes with simple bash script.