How to scan a docker image?¶
There are couple of ways to scan a docker image using cve-bin-tool
.
You can scan a docker image by installing and running
cve-bin-tool
inside a docker container.You can export the directory on host and scan it on host.
We are going to scan /usr/bin
directory of ubuntu:latest docker image for
demonstration purpose but you can use same recipe to scan directory of your
interest.
Install and run CVE Binary Tool inside container¶
Let’s first create a docker instance of the image we want to scan using following command:
docker run -it -d --name cve_scan ubuntu --entrypoint bash
This will create new instance of ubuntu image and run it in the background. You
can check if your container is running or not using docker ps
.
Note: you may need to use sudo if current user isn’t in the docker group.
Now let’s go inside the container using the docker exec command and install python in it.
docker exec -it cve_scan bash
In this example we have defined container name as cve_scan
. You will get a random
name if you have not defined while running the container initially.
Update the container and install python3
on it.
apt-get update
apt-get install python3
apt-get install python3-pip
Note: this step is distro specific if your container is based on different distro (Ex: centos) checkout official documentation of that specific distro for installing
python3
in it.
Now let’s install cve-bin-tool
in our container.
pip3 install cve-bin-tool
This will install latest version of cve-bin-tool
from PyPI.
You can also install latest development version from our github repository using following command
pip3 install git+https://github.com/intel/cve-bin-tool
After all the things done check the version of cve-bin-tool
using the command.
cve-bin-tool -V
If there is output then You have installed cve-bin-tool
successfully in the
docker container.
Now let’s scan /usr/bin
directory and export report to the host using following
command.
cve-bin-tool /usr/bin -f csv -o usr_bin_cve.csv
This will take sometime and after generation of the report, you have to export it
to the host. You first need to exit current docker session by typing exit
in
the container terminal. Now let’s copy report from container to the host.
docker cp cve_scan:~/usr_bin_cve.csv ~/Documents/usr_bin_cve.csv
This will save CVE report of scanned docker directory in the
~/Documents/usr_bin_cve.csv
.
Export directory from container and scan¶
Assuming, you already have created docker instance named cve_scan
as mentioned
above. You can export directory you want to scan to the host and scan there.
docker cp cve_scan:/usr/bin/ ~/scan
This will copy all files and directories from /usr/bin
to /scan
and now you
can scan scan
directory with cve-bin-tool
normally.
Note: You may want to use
docker cp -a
if you want to copy all uid/gid info.
cve-bin-tool scan [OPTIONS]
Note: This method assumes you already have installed cve-bin-tool on host. If you haven’t install it with
pip3 install cve-bin-tool
.
Both of the above mentioned methods will help you scan a docker image and you can
choose one over another. Second method is comparatively easier than first but has
overhead of copying all data from container to host while first method requires
you to install cve-bin-tool
in docker container which can take around 10 minutes.
You can automate both processes with simple bash
script.