Docker Security Scanning Released
May 10, 2016

Docker announced the general availability of Docker Security Scanning, an opt-in service for Docker Cloud private repo plans that provides a security assessment of the software included in container images.

Docker Security Scanning provides detailed image security profiles, continuous vulnerability monitoring and notifications, giving integrated content security across the software supply chain. It performs binary-level scanning and generates a security profile for each Docker image, with the details IT operations needs to assess whether the software meets its security compliance standards. The service fits into existing dev and IT workflows and scans every time a change is shipped, adding a checkpoint before deployment.

Docker Security Scanning works across any application and all major Linux distributions, which allows it to be integrated into a Containers as a Service (CaaS) workflow that improves an organization’s security posture through centrally managed, IT-approved content. Also released as part of this security enhancement is an update to Docker Bench, which automates validating a host’s configuration against the CIS Benchmark recommendations. With this update, Docker users can apply the recommendations of the latest CIS Docker Benchmark to ensure that their platform is configured in line with the best practices outlined for Docker Engine 1.11.

“We’ve made it our goal to secure the global software supply chain from development, test to production,” said Nathan McCauley, Director of Security at Docker. “As with all of Docker’s tooling, Docker Security Scanning works as an integrated component without any disruption to developer productivity. In fact, Docker Security Scanning enables developers to accelerate their workflows while providing greater visibility into the Docker images they choose to run in their environment. In turn, with usable security capabilities and granular control, IT operations is able to flexibly configure the security policies needed to safeguard their infrastructure.”

Docker image scanning and vulnerability detection provide a container-optimized capability for granular auditing of images. The results are presented as a Bill of Materials (BOM) listing the image layers and their components, along with the security profile of each component. This allows ISVs (Independent Software Vendors) and app teams to make informed decisions about that content based on their respective security policies. With this information, ISVs can actively fix vulnerabilities to maintain a high-quality security profile for their content, which they can then expose transparently to their end users. Meanwhile, app teams can decide whether to use an ISV image based on the displayed profile, and can also run Security Scanning on any code they add before deciding to deploy.

In addition to improving the integrity of container content, Security Scanning streamlines ongoing operations by automating the cumbersome aspects of maintaining software compliance. Previously, IT operations had to rely on the information each ISV published about the state of its content, and had to manually monitor the CVE (Common Vulnerabilities and Exposures) databases for any issues affecting it. Docker Security Scanning automates this process and notifies the organization when a CVE is reported for any component within its images, enabling IT to address the issue quickly. With Docker, ISVs will have an opportunity to market their up-to-date secure content, with thorough details on what’s inside the container image, to a user community that is pulling 4,000 containers a minute.

Docker Security Scanning is available today to Docker Cloud users with a private repo plan, expanding to include all Docker Cloud repo users by the end of Q3.

Docker Security Scanning will also be available as an integrated feature in Docker Datacenter during the second half of 2016.
