SlideShare a Scribd company logo

Docker Security Scanning (Docker Austin Meetup on 5/17)

Docker, Inc.
Docker, Inc.

from Ben Grissinger's talk on May 17 at Docker Austin meetup: http://www.meetup.com/Docker-Austin/events/231090935/

Technology
1 of 7
Download to read offline
Docker Security Scanning Project formerly known as Nautilus
Nautilus backstory courtesy of crate.io blogpost Docker named its security project originally after the Nautilus, an old marine mollusk that lives in a spiral shell. It has up to ninety tentacles probing its environment. The shell comprises of a sequence of confined chambers that relate to the layered components of a Docker image. Yes, we are that deep.
What Is Docker Security Scanning (formerly known as Project Nautilus)? ● Image scanning and vulnerability detection ○ Binary Vulnerability Scanner ■ Upload your image, we do binary scanning of all components ● A lot more than just a dpkg -l joined to a CVE database ● Finds all statically-linked libraries ■ Show all the vulnerabilities in each component ■ Handles backports - CVE 2016-abc-123 is backported to glibc 2.19-18+deb8u4 ■ Licensing information ■ Covers all major Linux distros, and Windows ● Continued Vulnerability Monitoring ○ Notifications of newly discovered vulnerabilities ○ Find all affected repo owners, send them email ○ Prevents people from canceling since new vulns are always coming ■ Last week was “patch Tuesday” every day, for example
How Security Scanning Works Scanner CVE Scanning validation service Docker Security Scanning Scan Trigger Plugin Framework CVE Databases NIST, MitreDatabaseBOM Notifications Push image Docker Cloud Private repos Signer Notary Notifications Processor Codenomicon Official Images
Remediation Strategies ● Move to a cleaner base ○ For example Alpine is a much smaller footprint and has a lot less vulnerabilities ○ Sometimes a similar base layer may be cleaner ■ For a while, debian:jessie was cleaner than ubuntu ● Upgrade your components if they have been patched ○ openssl, openssh, libgc, imagemagick, have all been fixed last week ● Use Official Images ○ Docker works with upstream publishers to resolve all known vulnerabilities
Future Features ● Integration with DTR (on prem repos) ● Build pipelines ○ Pass scans with some threshold of CVEs, then sign, then push somewhere else ○ Become part of bigger rule-based security pipeline ○ Add a test for license compliance - ie no GPL in proprietary code ● Suggest which updated component version to use ○ We may have scanned a different version that is cleaner ● Hooks to build/deploy images when some CVE is fixed ○ New CVE discovered ○ Upstream library is fixed ○ Scan passes, CVE is fixed ○ Build a new image and deploy
Basic Questions 1. Support for orgs? - Generally available with Docker Cloud supported orgs - Testing workarounds to support orgs in process 2. Public Repos? - Will have free scanning of public repos eventually, within a few months +/- 3. Which CVE databases do we work with? - All the major ones: NIST NVD, Mitre, others - Read from major distribution advisories for CVE backports 4. Does it support Windows? - Not as well as Linux, but yes it does 5. Can I have it on my repos? - Soon !

Recommended

OSCON: Advanced Docker developer workflows on Mac OS and Windows
OSCON: Advanced Docker developer workflows on Mac OS and WindowsOSCON: Advanced Docker developer workflows on Mac OS and Windows
OSCON: Advanced Docker developer workflows on Mac OS and WindowsDocker, Inc.
 
Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Phil Estes
 
Intro to Docker Swarm
Intro to Docker SwarmIntro to Docker Swarm
Intro to Docker SwarmEverett Toews
 
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...Docker, Inc.
 
OSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionOSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionDocker, Inc.
 
OSCON: System software goes weird
OSCON: System software goes weirdOSCON: System software goes weird
OSCON: System software goes weirdDocker, Inc.
 
OSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through ToolingOSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through ToolingDocker, Inc.
 
Docker Datacenter Launch - Meetup in Mountain View
Docker Datacenter Launch - Meetup in Mountain ViewDocker Datacenter Launch - Meetup in Mountain View
Docker Datacenter Launch - Meetup in Mountain ViewBanjot Chanana
 

Recommended

OSCON: Advanced Docker developer workflows on Mac OS and Windows
OSCON: Advanced Docker developer workflows on Mac OS and WindowsOSCON: Advanced Docker developer workflows on Mac OS and Windows
OSCON: Advanced Docker developer workflows on Mac OS and WindowsDocker, Inc.
 
Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Phil Estes
 
Intro to Docker Swarm
Intro to Docker SwarmIntro to Docker Swarm
Intro to Docker SwarmEverett Toews
 
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...Docker, Inc.
 
OSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionOSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionDocker, Inc.
 
OSCON: System software goes weird
OSCON: System software goes weirdOSCON: System software goes weird
OSCON: System software goes weirdDocker, Inc.
 
OSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through ToolingOSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through ToolingDocker, Inc.
 
Docker Datacenter Launch - Meetup in Mountain View
Docker Datacenter Launch - Meetup in Mountain ViewDocker Datacenter Launch - Meetup in Mountain View
Docker Datacenter Launch - Meetup in Mountain ViewBanjot Chanana
 
Docker
DockerDocker
DockerVitaly Tsaplin
 
Docker on Windows
Docker on WindowsDocker on Windows
Docker on WindowsStefan Scherer
 
Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesMike Splain
 
Docker All The Things - ASP.NET 4.x and Windows Server Containers
Docker All The Things - ASP.NET 4.x and Windows Server ContainersDocker All The Things - ASP.NET 4.x and Windows Server Containers
Docker All The Things - ASP.NET 4.x and Windows Server ContainersAnthony Chu
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetescraigbox
 
Dockercon Swarm Updated
Dockercon Swarm UpdatedDockercon Swarm Updated
Dockercon Swarm UpdatedDocker, Inc.
 
Docker Links
Docker LinksDocker Links
Docker LinksDocker, Inc.
 
Deploying Containers and Managing Them
Deploying Containers and Managing ThemDeploying Containers and Managing Them
Deploying Containers and Managing ThemDocker, Inc.
 
Docker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in ProductionDocker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in ProductionDocker, Inc.
 
Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Docker, Inc.
 
DockerCon SF 2015: Maintaining the Official Node.js Docker Image
DockerCon SF 2015: Maintaining the Official Node.js Docker ImageDockerCon SF 2015: Maintaining the Official Node.js Docker Image
DockerCon SF 2015: Maintaining the Official Node.js Docker ImageDocker, Inc.
 
Monitoring Containers at New Relic by Sean Kane
Monitoring Containers at New Relic by Sean Kane Monitoring Containers at New Relic by Sean Kane
Monitoring Containers at New Relic by Sean Kane Docker, Inc.
 
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...Docker, Inc.
 
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDocker, Inc.
 
OpenStack Boston
OpenStack BostonOpenStack Boston
OpenStack BostonDocker, Inc.
 
DockerCon EU 2015: What is it we want in containers anyway?
DockerCon EU 2015: What is it we want in containers anyway?DockerCon EU 2015: What is it we want in containers anyway?
DockerCon EU 2015: What is it we want in containers anyway?Docker, Inc.
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersDocker, Inc.
 
Open source is good for both business and humanity
Open source is good for both business and humanityOpen source is good for both business and humanity
Open source is good for both business and humanityDocker, Inc.
 
Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 

More Related Content

Viewers also liked

Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesMike Splain
 
Docker All The Things - ASP.NET 4.x and Windows Server Containers
Docker All The Things - ASP.NET 4.x and Windows Server ContainersDocker All The Things - ASP.NET 4.x and Windows Server Containers
Docker All The Things - ASP.NET 4.x and Windows Server ContainersAnthony Chu
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetescraigbox
 
Dockercon Swarm Updated
Dockercon Swarm UpdatedDockercon Swarm Updated
Dockercon Swarm UpdatedDocker, Inc.
 
Deploying Containers and Managing Them
Deploying Containers and Managing ThemDeploying Containers and Managing Them
Deploying Containers and Managing ThemDocker, Inc.
 
Docker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in ProductionDocker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in ProductionDocker, Inc.
 
Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Docker, Inc.
 
DockerCon SF 2015: Maintaining the Official Node.js Docker Image
DockerCon SF 2015: Maintaining the Official Node.js Docker ImageDockerCon SF 2015: Maintaining the Official Node.js Docker Image
DockerCon SF 2015: Maintaining the Official Node.js Docker ImageDocker, Inc.
 
Monitoring Containers at New Relic by Sean Kane
Monitoring Containers at New Relic by Sean Kane Monitoring Containers at New Relic by Sean Kane
Monitoring Containers at New Relic by Sean Kane Docker, Inc.
 
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...Docker, Inc.
 
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDocker, Inc.
 
DockerCon EU 2015: What is it we want in containers anyway?
DockerCon EU 2015: What is it we want in containers anyway?DockerCon EU 2015: What is it we want in containers anyway?
DockerCon EU 2015: What is it we want in containers anyway?Docker, Inc.
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersDocker, Inc.
 
Open source is good for both business and humanity
Open source is good for both business and humanityOpen source is good for both business and humanity
Open source is good for both business and humanityDocker, Inc.
 

Viewers also liked (19)

Docker
DockerDocker
Docker
 
Docker on Windows
Docker on WindowsDocker on Windows
Docker on Windows
 
Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of Kubernetes
 
Docker All The Things - ASP.NET 4.x and Windows Server Containers
Docker All The Things - ASP.NET 4.x and Windows Server ContainersDocker All The Things - ASP.NET 4.x and Windows Server Containers
Docker All The Things - ASP.NET 4.x and Windows Server Containers
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetes
 
Dockercon Swarm Updated
Dockercon Swarm UpdatedDockercon Swarm Updated
Dockercon Swarm Updated
 
Docker Links
Docker LinksDocker Links
Docker Links
 
Deploying Containers and Managing Them
Deploying Containers and Managing ThemDeploying Containers and Managing Them
Deploying Containers and Managing Them
 
Docker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in ProductionDocker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in Production
 
Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...
 
DockerCon SF 2015: Maintaining the Official Node.js Docker Image
DockerCon SF 2015: Maintaining the Official Node.js Docker ImageDockerCon SF 2015: Maintaining the Official Node.js Docker Image
DockerCon SF 2015: Maintaining the Official Node.js Docker Image
 
Monitoring Containers at New Relic by Sean Kane
Monitoring Containers at New Relic by Sean Kane Monitoring Containers at New Relic by Sean Kane
Monitoring Containers at New Relic by Sean Kane
 
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...
DockerCon EU 2015: Finding a Theory of the Universe with Docker and Volunteer...
 
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
 
OpenStack Boston
OpenStack BostonOpenStack Boston
OpenStack Boston
 
DockerCon EU 2015: What is it we want in containers anyway?
DockerCon EU 2015: What is it we want in containers anyway?DockerCon EU 2015: What is it we want in containers anyway?
DockerCon EU 2015: What is it we want in containers anyway?
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and Containers
 
Open source is good for both business and humanity
Open source is good for both business and humanityOpen source is good for both business and humanity
Open source is good for both business and humanity
 

More from Docker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices WorldDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with DockerDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog ScaleDocker, Inc.
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels Docker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDocker, Inc.
 

More from Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 

Recently uploaded

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Docker Security Scanning (Docker Austin Meetup on 5/17)

  • 1. Docker Security Scanning Project formerly known as Nautilus
  • 2. Nautilus backstory courtesy of crate.io blogpost Docker named its security project originally after the Nautilus, an old marine mollusk that lives in a spiral shell. It has up to ninety tentacles probing its environment. The shell comprises of a sequence of confined chambers that relate to the layered components of a Docker image. Yes, we are that deep.
  • 3. What Is Docker Security Scanning (formerly known as Project Nautilus)? ● Image scanning and vulnerability detection ○ Binary Vulnerability Scanner ■ Upload your image, we do binary scanning of all components ● A lot more than just a dpkg -l joined to a CVE database ● Finds all statically-linked libraries ■ Show all the vulnerabilities in each component ■ Handles backports - CVE 2016-abc-123 is backported to glibc 2.19-18+deb8u4 ■ Licensing information ■ Covers all major Linux distros, and Windows ● Continued Vulnerability Monitoring ○ Notifications of newly discovered vulnerabilities ○ Find all affected repo owners, send them email ○ Prevents people from canceling since new vulns are always coming ■ Last week was “patch Tuesday” every day, for example
  • 4. How Security Scanning Works Scanner CVE Scanning validation service Docker Security Scanning Scan Trigger Plugin Framework CVE Databases NIST, MitreDatabaseBOM Notifications Push image Docker Cloud Private repos Signer Notary Notifications Processor Codenomicon Official Images
  • 5. Remediation Strategies ● Move to a cleaner base ○ For example Alpine is a much smaller footprint and has a lot less vulnerabilities ○ Sometimes a similar base layer may be cleaner ■ For a while, debian:jessie was cleaner than ubuntu ● Upgrade your components if they have been patched ○ openssl, openssh, libgc, imagemagick, have all been fixed last week ● Use Official Images ○ Docker works with upstream publishers to resolve all known vulnerabilities
  • 6. Future Features ● Integration with DTR (on prem repos) ● Build pipelines ○ Pass scans with some threshold of CVEs, then sign, then push somewhere else ○ Become part of bigger rule-based security pipeline ○ Add a test for license compliance - ie no GPL in proprietary code ● Suggest which updated component version to use ○ We may have scanned a different version that is cleaner ● Hooks to build/deploy images when some CVE is fixed ○ New CVE discovered ○ Upstream library is fixed ○ Scan passes, CVE is fixed ○ Build a new image and deploy
  • 7. Basic Questions 1. Support for orgs? - Generally available with Docker Cloud supported orgs - Testing workarounds to support orgs in process 2. Public Repos? - Will have free scanning of public repos eventually, within a few months +/- 3. Which CVE databases do we work with? - All the major ones: NIST NVD, Mitre, others - Read from major distribution advisories for CVE backports 4. Does it support Windows? - Not as well as Linux, but yes it does 5. Can I have it on my repos? - Soon !