Don't make the mistake of downloading (pulling) a Docker container without first doing this very important security check! So many Docker containers contain software that has CVEs (Common Vulnerabilities and Exposures). And don't create a Docker container without first making sure that the dependencies you use don't have CVEs. Make the world a more secure place by using Docker Scout. Big thanks to Docker for sponsoring this video!

// Learn more here //
Docker Scout: dockr.ly/4engpsI
Docker: www.docker.com/

// PDF //
Docker Scout PDF: davidbombal.wiki/dockerscoutpdf

// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
X: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
RU-vid: www.youtube.com/@davidbombal

// MY STUFF //
www.amazon.com/shop/davidbombal

// MENU //
00:00 - Introduction
00:35 - Docker Scout Demo
04:58 - Key Takeaways
05:52 - Install Docker Desktop
06:16 - Download GIT
08:19 - Launch GIT BASH
09:00 - Open PowerShell
09:26 - Pull and Analyze the Container
10:15 - Advantages of Docker Scout
11:25 - Demo: Finding and Fixing Vulnerabilities
12:42 - Login to Docker Scout
13:44 - Enable Docker Scout
14:18 - Overview
16:15 - Docker Desktop
17:36 - Update Dockerfile
18:10 - Build and Push Updated Docker Container
18:51 - Fixing Vulnerabilities
20:14 - No Recommended Fixes
21:25 - Options for Discovering Vulnerabilities
22:26 - Fixed Vulnerabilities
23:39 - Further Fixes
25:42 - Achieving 100% Compliance
25:59 - The Power of Docker Scout
26:18 - Outro

cve docker docker scout scout docker hub docker cve rust java jscript xss c python #docker #hack #docker
I've often said, just because it runs in a VM doesn't make it safe. When you download a container you are basically bringing a foreign system onto your network.
If Docker makes Docker Scout and then hosts Docker images and knows how to fix them, and they will work with the fixes and they don't just fix them.... Isn't this kind of like a profit model where they take a moral obligation and sell you the ability to do their job for them?
@ckckck12 They're selling the scan, not the fix. There are plenty of container scanning tools. Hell, you don't even need Docker for your containers. It's easy to update the packages containing the CVEs.
The fundamental problem today is that container images have unnecessary binaries and libraries in the container. I deal with this every single day, and then to make matters worse the licensing of those packages isn't being complied with (GPL). Trivy is better, and then use Dive to actually analyze the layers if the image hasn't been squashed. The concept of least privilege needs to be applied: the most minimalist set of packages in a base container OS.
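To illustrate the point about unnecessary binaries and least privilege, here is an added example (not code from the video or from the commenter): a Dockerfile in the common pattern that drags extra packages and a root user into the runtime image, beside a multi-stage form that ships only what the application needs. The application name, file names and the digest placeholder are assumptions.

```dockerfile
# --- BEFORE (assumed typical pattern) -----------------------------------
# Full distro base: hundreds of packages the app never calls, every one of
# them a potential CVE finding. Build tools stay in the final image, the
# process runs as root, and the tag is mutable so rebuilds drift silently.
FROM python:3.12
WORKDIR /app
COPY . .
RUN apt-get update && apt-get install -y build-essential \
    && pip install -r requirements.txt
CMD ["python", "app.py"]

# --- AFTER: slim runtime, build tools discarded, non-root ---------------
# Stage 1: compile/install dependencies where build tooling is allowed.
# The image is pinned to a digest so a scan result maps to one exact input.
# <sha256-digest-placeholder> must be replaced with the real digest you pulled.
FROM python:3.12-slim@sha256:<sha256-digest-placeholder> AS build
WORKDIR /app
COPY requirements.txt .
# Install into an isolated prefix so only the resolved packages are copied on.
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# Stage 2: runtime image. No compiler, no apt cache, no pip, no shell tools
# beyond what the slim base carries, and a dedicated unprivileged user.
FROM python:3.12-slim@sha256:<sha256-digest-placeholder>
WORKDIR /app
COPY --from=build /install /usr/local
COPY app.py .
# Create a system user with no home directory and no login shell.
RUN useradd --system --no-create-home --shell /usr/sbin/nologin appuser
USER appuser
# Scanners (Docker Scout, Trivy, Grype) now have far fewer packages to flag,
# and Dive will show a small number of layers with nothing left to strip.
CMD ["python", "app.py"]
```

Squash or keep the stages separate as your registry policy requires; the point is that the scanner only ever sees the second stage.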
You might want to disable ClearType when zooming in to UI elements containing text, I really hate the colour fringe that appears when the text does not align with my subpixels.
Great video. Docker and Docker Scout are great development tools; but nobody has created Zero Trust containers, yet. (Armored Gate is working on that.)
I really like this video as it shows how patient you need to be to understand and then to implement safeguards against CVEs. Linking this to an earlier video where @davidbombal interviewed someone from Cisco; recall eBPF. AppArmor and SELinux could also be leveraged in cases where the operator does not have the privileges to modify the software. My suggestion is more towards safeguarding or CUA until the official patch from vendors arrives. Please let me know if there is any other way to proceed.
There are a few: Clair, Trivy, Anchore, Dagda, and Grype. I think Harbor also has some kind of built-in CVE checking, but it's been ages since I last used it.
I'm not sure it's useful: the point of using the original vendor image is to get something stable that has been tested by the vendor. If you're running a custom version, why would you upgrade their image instead of building a new one from scratch?
The vendors don't always follow best practices, and they can't release new images every day. Using an SBOM to pick up vulnerabilities live without scanning the image regularly makes so much sense.
If Docker owns Docker Scout, then they know which images are vulnerable. They have a moral obligation to deploy fixes and flaw prevention at their level.
Scout is a paid, closed-source product by Docker, IIRC. What about talking about open source alternatives like Clair, Trivy, Anchore, Dagda or Grype, to name a few?
What to do when absolutely all containers have CVEs? It's not possible to have clean containers when all the dependencies are vulnerable, and if you try to fix it, you're going to suffer a lot, just because people are crafting crappy containers and expect you to do their work.