dockersamples/scout-demo-service


Docker Scout demo service

A repository containing an application and Dockerfile to demonstrate the use of Docker Scout to analyze and remediate CVEs in a container image. The application consists of a basic ExpressJS server and uses intentionally old versions of both Express and the Alpine base image.

Getting Started

1. Inner-Loop (using Docker Desktop)

  • Install the latest version of the Scout CLI:

    curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
    sh install-scout.sh

If you're using Docker Desktop, you can enable background SBOM indexing as shown:


Clone the repo:

 git clone https://github.com/dockersamples/scout-demo-service
 cd scout-demo-service

Build the image, naming it to match the organization you will push it to, and tag it as “v1”:

docker build -t scout-demo:v1 .
docker run -p 3000:3000 scout-demo:v1

Access the app:

curl localhost:3000
Hello World!

If you're using Docker Desktop, you should be able to see vulnerabilities right now on your Docker dashboard.


There are 2 major vulnerabilities reported. The first one is related to the OpenSSL package and the other one is in Express 4.17.3. The advisory states: "Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs." That means we need to update our Express v4.17.3 to 4.19.2.

Updated - 10 Aug: The OpenSSL vulnerability has already been fixed. Only Express-specific vulnerabilities are medium severity.


Alternatively, you can see the list of vulnerabilities locally using your terminal.

  docker scout cves scout-demo:v1

Fix application vulnerabilities

The fix suggested by Docker Scout is to update the vulnerable Express dependency to version 4.17.3 or later.

Update the package.json file with the new package version.

…
"dependencies": {
     "express": "4.19.2"
     …
}

Then rebuild the image, tagging it as v2:

docker build -t scout-demo:v2 .

You will find that express vulnerabilities are now fixed.


You will see that the OpenSSL vulnerability is still there. To fix this, open up your Dockerfile and add openssl as shown below:

RUN apk add --no-cache \
  nodejs \
  openssl

Rebuild the Docker image, tagging it as v3 this time:

docker build -t scout-demo:v3 .

This time, you will find all the vulnerabilities are fixed.


2. Using Docker Hub

Push the Docker image to your Docker Hub repository:

 docker push <org-name>/scout-demo:v1

Alternatively, you can use the Docker Dashboard directly to push your Docker image to Docker Hub.


Enable Docker Scout

You can enable Docker image analysis directly on your Docker Hub repositories, either through the CLI or from the Docker Hub dashboard.


Docker Scout analyzes all local images by default. To analyze images in remote repositories, you need to enable it first. You can do this from Docker Hub, the Docker Scout Dashboard, and CLI. Find out how in the overview guide.

Use the docker scout repo enable CLI command to enable analysis on an existing repository:

 docker scout repo enable <org-name>/scout-demo

For example:

 docker scout repo enable <org-name>/scout-demo
    ✓ Enabled Docker Scout on <org-name>/lamp-for-collabnix
    ✓ Enabled Docker Scout on <org-name>/ol7-webdeliverer
    ✓ Enabled Docker Scout on <org-name>/puppet-for-docker
    ✓ Enabled Docker Scout on <org-name>/puppet4docker
    ✓ Enabled Docker Scout on <org-name>/scout-demo

Analyze image vulnerabilities

Click on the tag version to see the list of vulnerabilities:


You will see a result similar to the one shown locally in Docker Desktop.


After building, you can use Docker Desktop or the docker scout CLI command to see vulnerabilities detected by Docker Scout.

Using Docker Desktop, select the image name in the Images view to see the image layer view. In the image hierarchy section, you can see which layers introduce vulnerabilities and the details of those.

  docker scout cves <org-name>/scout-demo:v1

Now you can follow the instructions above to fix the vulnerabilities directly from Docker Desktop.

Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers. You can find more details in the Advisory Database sources document.

Integrating with GitHub Action

Clone this repo to your own account. Go to Settings > Secrets and variables > Actions and add DOCKER_PAT and DOCKER_USER.


Set the Docker Hub registry credentials by adding the following secrets in GitHub:

  • DOCKER_USER: The username for the Docker registry.
  • DOCKER_PAT: The personal access token (PAT) or password for the Docker registry.

Ensure that the login step in your workflow references those secrets:

          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

Run the GitHub Action job and you will see the following output once the job gets completed.
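The README does not show the workflow file itself, so here is a complete workflow, written as an added illustration rather than taken from this repository, that performs the same inner loop described above in CI: log in to Docker Hub with the DOCKER_USER and DOCKER_PAT secrets, build the image locally, and run Docker Scout's cves command against it, failing the job when fixable critical or high CVEs are found. The action names and versions (actions/checkout, docker/login-action, docker/build-push-action, docker/scout-action) and the scout-action inputs used here are assumed from Docker's published actions; the image name under the DOCKER_USER namespace is a placeholder.

```yaml
# Added example workflow (not the repository's own file).
# Assumes the DOCKER_USER and DOCKER_PAT secrets described above exist.
name: Docker Scout CVE check

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scout:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # least privilege: the job only needs to read the source

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # Build into the local daemon only; nothing is pushed until the scan passes.
      - name: Build image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: ${{ secrets.DOCKER_USER }}/scout-demo:${{ github.sha }}   # placeholder image name

      # Equivalent of `docker scout cves` from the inner loop, with the job
      # failing (exit-code: true) on fixable critical/high findings so that
      # the Express and OpenSSL issues shown above would block the merge.
      - name: Docker Scout CVE analysis
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ secrets.DOCKER_USER }}/scout-demo:${{ github.sha }}
          only-severities: critical,high
          only-fixed: true
          exit-code: true
          dockerhub-user: ${{ secrets.DOCKER_USER }}
          dockerhub-password: ${{ secrets.DOCKER_PAT }}
```

With this in place, pushing the v1 version of the repository (old Express, old Alpine) fails the job, and the v3 fixes described above let it pass; the `only-fixed` filter keeps the gate actionable by ignoring findings that have no available fix yet.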

