docker security scanning (docker austin meetup on 5/17)

Docker Security Scanning Project formerly known as Nautilus

Upload: docker-inc

Post on 13-Jan-2017

TRANSCRIPT

Page 1: Docker Security Scanning (Docker Austin Meetup on 5/17)

Docker Security Scanning: Project formerly known as Nautilus

Page 2

Nautilus backstory, courtesy of a crate.io blog post:

Docker originally named its security project after the Nautilus, an old marine mollusk that lives in a spiral shell. It has up to ninety tentacles probing its environment. The shell consists of a sequence of confined chambers, which correspond to the layered components of a Docker image.

Yes, we are that deep.

Page 3

What Is Docker Security Scanning (formerly known as Project Nautilus)?

● Image scanning and vulnerability detection
  ○ Binary Vulnerability Scanner
    ■ Upload your image, we do binary scanning of all components
    ■ A lot more than just a dpkg -l joined to a CVE database
    ■ Finds all statically-linked libraries
    ■ Shows all the vulnerabilities in each component
    ■ Handles backports - CVE 2016-abc-123 is backported to glibc 2.19-18+deb8u4
    ■ Licensing information
    ■ Covers all major Linux distros, and Windows
● Continued Vulnerability Monitoring
  ○ Notifications of newly discovered vulnerabilities
  ○ Find all affected repo owners, send them email
  ○ Prevents people from canceling, since new vulns are always coming
    ■ Last week was "patch Tuesday" every day, for example
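The two bullets above (backport handling and re-notifying repo owners when a new CVE lands) both come down to the same check: compare the component version recorded in an image's bill of materials against the version a distribution advisory says is fixed, rather than against the upstream fix version. The example below is added here and is not Docker's code; it implements dpkg-style version comparison and runs a backport-aware and a naive match over a constructed BOM. The advisory, the image names, the owner addresses and the Debian 9 glibc version are constructed assumptions, and the CVE identifier is the placeholder from the slide.

```python
# Added example (not Docker's code): backport-aware CVE matching over a stored
# bill of materials (BOM). Advisory data, BOM contents and owners are constructed.
from dataclasses import dataclass, field


def _order(c: str) -> int:
    """Character weight used by dpkg's version comparison."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before everything, even the end of the string
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            if i < len(a):
                i += 1
            if j < len(b):
                j += 1
        # Digit run: drop leading zeros, then the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-")
    if not upstream:  # no '-' present: the whole thing is the upstream version
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_cmp(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg semantics)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


@dataclass
class Advisory:
    cve: str
    package: str
    fixed_upstream: str                              # fix version from the upstream/NVD record
    distro_fixed: dict = field(default_factory=dict)  # distro -> version carrying the backport


@dataclass
class Component:
    package: str
    version: str
    distro: str


def is_vulnerable(comp: Component, adv: Advisory) -> bool:
    """Backport-aware: prefer the distribution advisory's fixed version when one exists."""
    if comp.package != adv.package:
        return False
    fixed = adv.distro_fixed.get(comp.distro, adv.fixed_upstream)
    return deb_version_cmp(comp.version, fixed) < 0


def naive_vulnerable(comp: Component, adv: Advisory) -> bool:
    """The 'dpkg -l joined to a CVE database' approach: upstream version only."""
    return comp.package == adv.package and deb_version_cmp(comp.version, adv.fixed_upstream) < 0


# Constructed BOM index: image -> (repo owner to notify, components found by the scan).
BOM = {
    "acme/web:1.4": ("alice@example.test", [Component("glibc", "2.19-18+deb8u4", "debian8")]),
    "acme/api:0.9": ("bob@example.test", [Component("glibc", "2.19-18+deb8u3", "debian8")]),
    "acme/tool:2.0": ("carol@example.test", [Component("glibc", "2.23-1", "debian9")]),
}

# Constructed advisory; the CVE id is the placeholder used on the slide.
ADVISORY = Advisory(
    cve="CVE-2016-abc-123",
    package="glibc",
    fixed_upstream="2.20",                           # constructed upstream fix version
    distro_fixed={"debian8": "2.19-18+deb8u4"},      # constructed backport, per the slide
)


def affected_owners(adv: Advisory, bom: dict, check=is_vulnerable) -> dict:
    """Map each affected image to the owner who should receive the notification email."""
    return {image: owner for image, (owner, comps) in bom.items() if any(check(c, adv) for c in comps)}


if __name__ == "__main__":
    print("backport-aware:", affected_owners(ADVISORY, BOM))
    print("naive:", affected_owners(ADVISORY, BOM, naive_vulnerable))
```

With the constructed data, the naive check flags both Debian 8 images because 2.19 is older than 2.20, while the backport-aware check only notifies the owner of acme/api, whose glibc is one Debian revision short of the backport.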

Page 4

How Security Scanning Works

[Architecture diagram; only the box labels survive extraction: Push image; Docker Cloud Private repos; Scan Trigger; Docker Security Scanning (API, Scanner, Plugin Framework, CVE Scanning validation service); CVE Databases (NIST, Mitre); BOM Database; Notifications Processor; Notifications; Signer; Notary; Codenomicon; Official Images]

Page 5

Remediation Strategies

● Move to a cleaner base
  ○ For example, Alpine has a much smaller footprint and far fewer vulnerabilities
  ○ Sometimes a similar base layer may be cleaner
    ■ For a while, debian:jessie was cleaner than ubuntu
● Upgrade your components if they have been patched
  ○ openssl, openssh, libgc, imagemagick were all fixed last week
● Use Official Images
  ○ Docker works with upstream publishers to resolve all known vulnerabilities

Page 6

Future Features

● Integration with DTR (on-prem repos)
● Build pipelines
  ○ Pass scans with some threshold of CVEs, then sign, then push somewhere else
  ○ Become part of a bigger rule-based security pipeline
  ○ Add a test for license compliance - i.e. no GPL in proprietary code
● Suggest which updated component version to use
  ○ We may have scanned a different version that is cleaner
● Hooks to build/deploy images when some CVE is fixed
  ○ New CVE discovered
  ○ Upstream library is fixed
  ○ Scan passes, CVE is fixed
  ○ Build a new image and deploy
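The build-pipeline bullets describe a gate: a scan result passes if vulnerability counts stay under a threshold and no forbidden license appears, and only then is the image signed and pushed. The example below is added here and is not Docker's code; it evaluates such a gate over a constructed scan report. The report layout, the severity names, the license strings and the thresholds are all assumptions; a real pipeline would read the scanner's own output format.

```python
# Added example (not Docker's code): a rule-based gate run on a scan report
# before the sign-and-push step. Report shape and policy values are constructed.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Policy:
    max_by_severity: dict = field(default_factory=dict)   # severity -> allowed count
    forbidden_licenses: frozenset = frozenset()           # licenses that block the image


@dataclass
class GateResult:
    image: str
    passed: bool
    reasons: list


def evaluate_gate(report: dict, policy: Policy) -> GateResult:
    """Apply CVE thresholds and the license rule; any reason recorded fails the gate."""
    reasons = []
    counts = Counter(v["severity"] for v in report["vulnerabilities"])
    for severity, limit in policy.max_by_severity.items():
        if counts[severity] > limit:
            reasons.append(f"{counts[severity]} {severity} vulnerabilities exceed limit {limit}")
    for comp in report["components"]:
        if comp.get("license") in policy.forbidden_licenses:
            reasons.append(f"component {comp['name']} carries forbidden license {comp['license']}")
    return GateResult(image=report["image"], passed=not reasons, reasons=reasons)


# Constructed scan report; CVE ids are placeholders, not real identifiers.
REPORT = {
    "image": "acme/web:1.4",
    "components": [
        {"name": "openssl", "version": "1.0.1t-1+deb8u2", "license": "OpenSSL"},
        {"name": "readline", "version": "6.3-8", "license": "GPL-3.0"},
    ],
    "vulnerabilities": [
        {"cve": "CVE-EXAMPLE-0001", "component": "openssl", "severity": "critical"},
        {"cve": "CVE-EXAMPLE-0002", "component": "openssl", "severity": "high"},
        {"cve": "CVE-EXAMPLE-0003", "component": "openssl", "severity": "high"},
        {"cve": "CVE-EXAMPLE-0004", "component": "readline", "severity": "high"},
        {"cve": "CVE-EXAMPLE-0005", "component": "readline", "severity": "medium"},
    ],
}

# Two constructed policies: a strict one for proprietary production images and a
# looser one for an internal staging registry.
STRICT = Policy(max_by_severity={"critical": 0, "high": 2}, forbidden_licenses=frozenset({"GPL-3.0"}))
STAGING = Policy(max_by_severity={"critical": 1, "high": 3})


def next_step(result: GateResult) -> str:
    """The pipeline action implied by the gate: sign and push, or stop and report."""
    return "sign-and-push" if result.passed else "block-and-notify"


if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("staging", STAGING)):
        result = evaluate_gate(REPORT, policy)
        print(name, next_step(result), result.reasons)
```

The reasons list is what a notification to the repo owner would carry; the signing step itself (Notary on the architecture slide) is deliberately outside this gate, since it should only ever run on a passed result.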

Page 7

Basic Questions

1. Support for orgs?
   - Generally available with Docker Cloud supported orgs
   - Testing workarounds to support orgs in process
2. Public repos?
   - Will have free scanning of public repos eventually, within a few months +/-
3. Which CVE databases do we work with?
   - All the major ones: NIST NVD, Mitre, others
   - Read from major distribution advisories for CVE backports
4. Does it support Windows?
   - Not as well as Linux, but yes it does
5. Can I have it on my repos?
   - Soon!