DEV Community

Ajeet Singh Raina

Posted on DEV Community • Originally published at collabnix.com

Docker Scout for Your Kubernetes Cluster

Docker Scout is a set of software supply chain capabilities that give insight into the composition and security of container images. It analyzes an image's contents, produces a report of the packages and vulnerabilities it finds, and suggests remediations.

Docker Scout is available through several interfaces: Docker Desktop, the Docker Hub user interface, the web UI at scout.docker.com, and the docker scout command-line (CLI) plugin. Whichever interface you use, the underlying analysis of the image is the same.


How does Docker Scout work?

Docker Scout cross-references an image's SBOM with streaming CVE data to surface vulnerabilities (and remediation recommendations) as soon as they are published. An SBOM, or software bill of materials, is a nested inventory: the list of ingredients (packages and their versions) that make up a piece of software.

How is Docker Scout different from other security tools?

Scout replaces scheduled scans with an event-driven model. It keeps the SBOM it extracted from each image and re-matches it against vulnerability data that is updated in real time from 17+ sources, so when a new vulnerability affecting one of your images is announced, your updated risk shows up within seconds rather than at the next scheduled scan.

You can also feed your own internal advisories into the same matching, so the view covers what your organisation knows as well as what is public. With Scout, you spot and fix vulnerabilities as they are disclosed, without the wait.
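To make the SBOM-times-feed model concrete, here is an added example written for this article (it is not Docker Scout's code). Everything in it is constructed: the SBOM entries, the advisory feed, the advisory that "streams in" later and the internal advisory, and the IDs ADV-0001, ADV-0002 and INT-2023-01 are placeholders, not real CVE identifiers. What it shows is the property that matters: once the SBOM is stored, a new advisory only re-runs the cheap matching step, and a rebuilt image whose SBOM no longer matches drops the finding.

```python
"""Event-driven vulnerability matching: SBOM x advisory feed, no image re-scan.

Added example, not Docker Scout's code. The SBOM entries, the advisory feed,
the "new advisory" and the "internal advisory" are all constructed here; the
advisory IDs (ADV-..., INT-...) are placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    ecosystem: str      # "npm", "deb", ...
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str
    package: str
    fixed_in: str       # first version that is no longer affected
    severity: str       # critical | high | medium | low
    source: str = "public"


def version_key(version: str) -> tuple:
    """'4.17.1' -> (4, 17, 1): compare releases numerically, never as strings
    ('4.9.0' must sort below '4.17.1')."""
    return tuple(int(p) for p in version.split("."))


def affected(pkg: Package, adv: Advisory) -> bool:
    return (pkg.ecosystem == adv.ecosystem
            and pkg.name == adv.package
            and version_key(pkg.version) < version_key(adv.fixed_in))


def match(sbom: list, advisories: list) -> dict:
    """Cross-reference a stored SBOM with the current advisory set.

    Returns {advisory id: affected package}. This is the only step that has
    to run again when the feed changes; the image itself is not touched.
    """
    return {a.id: p for p in sbom for a in advisories if affected(p, a)}


# Constructed SBOM of the image built from package.json pinning express 4.17.1.
SBOM_0_1 = [Package("npm", "express", "4.17.1"),
            Package("npm", "qs", "6.7.0"),
            Package("deb", "libc6", "2.31")]

# Same app after the fix (express bumped; its transitive qs moved with it).
SBOM_1_0 = [Package("npm", "express", "4.17.3"),
            Package("npm", "qs", "6.11.0"),
            Package("deb", "libc6", "2.31")]

# Public feed as it looked when the image was first analysed (constructed).
FEED_T0 = [Advisory("ADV-0001", "npm", "qs", fixed_in="6.7.3", severity="high")]

# Advisory that "streams in" later, and one added from an internal tracker.
NEW_PUBLIC = Advisory("ADV-0002", "npm", "express", fixed_in="4.17.3", severity="high")
INTERNAL = Advisory("INT-2023-01", "deb", "libc6", fixed_in="2.32",
                    severity="medium", source="internal")


def risk_timeline(sbom: list) -> dict:
    """Finding IDs for one stored SBOM at three moments, without re-scanning."""
    t0 = FEED_T0
    t1 = t0 + [NEW_PUBLIC]              # new public advisory lands
    t2 = t1 + [INTERNAL]                # internal advisory merged into the feed
    return {"t0": sorted(match(sbom, t0)),
            "t1": sorted(match(sbom, t1)),
            "t2": sorted(match(sbom, t2))}


if __name__ == "__main__":
    for tag, sbom in (("0.1", SBOM_0_1), ("1.0", SBOM_1_0)):
        print(tag, risk_timeline(sbom))
```

Running it prints, for the 0.1 SBOM, one finding at t0, two once the express advisory lands, and three with the internal one; the 1.0 SBOM only ever matches the internal libc6 advisory, which is what "fix the app, rebuild, and the public findings disappear" looks like at the data level. Note the numeric version comparison: qs 6.11.0 is newer than 6.7.3 even though it sorts lower as a string.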

What is Skout and what problem does it solve?

Skout is not an official Docker product; it is a tool built by Docker staff engineer Felipe Cruz. It gives you a bird's-eye view of the number of Common Vulnerabilities and Exposures (CVEs) detected in the container images running on your Kubernetes cluster, broken down per pod and container.

GitHub URL: https://github.com/felipecruz91/skout

Docker Desktop 4.17 or later is expected: skout shells out to the docker scout CLI plugin that ships with Docker Desktop and checks the Docker Desktop version when it starts.

Getting Started

  • Install Docker Desktop 4.25.1

  • Enable the Kubernetes cluster in Docker Desktop settings

Installing Skout

The release asset below is the macOS arm64 build of skout 0.0.3; pick the asset matching your OS and architecture from the releases page.

```bash
curl -LsO https://github.com/felipecruz91/skout/releases/download/0.0.3/skout_0.0.3_darwin_arm64.tar.gz
tar -xvf skout_0.0.3_darwin_arm64.tar.gz
sudo mv skout /usr/local/bin/skout
```

  • Running Skout for the first time

```
$ skout
2023/11/16 10:44:55 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 10:44:55 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 10:44:55 Analyzing a total of 8 images, this may take a few seconds...
┌─────────────┬────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┬──────────────────────┐
│ NAMESPACE   │ POD                                    │ CONTAINER (IMAGE)                                                                             │ VULNERABILITIES      │
├─────────────┼────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────┤
│ kube-system │ coredns-5dd5756b68-bpjmm               │ coredns (registry.k8s.io/coredns/coredns:v1.10.1)                                             │ 2C 14H 10M 1L (27)   │
│             │ coredns-5dd5756b68-hhvtg               │ coredns (registry.k8s.io/coredns/coredns:v1.10.1)                                             │ 2C 14H 10M 1L (27)   │
│             │ etcd-docker-desktop                    │ etcd (registry.k8s.io/etcd:3.5.9-0)                                                           │ 0C 17H 13M 0L (30)   │
│             │ kube-apiserver-docker-desktop          │ kube-apiserver (registry.k8s.io/kube-apiserver:v1.28.2)                                       │ 0C 6H 4M 0L (10)     │
│             │ kube-controller-manager-docker-desktop │ kube-controller-manager (registry.k8s.io/kube-controller-manager:v1.28.2)                     │ 0C 6H 5M 0L (11)     │
│             │ kube-proxy-q5xpg                       │ kube-proxy (registry.k8s.io/kube-proxy:v1.28.2)                                               │ 0C 7H 9M 0L (16)     │
│             │ kube-scheduler-docker-desktop          │ kube-scheduler (registry.k8s.io/kube-scheduler:v1.28.2)                                       │ 0C 6H 4M 0L (10)     │
│             │ storage-provisioner                    │ storage-provisioner (docker/desktop-storage-provisioner:v2.0)                                 │ 3C 50H 19M 1L (73)   │
│             │ vpnkit-controller                      │ vpnkit-controller (docker/desktop-vpnkit-controller:dc331cb22850be0cdd97c84a9cfecaf44a1afb6e) │ 0C 3H 7M 0L (10)     │
├─────────────┼────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────┤
│             │                                        │ TOTAL                                                                                         │ 7C 123H 81M 3L (214) │
└─────────────┴────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┴──────────────────────┘
```

Each VULNERABILITIES cell lists the critical, high, medium and low counts followed by the total in parentheses. Note that skout analyzed 8 images for 9 containers: the two coredns pods run the same image, so it is analyzed once and the result is reported for both.

Scout Demo Service

To demonstrate Skout, let's use the Docker Scout demo service from https://github.com/docker/scout-demo-service. The repository holds an application and a Dockerfile that demonstrate using Docker Scout to analyze and remediate CVEs in a container image.

Clone the repository and build the image (the build context is the repository root):

```bash
git clone https://github.com/docker/scout-demo-service
cd scout-demo-service
docker build -t ajeetraina/docker-scout-demo:0.1 .
```

The provided YAML manifests define a Kubernetes Namespace and a Deployment within that Namespace. Let's take a look:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: ns2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scout-demo-service-deployment
  namespace: ns2
spec:
  selector:
    matchLabels:
      app: scout-demo
  replicas: 1
  template:
    metadata:
      labels:
        app: scout-demo
    spec:
      containers:
      - name: scout-demo
        image: ajeetraina/docker-scout-demo:0.1
        ports:
        - containerPort: 3000
```

The first document (Namespace):

This declares a Namespace named ns2. Namespaces logically partition resources in a Kubernetes cluster; they are the scope at which RBAC roles, NetworkPolicies and resource quotas are applied, which is what lets you isolate resources and control access to them.

The second document (Deployment):

This defines a Deployment named scout-demo-service-deployment in the ns2 Namespace. A Deployment keeps the specified number of Pod replicas running at all times.

  • replicas: 1 means exactly one Pod should be running for this Deployment.
  • selector matches Pods carrying the label app: scout-demo; only those Pods are managed by the Deployment, so the template's labels must match it.

The Deployment's template defines the Pod spec:

  • image: ajeetraina/docker-scout-demo:0.1 is the image the Pod's container runs. It is referenced by a mutable tag, and this is the image Skout will analyze.
  • ports declares that the container listens on port 3000. containerPort is informational: it does not publish the port outside the cluster. To reach the app you need a Service (or kubectl port-forward).

When you apply these manifests, Kubernetes creates the Namespace ns2 and starts a single Pod from the scout-demo-service-deployment template. The Pod runs the specified image, which listens on port 3000.

Apply the Manifest

Save the manifests above as scout-demo.yaml and apply them:

```bash
kubectl apply -f scout-demo.yaml
```

Running Skout for Kubernetes Pod

Restrict skout to the demo namespace:

```bash
skout --namespace ns2
```

Skout reports high-severity vulnerabilities in the scout-demo container (image ajeetraina/docker-scout-demo:0.1). They come from the express 4.17.1 dependency pinned in the app's package.json.

Fixing the Vulnerabilities

Let's fix the vulnerabilities by changing the express version in package.json from:

```json
"dependencies": {
  "express": "4.17.1"
}
```

to

```json
"dependencies": {
  "express": "4.17.3"
}
```

and then rebuilding the Docker image. I have already built this new image and tagged it ajeetraina/docker-scout-demo:1.0.

The new YAML file looks like this (only the image tag changes):

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: ns2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scout-demo-service-deployment
  namespace: ns2
spec:
  selector:
    matchLabels:
      app: scout-demo
  replicas: 1
  template:
    metadata:
      labels:
        app: scout-demo
    spec:
      containers:
      - name: scout-demo
        image: ajeetraina/docker-scout-demo:1.0
        ports:
        - containerPort: 3000
```

Apply the Manifest

```bash
kubectl apply -f scout-demo.yaml
```

Running Skout against the fixed Pod

```
$ skout --namespace ns2
2023/11/16 11:21:16 Docker Desktop version 4.25.1 is greater or equal than 4.17.0
2023/11/16 11:21:16 Will be using the docker scout CLI plugin that is shipped with Docker Desktop to analyze images
2023/11/16 11:21:16 Analyzing a total of 1 images, this may take a few seconds...
┌───────────┬───────────────────────────────────────────────┬───────────────────────────────────────────────┬──────────────────┐
│ NAMESPACE │ POD                                           │ CONTAINER (IMAGE)                             │ VULNERABILITIES  │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼──────────────────┤
│ ns2       │ scout-demo-service-deployment-f4647b874-96qgd │ scout-demo (ajeetraina/docker-scout-demo:1.0) │ 0C 0H 0M 0L (0)  │
├───────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────┼──────────────────┤
│           │                                               │ TOTAL                                         │ 0C 0H 0M 0L (0)  │
└───────────┴───────────────────────────────────────────────┴───────────────────────────────────────────────┴──────────────────┘
```

The rolled-out 1.0 image reports no vulnerabilities at any severity.
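The whole loop above (list the pods in a namespace, analyze each distinct image once, read the verdict per container, rerun after the fix) is small enough to reproduce without Docker Desktop. The script below is an added example written for this article, not skout's code. It assumes kubectl and the docker scout CLI plugin are on PATH and that docker scout accepts the image references it is given (neither tool is invoked at import time); SAMPLE_PODS is a constructed pod listing shaped like `kubectl get pods -o json`, and PLACEHOLDER_DIGEST is a stand-in for a real digest. It goes one step beyond skout in two ways: it prefers the digest the kubelet actually pulled (status.containerStatuses[].imageID) over the mutable tag in the spec, and it uses the plugin's `--exit-code` flag as a pass/fail gate instead of printing counts.

```python
"""Skout-style namespace roll-up rebuilt in Python: list what is actually
running, analyse each distinct image once, fail if anything critical/high is found.

Added example, not skout's code. It assumes kubectl and the docker scout CLI
plugin are on PATH; neither is called at import time, and the pod listing used
below (SAMPLE_PODS) is constructed to look like `kubectl get pods -o json`.
"""
import json
import subprocess
import sys

PLACEHOLDER_DIGEST = "sha256:" + "0" * 64   # stands in for a real digest in the sample


def list_pods(namespace=None) -> dict:
    """`kubectl get pods -o json` for one namespace, or all namespaces if None."""
    scope = ["-n", namespace] if namespace else ["-A"]
    out = subprocess.run(["kubectl", "get", "pods", *scope, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def running_images(pod_list: dict) -> dict:
    """Map each image reference to the set of 'ns/pod/container' running it.

    Prefer status.containerStatuses[].imageID, the digest the kubelet actually
    pulled, over the tag in spec: tags are mutable, digests are not. Fall back
    to the spec tag when the status carries no registry digest (locally built
    images on Docker Desktop report a bare 'docker://sha256:...' ID) or the
    container has not started yet.
    """
    images = {}
    for pod in pod_list["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        statuses = {s["name"]: s for s in pod.get("status", {}).get("containerStatuses", [])}
        for c in pod["spec"]["containers"]:
            image_id = statuses.get(c["name"], {}).get("imageID", "")
            for prefix in ("docker-pullable://", "docker://"):
                image_id = image_id.replace(prefix, "", 1)   # runtime-specific prefixes
            ref = image_id if "@sha256:" in image_id else c["image"]
            images.setdefault(ref, set()).add(f"{ns}/{name}/{c['name']}")
    return images


def has_findings(image: str, severities="critical,high") -> bool:
    """Run `docker scout cves` on one image; --exit-code makes it return 2 when
    CVEs of the requested severities exist, so no output parsing is needed."""
    proc = subprocess.run(["docker", "scout", "cves", "--exit-code",
                           "--only-severity", severities, image],
                          capture_output=True, text=True)
    if proc.returncode not in (0, 2):
        raise RuntimeError(f"docker scout failed on {image}: {proc.stderr.strip()}")
    return proc.returncode == 2


def report(images: dict, verdicts: dict) -> list:
    """One line per container, so two pods sharing an image both show that
    image's verdict even though it was analysed only once."""
    lines = []
    for ref, containers in images.items():
        state = "FINDINGS" if verdicts[ref] else "clean"
        lines += [f"{c}  {ref}  {state}" for c in sorted(containers)]
    return sorted(lines)


# Constructed pod listing: two coredns pods sharing one digest, plus the demo
# pod whose locally built image has no registry digest.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "coredns-5dd5756b68-bpjmm"},
     "spec": {"containers": [{"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.10.1"}]},
     "status": {"containerStatuses": [{"name": "coredns",
                "imageID": "docker-pullable://registry.k8s.io/coredns/coredns@" + PLACEHOLDER_DIGEST}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-5dd5756b68-hhvtg"},
     "spec": {"containers": [{"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.10.1"}]},
     "status": {"containerStatuses": [{"name": "coredns",
                "imageID": "docker-pullable://registry.k8s.io/coredns/coredns@" + PLACEHOLDER_DIGEST}]}},
    {"metadata": {"namespace": "ns2", "name": "scout-demo-service-deployment-f4647b874-96qgd"},
     "spec": {"containers": [{"name": "scout-demo", "image": "ajeetraina/docker-scout-demo:0.1"}]},
     "status": {"containerStatuses": [{"name": "scout-demo",
                "imageID": "docker://" + PLACEHOLDER_DIGEST}]}},
]}


if __name__ == "__main__":
    images = running_images(list_pods(sys.argv[1] if len(sys.argv) > 1 else None))
    verdicts = {ref: has_findings(ref) for ref in images}   # one scan per distinct image
    print("\n".join(report(images, verdicts)))
    sys.exit(1 if any(verdicts.values()) else 0)
```

Run it as `python3 skout_gate.py ns2` (or with no argument for every namespace). On the constructed listing, running_images collapses the three containers to two image references: the coredns digest shared by both pods, and the demo app's tag, because a bare `sha256:` ID without a repository is not something you can hand to docker scout. The non-zero exit on findings is what makes this usable as a CI or admission-time gate rather than a dashboard.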
