Top 9 Open-Source Docker Image Scanners to Try in 2022

Learn about the importance of using a Docker image scanner and discover the top 9 tools that are worth trying in 2022.

Roman Myronov

11/25/2021 6 min read

Since its release in 2013, Docker container technology, with its OS-level virtualization, has captured the hearts and minds of application developers around the world. Docker's popularity owes much to the fact that it significantly reduces the time needed to prepare the runtime environment for your apps, so you can develop, test, and deploy apps and associated services much faster. Containers are lightweight and, more importantly, their software environment is decoupled from the host operating system. This allows the bundled application to run anywhere: on your laptop, in the local data center, or in the cloud.

So far so good. But wait a minute! Cybercriminals are raising the stakes and developing sophisticated tactics to attack unprepared businesses. Malicious content published to public Docker registries, very often disguised as ordinary images for popular open-source stacks and programming languages, is among the latest tactics used to infect legitimate downstream apps. The net effect is that every app, hotfix, and patch you build on top of such an image is exposed to a supply chain attack at any stage of its development or maintenance.

Importance of Using Docker Image Scanners

Docker images that bundle software with known security vulnerabilities carry those vulnerabilities into every container started from them, where they become exploitable at runtime. Thus, you need to regularly run your images through a Docker image scanner. Container image scanning parses each layer of an image, inventories the OS packages and application dependencies it contains, and matches that inventory against databases of known vulnerabilities, so that problems are spotted early and reported to the developers. Image scanning also surfaces weaknesses in your app development process, such as base images that are never updated.

Image scanning should happen at multiple stages of software development, including building, testing, and deploying. Scanning at build time collects critical security information about the Docker image (its package inventory), which is then matched against a database of known vulnerabilities. Otherwise, you face the risk of vulnerable or malicious images ending up in your container registry. Scanning should run on every single push to your container registry, and the registry itself should rescan stored images as new vulnerability data arrives, since an image that was clean yesterday may match a CVE published today. Together, these measures help ensure the security and integrity of your registry. Overall, accurate scanning and reporting of detected vulnerabilities helps developers patch security flaws before they are too far into the pipeline, and allows the development team to deliver secure and robust apps and updates to their intended users.

While there are plenty of open-source vulnerability scanning tools for Docker images, these are some of the most popular ones among enterprise development teams:

#1 Anchore Engine

This open-source Docker image scanner analyzes and evaluates images pulled from any container registry compatible with the Docker Registry HTTP API V2. The tool runs standalone or inside a container orchestration setup (e.g., Kubernetes) and downloads container images from the registry for analysis. Anchore Engine extracts the image's package inventory, matches it against vulnerability feeds, and then evaluates the image against user-defined policies (for example, fail on any CVE above a given severity, or on a Dockerfile that exposes a forbidden port), reporting in detail on multiple aspects of the container image. So, with Anchore, you have a centralized system for scanning and certifying all of your container images. Anchore Engine comes with a REST API and a command-line interface, giving you hassle-free access to scanned images and registries. Apart from defining policies, Anchore also allows you to specify exceptions (whitelists) where you want the tool to ignore a specific rule for a given finding. A graphical UI and dashboard reports are part of Anchore's commercial offering rather than the open-source engine. Note that Anchore has since ended development of Anchore Engine; its open-source successors are Syft (SBOM generation) and Grype (vulnerability matching).

#2 Trivy

Trivy is a simple yet thorough container image security scanner backed by vulnerability data from the National Vulnerability Database (NVD) and from distribution security trackers such as Red Hat, Debian, Ubuntu, and Alpine. Trivy inspects the OS packages in your image (inherited from the base image named in your Dockerfile's FROM line) and, for supported ecosystems, the application dependencies recorded in lock files, for known vulnerabilities that your containers would otherwise inherit. The tool's vulnerability database is rebuilt and distributed incrementally every 12 hours, and Trivy downloads updates automatically. What's more, the scanner is a single binary that slots easily into existing software delivery pipelines; a run such as `trivy image --exit-code 1 --severity HIGH,CRITICAL myimage:tag` fails the build when serious findings are present. Trivy is released under the Apache License 2.0, which allows royalty-free usage and distribution. It also happens to be the default scanner in the Harbor container registry project and the Mirantis Docker container platform.
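Trivy is typically wired into a pipeline in the way described above: scan on every push, then fail the build on serious findings. As an added example that is not part of the original article or of Trivy's own code, the Python script below reads a report produced with `trivy image --format json --output report.json IMAGE` and applies a gate: fail on any finding at or above a chosen severity, optionally ignoring findings that have no fix yet, and honouring a per-image allowlist of accepted CVE IDs. The report embedded in the script is constructed for the example; its shape follows Trivy's JSON output (SchemaVersion 2), but the image name, package names and CVE identifiers are placeholders, not real advisories. Trivy itself offers `--exit-code`, `--severity`, `--ignore-unfixed` and a `.trivyignore` file for the same purpose; the script shows what the report contains and how a CI-side policy can be expressed on top of it.

```python
"""CI gate over a Trivy JSON report (added example; not Trivy's own code).

Run `trivy image --format json --output report.json IMAGE`, then feed
report.json to evaluate(). SAMPLE_REPORT is constructed for the example: its
shape follows Trivy's JSON output (SchemaVersion 2), but the image name,
package names and CVE identifiers are placeholders.
"""
import json
import sys
from collections import Counter

# Trivy severity labels, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/payments/api:1.4.2",   # placeholder image
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "registry.example.com/payments/api:1.4.2 (debian 11.1)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [                                   # placeholder CVE IDs
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample2",
                 "InstalledVersion": "2.3.0-4", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.26.0",
                 "Severity": "MEDIUM"},
            ],
        },
        # Trivy omits the Vulnerabilities key entirely for a clean target.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
})


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each finding with its Target."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({**vuln, "Target": result.get("Target", "")})
    return findings


def evaluate(report_json, fail_on="HIGH", ignore_unfixed=False, allowlist=()):
    """Apply the gate. Returns (passed, blocking_findings, count_by_severity)."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    findings = load_findings(report_json)
    summary = Counter(f.get("Severity", "UNKNOWN").upper() for f in findings)
    blocking = []
    for f in findings:
        severity = SEVERITY_RANK.get(f.get("Severity", "UNKNOWN").upper(), 0)
        if severity < threshold:
            continue                      # below the bar: reported, not blocking
        if f["VulnerabilityID"] in allowlist:
            continue                      # accepted risk, recorded out of band
        if ignore_unfixed and not f.get("FixedVersion"):
            continue                      # nothing to upgrade to yet
        blocking.append(f)
    return not blocking, blocking, summary


def format_blocking(blocking):
    """One line per blocking finding, in a form that reads well in CI logs."""
    lines = []
    for f in blocking:
        fix = f.get("FixedVersion") or "no fix available"
        lines.append(f"{f['Severity']:<8} {f['VulnerabilityID']:<16} {f['PkgName']} "
                     f"{f['InstalledVersion']} -> {fix}  [{f['Target']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a real report from argv[1] if given, otherwise gate the constructed sample.
    report_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking, summary = evaluate(report_json, fail_on="HIGH")
    print("findings by severity:", dict(summary))
    if not passed:
        print("blocking findings:\n" + format_blocking(blocking))
    sys.exit(0 if passed else 1)
```

Against the sample the gate fails on the HIGH and CRITICAL findings, and with `ignore_unfixed=True` only the HIGH one (which has an upgrade available) remains blocking; the allowlist is the place to record a CVE that has been reviewed and accepted for a specific image, and it should carry an expiry in a real pipeline.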

#3 OpenSCAP

The OpenSCAP toolkit evaluates a target against content written to the Security Content Automation Protocol (SCAP), an open security standard: XCCDF benchmarks and OVAL definitions describe the checks, and the scanner declares each rule passed or failed. The `oscap-docker` wrapper applies the same scanner to Docker images pulled from a registry and to running containers, performing the scan in much the same way as on a local machine, and produces results as XCCDF/ARF XML and HTML reports that can be published to a CI dashboard such as Jenkins. OpenSCAP doesn't limit its scope to container images; it assesses vulnerabilities and compliance on physical and virtual systems too. Note that its vulnerability checks (`oscap-docker image-cve`) rely on the distribution vendor's OVAL CVE feed, so in practice Red Hat-family images are the best covered.

#4 Clair

This API-driven open-source tool performs static analysis of known vulnerabilities in Docker images and in any container image that follows the Open Container Initiative (OCI) image format. Because the analysis is static, Clair never needs to actually run your container. The tool carries out a layer-by-layer inspection of the image to uncover and report security issues, using Common Vulnerabilities and Exposures (CVE) identifiers as its reference point.

What's more, Clair draws on the Red Hat, Ubuntu, and Debian security databases, among others. It indexes each image once and stores the result, then re-matches the stored indexes against new vulnerability data as it arrives, so an image scanned last month is flagged as soon as a newly published CVE affects one of its packages; Clair v4's notifier component can push such changes to a webhook. By building on Clair's API, you can add continuous security monitoring of your containers to a registry or pipeline (the Quay registry, for example, embeds Clair).

#5 Dockscan

Dockscan is a security vulnerability and audit scanner for your Docker installations and containers. The open-source tool, written as a simple Ruby script, is capable of performing checks on both local and remote Docker installations, as well as on running containers. It follows a plugin-based system for the discovery and audit of security issues. Some of the issues it looks for include missing container resource limits, containers that are allowed to create too many processes, and containers that reach the network directly through the Docker host's gateway and ports. The tool generates reports in HTML format. Dockscan can be easily installed as a Ruby gem (`gem install dockscan`) and invoked with the `dockscan` command. The project has not been actively developed for several years, so treat it as an audit aid rather than as a maintained vulnerability scanner.

#6 Dagda

Written in Python, Dagda is an open-source tool for static analysis of vulnerabilities, malware, and other threats in your Docker images and containers. The tool retrieves information about OS packages, language dependencies (such as Python, Node.js, Ruby, Java, and PHP modules), and other files contained in the Docker images. These are then matched against a local MongoDB database that Dagda populates with known vulnerabilities from multiple sources (e.g., the NVD, SecurityFocus BID, and Exploit-DB). In addition, Dagda uses ClamAV, an open-source antivirus engine, to detect trojans, viruses, and other malware that may have been planted within the Docker images or containers, and it can monitor running containers for anomalous activity through Sysdig Falco.

#7 Dockle

This is a user-friendly container image linter designed to help you harden the configuration of Docker images and keep them in line with the CIS Docker Benchmark and Dockerfile best practices. You just need to give it an image name and the tool will inspect the image and report the checkpoints that fail. Rather than looking for CVEs, Dockle flags configuration mistakes: credentials stored in environment variables baked into the image, a missing HEALTHCHECK instruction, files with setuid/setgid bits that could be abused for privilege escalation, and images that run as root because no USER was set. The tool is especially suited to continuous integration, during which programmers merge code changes frequently into a central repository, since it runs in seconds and can be told (`--exit-code 1`) to fail the build when a checkpoint fails.
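To make the kind of checks Dockle performs concrete, here is an added example, written for this page in Python; it is not Dockle's code, and the check identifiers in it are invented for illustration. It lints a Dockerfile for the issues listed above: a credential-looking ENV or ARG name, a missing HEALTHCHECK, a final build stage with no non-root USER, and, as one further common check, a base image pulled by the `latest` tag or with no tag at all. The two Dockerfiles in the script are constructed samples. Dockle inspects the built image rather than the Dockerfile, which is what lets it check setuid/setgid files; a Dockerfile-only linter like this one cannot see the filesystem, so that check is omitted.

```python
"""Dockerfile linter illustrating Dockle-style checks (added example, not Dockle's code).

Flags a credential-looking ENV/ARG name, a missing HEALTHCHECK, a final stage
that still runs as root, and a base image pulled by the latest tag. The
sample Dockerfiles at the bottom are constructed for the example.
"""
import re

# Assumption: these name fragments usually mark a credential (a heuristic, not Dockle's list).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.I)


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument)], joining backslash continuations and dropping comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # continuation: keep accumulating
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = buf + line, ""
        parts = line.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return instructions


def env_keys(argument):
    """Variable names from 'K=v K2=v2' or the legacy 'K v' form (ENV and ARG)."""
    tokens = argument.split()
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [t.split("=", 1)[0] for t in tokens if "=" in t]
    return [tokens[0]]


def final_stage(instructions):
    """In a multi-stage build only the block starting at the last FROM is shipped."""
    starts = [i for i, (ins, _) in enumerate(instructions) if ins == "FROM"]
    return instructions[starts[-1]:] if starts else instructions


def runs_as_root(stage):
    """True when no USER is set or the last USER resolves to root / uid 0."""
    users = [arg for ins, arg in stage if ins == "USER"]
    if not users:
        return True
    return users[-1].split(":", 1)[0].strip().lower() in ("root", "0")


def has_healthcheck(stage):
    checks = [arg for ins, arg in stage if ins == "HEALTHCHECK"]
    return bool(checks) and checks[-1].upper() != "NONE"


def lint(text):
    """Return [(check_id, message)]; an empty list means the Dockerfile passed."""
    instructions = parse_dockerfile(text)
    findings = []
    # Names given to earlier stages ('FROM x AS build') are valid FROM targets without a tag.
    stage_names = {arg.split()[-1].lower() for ins, arg in instructions
                   if ins == "FROM" and len(arg.split()) >= 3 and arg.split()[-2].upper() == "AS"}
    for ins, arg in instructions:
        if ins in ("ENV", "ARG"):
            for key in env_keys(arg):
                if SECRET_NAME.search(key):
                    findings.append(("secret-in-env", f"{ins} {key} looks like a credential baked into the image"))
        elif ins == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]   # skip --platform=...
            if not tokens:
                continue
            image = tokens[0]
            if image.lower() not in stage_names and image != "scratch" and "@sha256:" not in image:
                tag = image.rsplit("/", 1)[-1].partition(":")[2]           # tolerate registry:port
                if tag in ("", "latest"):
                    findings.append(("latest-tag", f"FROM {image}: pin a version tag or digest"))
    stage = final_stage(instructions)
    if runs_as_root(stage):
        findings.append(("root-user", "final stage sets no non-root USER; the container runs as root"))
    if not has_healthcheck(stage):
        findings.append(("no-healthcheck", "no HEALTHCHECK instruction in the final stage"))
    return findings


BAD_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2 \\
    APP_MODE=prod
COPY . /app
CMD ["python", "/app/main.py"]
"""

GOOD_DOCKERFILE = """\
FROM python:3.9-slim AS build
USER root
COPY requirements.txt /tmp/
RUN pip install --no-cache-dir --prefix=/install -r /tmp/requirements.txt

FROM python:3.9-slim
RUN useradd -r -u 10001 app
COPY --from=build /install /usr/local
COPY --chown=app . /app
HEALTHCHECK --interval=30s CMD python -c "import urllib.request as u; u.urlopen('http://127.0.0.1:8080/healthz')"
USER app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        findings = lint(text)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for check_id, message in findings:
            print(f"  {check_id}: {message}")
```

The `USER root` in the build stage of the good Dockerfile is deliberately not reported: only the last stage becomes the shipped image, so a linter has to evaluate USER and HEALTHCHECK per stage rather than across the whole file.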

#8 Harbor

This open-source registry delivers scanning functionality for Docker images by leveraging open-source scanners such as Trivy and Clair. Such static analysis of image vulnerabilities is among the key security policies enforced by this trusted cloud-native registry: a project can be configured to scan every image automatically on push and to prevent images with vulnerabilities above a chosen severity from being pulled. Harbor can be linked to more than one security scanner, each maintaining its own vulnerability database, which significantly broadens the coverage of your Docker environment. To use Trivy, enable it while installing your Harbor instance (the installer's `--with-trivy` flag); the same goes for Clair or any other bundled scanner. Alternatively, you can connect externally running instances of any of these scanners to Harbor as pluggable scanners through its Interrogation Services settings.

#9 Docker Scan

Docker now has a built-in vulnerability scanner called Docker Scan. From Docker 20.10 onwards, the `docker scan` command is available by default. This means you can scan images locally and identify potential security issues. Powered by the Snyk engine, the tool lets you scan an existing Docker image by its image name or ID; the image's package inventory is checked against Snyk's database of known container vulnerabilities before the scan results are generated. Passing the Dockerfile as well (`docker scan --file Dockerfile myimage:tag`) lets Snyk attribute findings to Dockerfile lines and recommend a base image upgrade. The flagged vulnerabilities help the development team patch security issues and significantly improve the overall security of the local Docker ecosystem. However, the security scanning feature doesn't work with Alpine Linux distributions. Note that Docker has since retired the scan plugin in favour of Docker Scout, so check the current Docker documentation for the equivalent command.

Conclusion

For several reasons, image security scanning is not the ultimate cure for all the vulnerabilities Docker images are prone to:

  • Such tools only check images for publicly known vulnerabilities; newly developed exploits that haven't been captured in any database yet go undetected, as do flaws in the code you wrote yourself.

  • Security issues that exist outside of the image, such as a weak Docker daemon setup, host kernel flaws, or orchestrator misconfiguration, are also beyond the scope of image scanning.

  • Image scanning doesn't help when a Docker container is started as root or with extra privileges; that is a runtime configuration choice, not an image property. (By the way, professionals don't recommend running container processes as the root user: if an attacker breaks out of the process, the privileged user can compromise the host. Set a non-root USER in the image, drop the capabilities the workload doesn't need, and avoid `--privileged`.)

Regardless of all these limitations, Docker image scanners are considered to be an indispensable first line of defense against critical vulnerabilities affecting your containerized applications.

That’s all, dear readers. Signing off for now. Please, let me know what you think about Docker image scanners and what is your favorite tool.