Docker Security Scanning helps root out container vulnerabilities

The newest addition to Docker Cloud flags vulnerabilities in containers before they ever make it into production

Docker has made generally available an addition to Docker Cloud that prevents known security vulnerabilities in software from entering a Docker-powered software supply chain.

Formerly known as Project Nautilus, Docker Security Scanning (DSS) is part of Docker's push to make its tool set a general software lifecycle solution.

Where Docker merely packaged applications able to run anywhere, it's now also making sure applications can be kept up-to-date and secure without breaking workflow.

Dev-created, Docker-approved containers

DSS's main feature is a content-scanning and vulnerability detection system applied to containers as they're uploaded to Docker Cloud repositories. The scan creates a "bill of materials" for each container, which is a breakdown of all identifiable third-party software components used. That in turn is matched against the CVE and NVD vulnerability databases to determine if any of the components has a known issue. (Docker claims the scans take only a few minutes to execute.)

One of the touted advantages of the bill-of-materials approach is that any future changes to a container can be cross-checked. The result is what Docker calls a "freshness guarantee" to ensure changes to a container don't reintroduce insecure versions of software.

DSS also integrates with preexisting Docker security technologies like Docker Bench, which is a system for checking a container to see if it's been assembled according to existing best practices, and Docker Content Trust, which is designed to ensure a container's contents are from who they say they are and haven't been tampered with.

For all that ails you

Docker may have started by addressing the containerization mechanism for applications, but it's now set to be a complete software lifecycle management solution.

DSS features go beyond deployment and orchestration; the app-containerization process can now automate numerous processes that used to be done manually, such as detecting known vulnerabilities or enforcing application security policies. Docker's stated goal with DSS is a system where the containerization process produces apps that ship as secure as possible by default. 

This means containerization is fast becoming a standard framework for handling many tasks with applications aside from deploying and running them. However it could come at the cost of depending wholly on Docker -- a complaint lodged against the company in the past, although Docker believes enterprises are fine with a single-vendor solution as long as it solves their problems. (This was the guiding philosophy behind Docker Datacenter.)

On a positive note, DSS already has competition. Twistlock, for instance, performs the same kind of security scanning offered by DSS. Its approach impressed Google enough that it ended up becoming Google Cloud Platform's methodology of choice for protecting containers.

Copyright © 2016 IDG Communications, Inc.