
Scanning images for vulnerabilities in Docker - Commands & Configuration

Introduction
Container images bundle operating-system packages and libraries, and any of them can carry known security vulnerabilities. Scanning an image for vulnerabilities finds these problems before you run a container from it, so you can fix them while it is still cheap to do so. Typical moments to scan are:
Before deploying a new version of your app, to make sure it has no known security issues.
When you pull a container image from the internet and want to check that it is safe.
On a regular schedule, to catch vulnerabilities disclosed after the image was built.
Before sharing your container images with others, to ensure they are secure.
When you must comply with security rules that require vulnerability checks.
Commands
This command scans the official nginx image version 1.23 for known security vulnerabilities using Docker's built-in scanning tool.
Terminal
docker scan nginx:1.23
Expected Output
Testing nginx:1.23

Organization:    docker-library
Package manager: apk
Project name:    nginx
Project version: 1.23

✓ Tested 50 dependencies for known issues, no vulnerable paths found.

For more information, visit https://docs.docker.com/scan/
Scan an image you built yourself, here named my-app with the latest tag, to find vulnerabilities before deployment.
Terminal
docker scan my-app:latest
Expected Output
Testing my-app:latest

Organization:    my-org
Package manager: deb
Project name:    my-app
Project version: latest

✗ 2 vulnerabilities found

Severity: High
Description: CVE-2023-12345 in openssl
More info: https://security-tracker.example.com/CVE-2023-12345

Severity: Medium
Description: CVE-2022-67890 in curl
More info: https://security-tracker.example.com/CVE-2022-67890

Run 'docker scan --json my-app:latest' for detailed output.
Run the scan again but output the results in JSON format for easier automated processing or reporting.
Terminal
docker scan --json my-app:latest
Expected Output
{
  "vulnerabilities": [
    {
      "id": "CVE-2023-12345",
      "severity": "High",
      "package": "openssl",
      "description": "Buffer overflow vulnerability",
      "link": "https://security-tracker.example.com/CVE-2023-12345"
    },
    {
      "id": "CVE-2022-67890",
      "severity": "Medium",
      "package": "curl",
      "description": "Information disclosure",
      "link": "https://security-tracker.example.com/CVE-2022-67890"
    }
  ]
}
--json - Outputs the scan results in JSON format so they can be parsed by scripts and CI pipelines instead of read by eye.
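As an added example (not part of the original page or of Docker's own tooling), a small Python CI gate that reads the JSON shown above from stdin and fails the build when any finding reaches a chosen severity. The script name scan_gate.py and the embedded sample report are constructed for the example; the severity names follow the output above.

```python
import json
import sys

# Severity ranking used to decide which findings block a deployment.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample: the same shape as the 'docker scan --json' output above.
SAMPLE_REPORT = """{
  "vulnerabilities": [
    {"id": "CVE-2023-12345", "severity": "High", "package": "openssl",
     "description": "Buffer overflow vulnerability",
     "link": "https://security-tracker.example.com/CVE-2023-12345"},
    {"id": "CVE-2022-67890", "severity": "Medium", "package": "curl",
     "description": "Information disclosure",
     "link": "https://security-tracker.example.com/CVE-2022-67890"}
  ]
}"""


def blocking_findings(report_json, fail_on="High"):
    """Return the findings at or above the fail_on severity, worst first."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    # Unknown severity strings rank 0 and therefore never block on their own.
    hits = [v for v in report.get("vulnerabilities", [])
            if SEVERITY_RANK.get(v.get("severity"), 0) >= threshold]
    return sorted(hits, key=lambda v: SEVERITY_RANK[v["severity"]], reverse=True)


def summarize(report_json):
    """Count findings per severity so the pipeline log shows the full picture."""
    counts = {}
    for v in json.loads(report_json).get("vulnerabilities", []):
        counts[v["severity"]] = counts.get(v["severity"], 0) + 1
    return counts


def gate(report_json, fail_on="High"):
    """Exit status for CI: 0 when nothing is at or above fail_on, 1 otherwise."""
    hits = blocking_findings(report_json, fail_on)
    for v in hits:
        print(f"BLOCKING {v['severity']:<8} {v['id']} in {v['package']}: {v['description']}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Real use: docker scan --json my-app:latest | python scan_gate.py [High|Medium|...]
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    level = sys.argv[1] if len(sys.argv) > 1 else "High"
    print("summary:", summarize(data))
    sys.exit(gate(data, level))
```

With the sample report the gate exits 1 at the default High threshold and 0 when raised to Critical, which is the behaviour a pipeline step needs to stop a vulnerable image from being deployed.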
Key Concept

If you remember nothing else from this pattern, remember: scanning container images before use helps catch security problems early and keeps your systems safe.

Common Mistakes
Running docker scan on an image that exists neither locally nor in a reachable registry.
The scan fails because Docker cannot find an image to analyze.
Build the image locally or pull it from a registry before scanning.
Ignoring scan results that report vulnerabilities.
This leaves your system exposed to known security risks that attackers can already exploit.
Review each vulnerability, then update the affected package or rebuild the image before deployment.
Using outdated Docker versions that do not support the docker scan command.
The scan command will not work or may produce errors.
Use Docker version 20.10 or later where docker scan is supported.
Summary
Use 'docker scan IMAGE_NAME' to check a container image for known security vulnerabilities.
Review the scan output carefully and fix any reported issues before deploying containers.
Use the '--json' flag to get machine-readable scan results for automation or reporting.