Scanning Docker images for key binaries – going beyond package managers

February 7, 2019 | in Product | By Liron Lifshitz-Yadin

We’re happy to share that we’ve extended our Docker scans to include key binaries that were manually installed on the Docker image.

Up until now, we only scanned OS packages that were installed by OS package managers such as dpkg, apk or rpm.

Now we also scan key binaries that were installed by downloading files or by manual installation. With this additional scan, you’re still protected when your Docker images contain unmanaged installed binaries.

For now, we detect vulnerabilities for Node.js and the Java Runtime Environment, but more will follow soon.
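To illustrate the gap described above, the following added example (not Snyk's code, and not a description of how Snyk's scanner is implemented) compares dpkg's recorded file lists with the `node` and `java` executables actually present in an unpacked image filesystem. The directory layout in `build_sample_rootfs` is constructed, and the function names are hypothetical.

```python
import glob
import os
import tempfile

KEY_BINARIES = {"node", "java"}  # the two runtimes the post names

def dpkg_owned_paths(root):
    """Collect every path that dpkg recorded as installed by a package."""
    owned = set()
    # dpkg keeps one <package>.list per package, one absolute path per line.
    for lst in glob.glob(os.path.join(root, "var/lib/dpkg/info/*.list")):
        with open(lst) as fh:
            owned.update(line.strip() for line in fh if line.strip())
    return owned

def find_unmanaged_binaries(root):
    """Return image-relative paths of key binaries that no dpkg package owns."""
    owned = dpkg_owned_paths(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname in KEY_BINARIES and os.access(full, os.X_OK):
                image_path = "/" + os.path.relpath(full, root)
                if image_path not in owned:
                    found.append(image_path)
    return sorted(found)

def build_sample_rootfs(root):
    """Constructed sample: one packaged node, plus java and node unpacked by hand."""
    files = {
        "usr/bin/node": "",            # owned by the 'nodejs' package below
        "opt/jre/bin/java": "",        # manually unpacked tarball
        "usr/local/bin/node": "",      # manually downloaded binary
        "var/lib/dpkg/info/nodejs.list": "/usr/bin\n/usr/bin/node\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        if not rel.endswith(".list"):
            os.chmod(path, 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        print(find_unmanaged_binaries(tmp))
```

Point `find_unmanaged_binaries` at an image filesystem unpacked to a directory (for example from `docker export`); apk- and rpm-based images keep their ownership records elsewhere and are not covered here.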

As Snyk always focuses on ensuring our database offers the most comprehensive vulnerability data available, we’ve now extended our vulnerability database to cover unmanaged installed binaries as well. This data is collected from several sources, including relevant security advisories.

For each of these binary vulnerabilities, Snyk also offers information about available remediation.

The following image offers an example of the CLI test output, including the newest binary scan results:

 

Along with the package managers scan results, the key binary vulnerabilities will now also appear in the Snyk UI when monitoring a Docker project (as in the following image), and you’ll be able to easily filter these by type.

 

To scan with these new enhanced capabilities, make sure you’ve upgraded to the latest CLI version and you’re all set.

If a supported key binary was installed manually, we’ll automatically report the detected vulnerabilities for the specific version.

Stay tuned for more enhancements in this area!

For more information about our Container Vulnerability Management solution and instructions for getting started, please read our Documentation.