Secure Docker Images by Easily Finding Vulnerabilities with Snyk

Hi there,

Using containers and Docker for developing and deploying applications offers real benefits, portability and reproducibility among them. But every image you ship also ships an operating-system userland and a pile of third-party packages, and as container adoption grows so does that attack surface.

Surveys of production container estates, including Tripwire's container security reports, have repeatedly found that a large share of deployed images carry at least one known critical vulnerability, and that many organizations do not know what is inside the images they run.

A vulnerable package in a container is a foothold, and with a permissive runtime configuration (a privileged container, host path mounts, an over-broad service account token) that foothold can become a compromise of the whole environment. Keeping preventable, already-known vulnerabilities out of your images is the cheap part of container security, and there is no good reason to skip it.

This is what Snyk was built for: finding known vulnerabilities in your dependencies, container images and infrastructure configs and pointing at the fix, much as a spell checker underlines a word and suggests the correction.

In this walkthrough I'll show how Snyk Container finds those issues early in the workflow, before the image reaches production.

A Primer on Snyk

Founded in 2015, Snyk is a widely used developer-focused security platform that covers open source dependencies, application code, container images and infrastructure as code.

The main Snyk product modules include:

Snyk Open Source – Finds known vulnerabilities (and licence issues) in the open source dependencies your application pulls in, and proposes upgrade paths

Snyk Container – Finds known vulnerabilities in the OS packages and application dependencies inside container images, recommends base-image upgrades, and monitors images in registries and Kubernetes clusters

Snyk Infrastructure as Code – Catches misconfigurations in Kubernetes manifests, Terraform and other infrastructure-as-code files

Snyk Code – Static analysis (SAST) of your own application source code

The focus is on empowering developers to own security by baking it directly into existing workflows. Snyk integrates with popular dev tools like GitHub, IDEs, CI/CD systems and more for frictionless adoption.

Let's focus on Snyk Container and what it actually does with a Docker image.

Scanning Local Docker Images

Scanning an image that is already in your local Docker daemon takes a single command:

snyk container test myapp:latest

Snyk does not run the image. It reads the image layers, locates the OS package database (dpkg, apk or rpm) and any application manifests it recognises, and compares the installed versions against its vulnerability database. If the tag is not present locally the CLI pulls it from the registry, and for a multi-architecture image you can pass --platform to test the variant you actually deploy.

The output lists each finding with its severity, the package it lives in, the path that introduces it and a link to the advisory. Abbreviated from a scan of an image built on debian:buster-slim (the package version in the path is omitted here):

✗ High severity vulnerability found in musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-MUSL-1042038
  Introduced through: musl
  From: debian:buster-slim > musl@…

Read the ID as distribution, release, package, number: SNYK-DEBIAN10-MUSL-1042038 is the musl package as built for Debian 10. The same out-of-bounds write in musl on an Alpine 3.12 image is reported under a separate ID, SNYK-ALPINE312-MUSL-1069499 (there it is typically introduced through busybox and ssl_client, which depend on musl), because every distribution ships its own build and patches on its own schedule. This matters for remediation: the fix is the distribution's patched package, not the upstream release.

Each entry is actionable on its own: the severity for prioritisation, the package and its version, the introduction path (which tells you whether the package came from the base image or from your own layers), the advisory link and, when one exists, the fixed version.

Pass --file=Dockerfile alongside the image and Snyk also prints base-image recommendations: newer tags of the same image and alternative images, each with its vulnerability counts, so that most findings can be fixed at the root by rebasing rather than patching packages one at a time.

In my case the cleanest fix was a newer base image. One caveat first: the tag I initially reached for, debian:buster-slim-backports, is not a tag the official debian image publishes, and enabling backports would not patch the base packages anyway, since backports only changes what you get when you explicitly install a package from that suite. The real choices are a newer release tag, or staying on buster and installing that release's security updates in a RUN step before your application is copied in. I went with the newer release:

FROM debian:bullseye-slim

After rebuilding and rescanning, the musl finding was gone:

✓ Test Passed! No vulnerabilities found.

That is the loop you want: scan, rebase, rescan, before the image is ever pushed. Do not expect a full distribution base to stay at zero for long, though. New advisories land every week, which is why continuous monitoring of images in the registry matters, and why a distroless or scratch base that ships fewer packages keeps the count down.

Some flags worth knowing:

snyk container test --file=Dockerfile --exclude-base-image-vulns --severity-threshold=high myapp:latest

--file=Dockerfile lets Snyk attribute layers to the base image and produce the upgrade advice. --exclude-base-image-vulns hides findings that come from the base image so you see only what your own layers added. --severity-threshold=high reports only high and critical issues. Be clear about what the threshold does and does not do: it cuts noise, not false positives, and a medium issue hidden this way is still in the image. Two more: --json prints the full result as JSON for scripting, and --print-deps lists every package Snyk identified in the image, which is the quickest way to confirm it recognised your package manager at all. The exit code is 0 when nothing was found, 1 when vulnerabilities were found and 2 on an error, so a CI step can branch on it directly.
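Once you are scripting around --json, the raw report is one entry per advisory, which gets noisy for a package carrying a dozen CVEs and makes a plain severity threshold a blunt gate. The script below, added here as an example and not Snyk's own code, collapses the report to one row per package@version, pulls out the base-image advice, and decides whether a pipeline should fail at a given severity, optionally ignoring findings that have no fixed version yet. The JSON field names it reads (vulnerabilities[].id/severity/packageName/version/from/fixedIn and docker.baseImageRemediation.advice[].message) are my understanding of the CLI's output and should be confirmed against a real scan; the embedded sample report is constructed for the demo, with only the musl ID taken from this article.

```python
#!/usr/bin/env python3
"""Triage and gate on `snyk container test --json` output.

Added example, not Snyk's code. Field names follow the Snyk CLI JSON output
as I understand it; verify them against a real report before trusting this.
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample shaped like CLI output. Only the musl ID comes from the
# article; the SNYK-EXAMPLE-* IDs, versions and advice text are made up.
SAMPLE_JSON = r"""
{"ok": false, "path": "myapp:latest", "packageManager": "deb",
 "docker": {"baseImage": "debian:buster-slim",
   "baseImageRemediation": {"code": "REMEDIATION_AVAILABLE", "advice": [
     {"message": "Base Image: debian:buster-slim", "bold": true},
     {"message": "Recommendations for base image upgrade: (example text)"}]}},
 "vulnerabilities": [
  {"id": "SNYK-DEBIAN10-MUSL-1042038", "title": "Out-of-bounds Write",
   "severity": "high", "packageName": "musl", "version": "1.1.21-2",
   "from": ["docker-image|myapp@latest", "musl@1.1.21-2"], "fixedIn": []},
  {"id": "SNYK-EXAMPLE-LIBSSL-0001", "title": "Example issue A",
   "severity": "medium", "packageName": "libssl1.1", "version": "1.1.1d-0+deb10u1",
   "from": ["docker-image|myapp@latest", "openssl@1.1.1d-0+deb10u1", "libssl1.1@1.1.1d-0+deb10u1"],
   "fixedIn": ["1.1.1d-0+deb10u2"]},
  {"id": "SNYK-EXAMPLE-LIBSSL-0002", "title": "Example issue B",
   "severity": "medium", "packageName": "libssl1.1", "version": "1.1.1d-0+deb10u1",
   "from": ["docker-image|myapp@latest", "libssl1.1@1.1.1d-0+deb10u1"],
   "fixedIn": ["1.1.1d-0+deb10u3"]},
  {"id": "SNYK-EXAMPLE-APT-0001", "title": "Example issue C",
   "severity": "low", "packageName": "apt", "version": "1.8.2",
   "from": ["docker-image|myapp@latest", "apt@1.8.2"], "fixedIn": []}]}
"""


def load_report(text):
    """Parse CLI JSON and fail early if it is not a container test report."""
    report = json.loads(text)
    if not isinstance(report.get("vulnerabilities"), list):
        raise ValueError("no 'vulnerabilities' list: not a `snyk container test --json` report?")
    return report


def triage(report):
    """One row per package@version: worst severity, all IDs, fixed versions, paths."""
    groups = {}
    for v in report["vulnerabilities"]:
        key = f'{v["packageName"]}@{v["version"]}'
        g = groups.setdefault(key, {"package": key, "severity": "low", "ids": [],
                                    "fixed_in": set(), "paths": set()})
        g["ids"].append(v["id"])
        if SEVERITY_RANK[v["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = v["severity"]
        g["fixed_in"].update(v.get("fixedIn") or [])   # empty set = no fix published
        g["paths"].add(" > ".join(v.get("from", [])))
    rows = list(groups.values())
    for r in rows:
        r["ids"], r["fixed_in"], r["paths"] = sorted(r["ids"]), sorted(r["fixed_in"]), sorted(r["paths"])
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["package"]))
    return rows


def gate(report, threshold="high", block_unfixable=True):
    """Return (ok, blocking packages). Blocks on rows at or above `threshold`;
    with block_unfixable=False, rows with no fixed version are reported but do
    not fail the build, so a bug you cannot act on does not stall the pipeline."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = [r["package"] for r in triage(report)
                if SEVERITY_RANK[r["severity"]] >= min_rank
                and (block_unfixable or r["fixed_in"])]
    return (not blocking, blocking)


def base_image_advice(report):
    """Snyk's base-image upgrade advice lines, if the scan produced any."""
    docker = report.get("docker") or {}
    advice = (docker.get("baseImageRemediation") or {}).get("advice") or []
    return [a["message"] for a in advice if a.get("message")]


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_JSON
    report = load_report(text)
    for r in triage(report):
        fix = ", ".join(r["fixed_in"]) or "no fix yet"
        print(f'{r["severity"]:8} {r["package"]:32} fix: {fix}  ({len(r["ids"])} issue(s))')
    for line in base_image_advice(report):
        print(line)
    ok, blocking = gate(report, threshold="high", block_unfixable=False)
    print("gate:", "pass" if ok else "FAIL " + ", ".join(blocking))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it on a real image, save the script as, say, snyk_gate.py and run snyk container test --json myapp:latest > report.json || true followed by python3 snyk_gate.py report.json; the || true stops the shell aborting on Snyk's exit code 1 before the script has applied its own policy. With no argument it runs against the embedded sample, where the unfixable musl finding is reported but, with block_unfixable=False, does not fail the gate. Note that the script only unions the fixed versions; ordering Debian version strings correctly needs dpkg's comparison rules, so treat the newest listed version as the upgrade target yourself.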

Even More Integrations

Everything above ran locally, but the same scanner plugs into the rest of the pipeline, so images are tested where they are built, stored and run:

Container registries – Import repositories from Docker Hub, Amazon ECR, Google Container Registry, Azure Container Registry and others; Snyk keeps re-testing imported images as new advisories are published, so an image that was clean at build time still raises an alert when a new vulnerability lands

Kubernetes – A controller installed in the cluster (the snyk-monitor chart) discovers running workloads and tests their images, which catches anything that bypassed your CI

CI/CD systems – Run snyk container test in GitHub Actions, CircleCI, GitLab CI, Jenkins and the like, and fail the build on its exit code

IDE plugins – The Snyk extension for VS Code and the JetBrains IDEs surfaces findings while you edit

This catches issues early in the lifecycle, before they reach production, and keeps catching them after deployment as the vulnerability database changes.

For organisations that want one tool across the stack, Snyk also tests the infrastructure-as-code that deploys the containers (Kubernetes YAML, Terraform, CloudFormation and more) alongside the images themselves.

Handling Tricky Issues

Even with a smooth tool you will occasionally hit trouble. Where to look first:

Scan errors – The CLI needs HTTPS access to Snyk's API (api.snyk.io by default; set SNYK_API if your organisation uses a regional endpoint). Check DNS resolution, proxy settings (the CLI honours HTTPS_PROXY) and egress rules, then rerun the command with -d for debug logging. An image the CLI cannot find locally is pulled from the registry, so registry credentials and pull access matter too

Integration problems – Confirm the API token is set (snyk auth interactively, or the SNYK_TOKEN environment variable in CI) and that it belongs to a user or service account with access to the organisation you are testing against (--org)

Other issues – Check status.snyk.io for ongoing incidents, then open a support ticket

Conclusion

I hope the hands-on walkthrough has shown why Snyk Container is my preferred way to find and fix vulnerabilities in Docker images.

The key takeaways, whether you come at this as a developer, a security engineer or an ops lead:

✅ Low friction – one command against an image tag, with no need to run the container

✅ Clear, actionable reporting – severity, package, introduction path and advisory link for every finding

✅ Remediation guidance, including base-image upgrade advice, that fixes issues at the source rather than one CVE at a time

✅ Broad coverage – the same tooling extends from container images to the infrastructure-as-code that deploys them

Bottom line: Snyk lets you own application security by embedding it into the workflow you already have.

So if you are not already scanning your container images, locally and in your registries, I strongly encourage you to sign up and give it a try today.

Just head to https://snyk.io to get started with a free account in minutes.

Stay safe out there by making security a priority!