Scanning Docker container image security vulnerabilities
Available in Classic and VPC
Container Registry of NAVER Cloud Platform provides a static analysis tool for scanning container images for security vulnerabilities. You can scan Docker container images stored in a Container Registry registry manually, or configure the registry to scan images automatically when they are uploaded (pushed).
This feature is provided based on Clair, an open-source container vulnerability scanning tool developed by CoreOS. Once the Docker container image scan is complete, the Common Vulnerabilities and Exposures (CVE) list for known security vulnerabilities is provided. In the CVE list, you can check the versions of the package with known vulnerabilities and the versions in which these vulnerabilities are resolved.
How to scan for Docker container image security vulnerabilities
To scan and check for security vulnerabilities in container images, follow these steps:
- Activate the automatic security vulnerability scanning feature when uploading (pushing) an image
- Conduct a manual security vulnerability scan on uploaded images
The Scan on push function, which automatically performs a vulnerability scan when uploading (pushing) an image to the registry, results in additional network costs.
1. Activate the automatic security vulnerability scan feature when uploading (pushing) an image
To activate the feature that automatically performs a security vulnerability scan when uploading (pushing) an image, follow these steps:
- Log in to the NAVER Cloud Platform console.
- Click Services > Containers > Container Registry menu, in order.
- Click the target registry name from the list.
- In the details area, click the Configuration button.
- In the Configuration settings popup window, click the Activate/Deactivate toggle button for the Scan on Push field to enable or disable it, and then click the [OK] button.
For detailed instructions on how to view the security vulnerability scan results, see View Docker container image security vulnerabilities.
2. Conduct a manual security vulnerability scan on uploaded images
To manually scan container images stored in the registry for security vulnerabilities, follow these steps:
- From the NAVER Cloud Platform console, click Services > Containers > Container Registry, in order.
- From the registry list, click the [Go] button for the image list of the target registry.
- In the Docker container image list, click the Docker container image.
- From the details page, click the [Tags] tab.
- In the tag list, click the [Scan] button in the Security Vulnerabilities column of the images that have not been scanned for vulnerabilities.
- Docker container images that haven't undergone a security vulnerability scan will display a "not scanned" message and a [Scan] button in the Security Vulnerabilities column.
- When you initiate the scan, the "not scanned" message will change to "PENDING" in the Security Vulnerabilities column, and the results will be displayed upon completion of the scan. For detailed instructions on how to view the security vulnerability scan results, see View Docker container image security vulnerabilities.
View Docker container image security vulnerabilities
After running a security vulnerability scan on a Docker container image, you can view the results after a certain period of time. You can enhance the overall security of the container by removing the vulnerabilities based on the scan results.
To view the results of a security vulnerability scan for a container image, follow these steps:
- From the NAVER Cloud Platform console, click Services > Containers > Container Registry, in order.
- From the registry list, click the [Go] button for the image list of the target registry.
- In the Docker container image list, click the Docker container image.
- From the details page, click the [Tags] tab.
- Check the Security Vulnerabilities column in the tag list. It shows the number of vulnerabilities at the highest severity level found in the known CVE list.
- To view the complete security vulnerability scan results, click the entry in the Security Vulnerabilities column of the target image.
- After checking the known CVE list for the container images, take the necessary measures to enhance security.
- Security vulnerabilities are categorized into five levels based on their severity.
- Level categorization: High, Medium, Low, Negligible, and Unknown
- Common Vulnerabilities and Exposures (CVE) ID: an identifier that uniquely represents a security vulnerability. It is displayed in the format CVE-Year-Serial Number. One CVE ID is assigned to one security vulnerability. For more information on CVE, see CVE Details.
- Common Vulnerability Scoring System (CVSS): represents the severity of a security vulnerability on a numerical scale from 0 to 10, with higher scores indicating more severe vulnerabilities.
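The severity levels, CVE ID format and CVSS score described above are what an image owner works with when reading a scan result. The following is an added example, not code from NAVER Cloud Platform or from Clair, that triages a constructed finding list (hypothetical CVE IDs, package names and versions) the way the console summarizes it: counts per level, the highest-severity count shown in the tag list column, the packages that a version upgrade would resolve, and a review order by level and then CVSS score. The finding fields (`cve`, `package`, `installed`, `fixed_in`, `severity`, `cvss`) are assumptions for this example; the real scan result format is not part of this page.

```python
import re
from collections import Counter

# Severity levels exactly as the console categorizes them, highest first.
SEVERITY_ORDER = ["High", "Medium", "Low", "Negligible", "Unknown"]

# CVE-Year-Serial Number; the serial number has at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample findings (hypothetical CVE IDs, packages and versions, not real
# scanner output). fixed_in is None when no version resolving the issue is known.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2099-10001", "package": "openssl", "installed": "1.1.1k-1",
     "fixed_in": "1.1.1n-1", "severity": "High", "cvss": 7.5},
    {"cve": "CVE-2099-10002", "package": "openssl", "installed": "1.1.1k-1",
     "fixed_in": "1.1.1n-1", "severity": "Medium", "cvss": 5.3},
    {"cve": "CVE-2099-10003", "package": "libc6", "installed": "2.31-0",
     "fixed_in": "2.31-13", "severity": "High", "cvss": 9.8},
    {"cve": "CVE-2099-10004", "package": "curl", "installed": "7.74.0",
     "fixed_in": None, "severity": "Low", "cvss": 3.7},
    {"cve": "CVE-2099-10005", "package": "tar", "installed": "1.34",
     "fixed_in": None, "severity": "Negligible", "cvss": None},
]


def is_valid_cve_id(cve_id):
    """True if cve_id follows the CVE-Year-Serial Number format."""
    return bool(CVE_ID_RE.match(cve_id))


def count_by_severity(findings):
    """Number of findings at each of the five levels, always listing all five."""
    counts = Counter(f["severity"] for f in findings)
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def highest_severity_summary(findings):
    """(level, count) for the most severe level present, which is what the tag
    list's Security Vulnerabilities column summarizes. None if there are no findings."""
    counts = count_by_severity(findings)
    for level in SEVERITY_ORDER:
        if counts[level]:
            return level, counts[level]
    return None


def fixable_packages(findings):
    """Packages that a version upgrade resolves, as sorted (package, installed, fixed_in)
    tuples with duplicates collapsed, so the owner knows what to rebuild the image with."""
    return sorted({(f["package"], f["installed"], f["fixed_in"])
                   for f in findings if f["fixed_in"]})


def triage_order(findings):
    """CVE IDs in review order: severity level first, then CVSS score descending.
    Findings without a score sort last within their level."""
    rank = {level: i for i, level in enumerate(SEVERITY_ORDER)}

    def key(f):
        score = f["cvss"] if f["cvss"] is not None else -1  # -1 sorts after any real score
        return rank[f["severity"]], -score

    return [f["cve"] for f in sorted(findings, key=key)]


if __name__ == "__main__":
    bad_ids = [f["cve"] for f in SAMPLE_FINDINGS if not is_valid_cve_id(f["cve"])]
    print("malformed CVE IDs:", bad_ids or "none")
    print("per level:", count_by_severity(SAMPLE_FINDINGS))
    print("tag list column shows:", highest_severity_summary(SAMPLE_FINDINGS))
    print("upgrade to resolve:", fixable_packages(SAMPLE_FINDINGS))
    print("review order:", triage_order(SAMPLE_FINDINGS))
```

The summary mirrors the console: the tag list column condenses the whole list to the count at the highest level present, so a single High finding hides any number of Medium ones until the full result is opened. The fixable list separates findings the owner can close by rebuilding on a patched base from those that need a compensating control until a fix is released.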