From 1ece4031e63685ef11eaf5fcc91a393be6c49909 Mon Sep 17 00:00:00 2001 From: "Ajeet Singh Raina, Docker Captain, ARM Innovator" Date: Sat, 13 Jul 2024 08:53:38 +0530 Subject: [PATCH] Update README.md --- README.md | 110 ++++++++++++++++++++---------------------------------- 1 file changed, 41 insertions(+), 69 deletions(-) diff --git a/README.md b/README.md index 5532a6e..e376b84 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,9 @@ The application consists of a basic ExpressJS server and uses an intentionally o - [Fix application vulnerabilities](#fix-application-vulnerabilities) - [Integrating with GitHub Action](#integrating-with-github-action) -## Getting Started +## Getting Started + +## 1. Inner-Loop (using Docker Desktop) - Install the latest version of Scout CLI @@ -58,8 +60,28 @@ That means we need to update our Express v4.17.3 to 4.19.2 image +Alternatively, you can see the list of vulnerabilities locally using your terminal. + +``` + docker scout cves scout-demo:v1 +``` + + + +## Fix application vulnerabilities + +The fix suggested by Docker Scout is to update the underlying vulnerable express version to 4.17.3 or later. + +Update the package.json file with the new package version. -Open up package.json in a terminal window and change express from 4.17.3 to 4.19.2 and rebuild it this time with v2.0 + +``` +… +"dependencies": { + "express": "4.19.2" + … +} +``` ``` docker build -t scout-demo:v2 . @@ -68,7 +90,7 @@ docker build -t scout-demo:v2 . image -You will find that express vulnerabilities is now fixed. +You will find that express vulnerabilities are now fixed. image 
@@ -92,23 +114,27 @@ This time, you will find all the vulnerabilities are fixed. +## 2. Using Docker Hub -## Create and push the repository on Docker Hub: +## Create and push the Docker image to the Docker Hub repository ``` docker push /scout-demo:v1 ``` -Alternatively, you can use Docker Dashboard directly too to push your Docker image to the Docker Hub. +Alternatively, you can use Docker Dashboard directly to to push your Docker image to the Docker Hub. image ## Enable Docker Scout -image +You can enable Docker image analysis right on your Docker Hub repositories - either through CLI or directly using Docker Hub Dashboard. + + +image Docker Scout analyzes all local images by default. To analyze images in remote repositories, you need to enable it first. You can do this from Docker Hub, the Docker Scout Dashboard, and CLI. Find out how in the overview guide. 
@@ -134,87 +160,33 @@ For Example: ## Analyze image vulnerabilities -After building, you can use Docker Desktop or the docker scout CLI command to see vulnerabilities detected by Docker Scout. - -Using Docker Desktop, select the image name in the Images view to see the image layer view. In the image hierarchy section, you can see which layers introduce vulnerabilities and the details of those. - - -``` - docker scout cves /scout-demo:v1 -``` - - +Click on the tag version to see the list of vulnerabilities: -image +image -Select layer 5 to focus on the vulnerability introduced in that layer. +You can see the similar kind of result as you see locally on your Docker Desktop. -image +image -Toggle the disclosure triangle next to express 4.17.1 and then the CVE ID (in this case, “CVE-2022-24999⁠”) to see details of the vulnerability. -image -image - - - -You can also use the Docker CLI to see the same results. - - -``` -docker scout cves /scout-demo:v1 - ✓ Provenance obtained from attestation - ✓ Image stored for indexing - ✓ Indexed 79 packages - ✗ Detected 6 vulnerable packages with a total of 26 vulnerabilities - - ... -... - -28 vulnerabilities found in 6 packages - UNSPECIFIED 1 - LOW 0 - MEDIUM 7 - HIGH 18 - CRITICAL 2 -``` - -Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers. You can find more details in the [Advisory Database sources document](https://docs.docker.com/scout/advisory-db-sources/). - -## Fix application vulnerabilities - -The fix suggested by Docker Scout is to update the underlying vulnerable express version to 4.17.3 or later. - -Update the package.json file with the new package version. +After building, you can use Docker Desktop or the docker scout CLI command to see vulnerabilities detected by Docker Scout. 
-``` -… -"dependencies": { - "express": "4.17.3" - … -} -``` +Using Docker Desktop, select the image name in the Images view to see the image layer view. In the image hierarchy section, you can see which layers introduce vulnerabilities and the details of those. -## Rebuild the image, giving it a new version tag: ``` -docker build -t /scout-demo:v2 . + docker scout cves /scout-demo:v1 ``` -## Push the image to the same repository on Docker Hub using a new version tag: +Now you can follow the above instructions to fix it directly on Docker Desktop. -``` - docker push /scout-demo:v2 -``` - -Now, viewing the latest tag of the image in Docker Desktop, the Docker Scout Dashboard, or CLI, you can see that you have fixed the vulnerability. +Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers. You can find more details in the [Advisory Database sources document](https://docs.docker.com/scout/advisory-db-sources/). -image ## Integrating with GitHub Action
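Review bot: the new `## 1. Inner-Loop (using Docker Desktop)` heading in the first hunk sits at the same `##` level as `## Getting Started`, so it renders as a sibling of the section it is meant to subdivide rather than as a subsection of it (the `## 2. Using Docker Hub` heading added later has the same problem). Suggest `### 1. Inner-Loop (using Docker Desktop)` and `### 2. Using Docker Hub`, and adding both to the table of contents above so the new two-part structure is navigable. Also, the `-## Getting Started` / `+## Getting Started` pair is textually identical in the visible diff, so the change appears to be whitespace only; dropping the trailing whitespace from the new line keeps the diff minimal.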
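Review bot: in the second hunk, the added sentence "The fix suggested by Docker Scout is to update the underlying vulnerable express version to 4.17.3 or later" contradicts the unchanged context line immediately above it ("we need to update our Express v4.17.3 to 4.19.2") and the new package.json snippet that pins `"express": "4.19.2"`: the image already ships 4.17.3, so 4.17.3 is not a remediation target. Reword it to match the snippet and the version actually built into scout-demo:v2, e.g. "update the vulnerable express version to 4.19.2 or later". Two smaller points: the new package.json fence and the `docker scout cves scout-demo:v1` fence carry no language tag, so tagging them (`json`, `bash`) matches how the README is rendered on GitHub; and since the `## Fix application vulnerabilities` heading now lives inside the inner-loop section, the reader has no hint that the Docker Hub section later sends them back here ("follow the above instructions"), so a one-line cross-reference would help.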
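Review bot: the third hunk corrects the verb agreement, but "You will find that express vulnerabilities are now fixed" still reads awkwardly without an article; "You will find that the express vulnerabilities are now fixed" is the natural form.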
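Review bot: the rewritten sentence in the fourth hunk introduces a doubled word, "you can use Docker Dashboard directly to to push your Docker image"; drop one "to". While in this section, note that the unchanged `docker push /scout-demo:v1` command has no Docker Hub namespace in front of the slash (an angle-bracket placeholder such as `<username>` has most likely been swallowed as HTML by the Markdown renderer), so a reader copying it gets an invalid reference; a placeholder that survives rendering, e.g. `docker push YOUR_DOCKERHUB_USERNAME/scout-demo:v1`, would fix that. The new "Enable Docker Scout" sentence ("either through CLI or directly using Docker Hub Dashboard") duplicates the kept paragraph below it, which already says analysis can be enabled "from Docker Hub, the Docker Scout Dashboard, and CLI"; one of the two can go.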
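Review bot: the fifth hunk leaves the Docker Hub flow without a push of the fixed image. The removed lines `docker build -t /scout-demo:v2 .` and `docker push /scout-demo:v2`, together with "Now, viewing the latest tag of the image in Docker Desktop, the Docker Scout Dashboard, or CLI, you can see that you have fixed the vulnerability", are dropped, and the replacement "Now you can follow the above instructions to fix it directly on Docker Desktop" points back to the inner-loop section, which only builds a local `scout-demo:v2` and never pushes it. A reader following section 2 therefore ends with the vulnerable v1 tag as the only one on Docker Hub, and the remote analysis never shows the fix. Suggest keeping the rebuild-and-push steps for the v2 tag at the end of this section, or at least stating that the fixed image must be pushed before Docker Hub's analysis reflects it. Smaller points in the same hunk: "You can see the similar kind of result as you see locally on your Docker Desktop" should read "You see the same kind of result as you see locally in Docker Desktop"; the paragraph "After building, you can use Docker Desktop or the docker scout CLI command to see vulnerabilities detected by Docker Scout" and the Docker Desktop layer-view instructions now land inside the Docker Hub section, after the Hub screenshots, whereas they describe the inner-loop workflow and belong there (or before "Click on the tag version to see the list of vulnerabilities:"); and the deleted sample `docker scout cves` output (the "28 vulnerabilities found in 6 packages" severity breakdown) and the CVE-2022-24999 walkthrough were the only places the README showed what a scan result looks like, so consider keeping a trimmed version of that output under the inner-loop section.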