Docker Inc have announced general availability of Docker Security Scanning, which was previously known as Project Nautilus. The release comes alongside an update to the CIS Docker Security Benchmark to bring it in line with Docker 1.11.0, and an updated Docker Bench tool for checking that host and daemon configuration match security benchmark recommendations.
From 10 May 2016 Docker Cloud private repo customers will have a time limited free trial of the Security Scanning features, which will be expanded soon to all Docker Cloud users. Security Scanning will also become an integrated feature of Docker Datacenter. Scanning is intended to be integrated into the ‘build, ship, run’ lifecycle as part of a four part process:
- Base images are scanned, signed and pushed to a central registry (where the system integrates with Docker Content Trust).
- Developers add to secure base images and push complete apps for scanning. A bill of materials (BOM) is created and any vulnerabilities are noted for remediation.
- Once the BOM is in a satisfactory state the app image is signed and becomes deployable into production (onto hosts where the configuration has been secured with Docker Bench, and that trust the secure repo).
- As new vulnerabilities are added to the scanning database the system can notify against issues found with deployed images held in the repo. New images can be created and vulnerable containers can be replaced with freshly patched containers.
The Security Scanning engine is able to find security critical software, such as OpenSSL, within statically linked binaries; so it does more than simply scanning each file and creating a hash. It does however depend upon specific language support modules, so it can’t yet work with Golang static binaries.
Docker Inc’s Director of Security Nathan McCauley stated that the scanning technology had already ‘secured over 400m pulls’ from Docker Hub, but he wouldn’t comment on how many of those did contain known vulnerable software. McCauley went on to say that official Docker images will all now make use of Security Scanning, and that they were ‘moving towards reasonable timeliness’ for the process of fixing newly discovered issues.
The CIS Docker Security Benchmark was first released a year ago to work with Docker 1.6. McCauley indicated that he doesn’t expect the Benchmark to keep pace with releases of the Docker engine, but the Docker Bench tool will be updated more frequently than the benchmark in order to track new functionality.
McCauley was also keen to highlight the Role Based Access Control (RBAC) capabilities of Docker Trusted Registry (DTR) and Docker Universal Control Plane (UCP) products. Attribute Based Access Control (ABAC) may also be coming, as this has been requested by some customers. Whilst these security announcements have something to offer all Docker users, their main focus is on premium products and services where it seems that Docker Inc is concentrating on the market for management and security capabilities that build on the hugely popular underlying open source project.