Docker image security analysis


On Your Marks …

Before getting started, you'll need a working Python v3.5+ installation. I found some handy instructions online [7], which I've summarized as best as I can. As superuser (root), you have to run a few commands and set up Python; for example, for Debian derivatives, use:

$ add-apt-repository ppa:jonathonf/python-3.6
$ apt-get update
$ apt-get install python3.6

In Figure 3 you can see that Python v3.6 adds about 23MB of files to your machine. Depending on how much time you've spent with Python, you might not have seen deprecation warnings before. For some future-proofing, I'll show you how to set a default Python version, because you need to tell Docker Scan to use Python v3, not version 2.

Figure 3: Installing Python v3.6 for compatibility with Docker Scan.

For example, the command

$ python --version
Python 2.7.12

reports that Python v2 is installed. After installing the relevant packages, entering python3 instead of python will output the following:

$ python3 --version
Python 3.5.2

On Debian derivatives (I'm using Mint/Ubuntu on my laptop), you can use the following commands to provide easier version switching options:

$ update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.5 1
$ update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.6 2
$ update-alternatives --config python3

With these commands, you can build a simple menu of sorts to populate your options (Figure 4). When you select 0 in Figure 4, for example, you force the use of version 3.6 and not version 3.5. Compare it to the output of the python3 command above.

Figure 4: Selecting 0 sets Python v3.6 as the default.
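Because Docker Scan only runs under Python v3.5+, it is worth checking which interpreter the python3 alternative actually resolves to before installing anything. The following POSIX shell snippet is an added example and is not part of the article or the dockerscan project: it parses the banner printed by python --version and compares it against a minimum major.minor version. One detail worth knowing is that Python v2 writes its --version banner to stderr while Python v3.4+ writes it to stdout, so the wrapper merges both streams before parsing. The interpreter name python3 and the file name pycheck.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): confirm that the interpreter behind
# "python3" is new enough for dockerscan (Python v3.5+) using only POSIX sh.

# Return 0 if a "Python X.Y.Z" banner is at least the required major.minor,
# 1 if it is too old, 2 if the text is not a Python version banner at all.
#   $1: banner as printed by "python --version"
#   $2: minimum major version   $3: minimum minor version
python_version_ok() {
    banner=$1; need_major=$2; need_minor=$3
    # Keep only the numeric X.Y.Z part; drop build suffixes such as a trailing "+".
    ver=$(printf '%s\n' "$banner" | sed -n 's/^Python \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    # A bare "Python 3" has no minor component; treat it as 3.0.
    if [ "$rest" = "$ver" ]; then minor=0; else minor=${rest%%.*}; fi
    if [ "$major" -gt "$need_major" ]; then return 0; fi
    if [ "$major" -eq "$need_major" ] && [ "$minor" -ge "$need_minor" ]; then
        return 0
    fi
    return 1
}

# Ask the given interpreter (default: python3) for its version and report
# whether it satisfies dockerscan's requirement. Python v2 prints the banner
# to stderr and Python v3.4+ to stdout, so both streams are captured.
check_interpreter() {
    interp=${1:-python3}
    if ! command -v "$interp" >/dev/null 2>&1; then
        echo "$interp: not found on PATH"
        return 2
    fi
    banner=$("$interp" --version 2>&1)
    if python_version_ok "$banner" 3 5; then
        echo "$interp -> $banner (OK for dockerscan)"
    else
        echo "$interp -> $banner (too old; pick Python v3.5+ with update-alternatives --config python3)"
        return 1
    fi
}

# Usage (assumed file name): . ./pycheck.sh && check_interpreter python3
```

Run check_interpreter after each update-alternatives --config python3 selection; a non-zero exit tells you the alternative still points at an interpreter that Docker Scan will refuse to run under.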

Hello Pip, Old Bean

Getting your system ready for Docker Scan requires a few commands:

$ apt install python3-pip
$ python3 -m pip install setuptools
$ python3 -m pip install -U pip # This should say it's already installed

In the first line, the Apt package manager installs the Python pip package manager. Because pip might be available for Python v2, the python3-pip name eliminates confusion. The setuptools package in the second command ensures that pip will behave properly, and the third command verifies that pip is happy. The final command that drops the star of the show into place is:

$ python3 -m pip install dockerscan
Successfully installed booby-ng-0.8.4 click-6.7 colorlog-2.10.0 dockerscan-1.0.0a3 ecdsa-0.13 jws-0.1.3 python-dxf-4.0.1 requests-2.13.0 tqdm-4.31.1 www-authenticate-0.9.2

The lengthy output denotes success.

Help Me

You can now check that Docker Scan is installed by running the command with the -h (help) option (Figure 5):

$ dockerscan -h

Figure 5: The upper level of the help menu from Docker Scan.

For clarity, I had previously installed the basic, built-in Docker package with the command:

$ apt install

You can find information about Docker Community Edition (CE) [8], which will likely install a newer version of Docker Engine.
