2. Nautilus backstory courtesy of crate.io blogpost
Docker originally named its security project after the Nautilus, an old marine mollusk that lives in a spiral shell. It has up to ninety tentacles probing its environment. The shell consists of a sequence of confined chambers that correspond to the layered components of a Docker image.
Yes, we are that deep.
3. What Is Docker Security Scanning (formerly known as Project Nautilus)?
● Image scanning and vulnerability detection
○ Binary Vulnerability Scanner
■ Upload your image, we do binary scanning of all components
● A lot more than just a dpkg -l joined to a CVE database
● Finds all statically-linked libraries
■ Show all the vulnerabilities in each component
■ Handles backports - CVE 2016-abc-123 is backported to glibc 2.19-18+deb8u4
■ Licensing information
■ Covers all major Linux distros, and Windows
● Continued Vulnerability Monitoring
○ Notifications of newly discovered vulnerabilities
○ Find all affected repo owners, send them email
○ Prevents people from canceling since new vulns are always coming
■ Last week was “patch Tuesday” every day, for example
4. How Security Scanning Works
[Architecture diagram; labels recovered from the slide: Docker Security Scanning, Scanner, Scan Trigger, Plugin Framework, CVE Scanning validation service, CVE Databases (NIST, Mitre, Codenomicon), BOM Database, Notifications Processor, Notifications, Push image, Docker Cloud private repos, Signer (Notary), Official Images]
5. Remediation Strategies
● Move to a cleaner base
○ For example, Alpine has a much smaller footprint and far fewer vulnerabilities
○ Sometimes a similar base layer may be cleaner
■ For a while, debian:jessie was cleaner than ubuntu
● Upgrade your components if they have been patched
○ openssl, openssh, libgc, imagemagick were all fixed last week
● Use Official Images
○ Docker works with upstream publishers to resolve all known vulnerabilities
6. Future Features
● Integration with DTR (on prem repos)
● Build pipelines
○ Pass scans with some threshold of CVEs, then sign, then push somewhere else
○ Become part of bigger rule-based security pipeline
○ Add a test for license compliance, i.e. no GPL in proprietary code
● Suggest which updated component version to use
○ We may have scanned a different version that is cleaner
● Hooks to build/deploy images when some CVE is fixed
○ New CVE discovered
○ Upstream library is fixed
○ Scan passes, CVE is fixed
○ Build a new image and deploy
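The two pieces a pipeline gate needs, backport-aware CVE matching (slide 3, the `2.19-18+deb8u4` case) and a pass/fail threshold before signing and pushing (slide 6), as an added example. This is not Docker Security Scanning's code: the scan-report shape, the advisory table, the severity policy and the placeholder CVE ids are all constructed for this demo. The version comparison implements the dpkg ordering rules so that a Debian build carrying a backported fix compares as at or above the advisory's fixed version even though its upstream version number is still "vulnerable" in NVD.

```python
"""Backport-aware CVE gate for a container image build pipeline.

Added example, not Docker Security Scanning's own code.  The scan-report
shape, the advisory table and the severity policy are all assumptions
constructed for this demo; the CVE ids are placeholders.
"""
import re
from itertools import zip_longest

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _char_order(c):
    """dpkg ordering of non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string per the dpkg algorithm."""
    while a or b:
        # Leading non-digit runs are compared character by character ...
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _char_order(ca) != _char_order(cb):
                return -1 if _char_order(ca) < _char_order(cb) else 1
        # ... then leading digit runs are compared numerically.
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 comparing Debian versions of the form [epoch:]upstream[-revision]."""
    def parse(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, revision
    e1, u1, r1 = parse(v1)
    e2, u2, r2 = parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


# Constructed sample data (not real advisories or a real scan):
# (package, CVE) -> distro package version that carries the backported fix.
DISTRO_ADVISORIES = {
    ("libc6", "CVE-0000-0001"): "2.19-18+deb8u4",
    ("openssl", "CVE-0000-0002"): "1.0.1t-1+deb8u2",
}

SCAN_REPORT = {  # report shape is an assumption for this demo
    "image": "example/app:1.0",
    "components": [
        {"name": "libc6", "version": "2.19-18+deb8u4",
         "cves": [{"id": "CVE-0000-0001", "severity": "high"}]},
        {"name": "openssl", "version": "1.0.1t-1+deb8u1",
         "cves": [{"id": "CVE-0000-0002", "severity": "critical"}]},
        {"name": "bash", "version": "4.3-11+deb8u1",
         "cves": [{"id": "CVE-0000-0003", "severity": "low"}]},
    ],
}


def unfixed_cves(report, advisories):
    """CVEs that still apply once distro backports are taken into account.

    A CVE reported against the upstream version is dropped when the installed
    package version is at or above the version named in the distro advisory.
    """
    findings = []
    for comp in report["components"]:
        for cve in comp["cves"]:
            fixed_in = advisories.get((comp["name"], cve["id"]))
            if fixed_in and dpkg_compare(comp["version"], fixed_in) >= 0:
                continue  # fix is backported into this package build
            findings.append((comp["name"], cve["id"], cve["severity"]))
    return findings


def gate(report, advisories, block_at="high", allowed=0):
    """Pipeline gate: pass if at most `allowed` unfixed CVEs are at or above `block_at`."""
    blocking = [f for f in unfixed_cves(report, advisories)
                if SEVERITY_RANK[f[2]] >= SEVERITY_RANK[block_at]]
    return len(blocking) <= allowed, blocking


if __name__ == "__main__":
    passed, blocking = gate(SCAN_REPORT, DISTRO_ADVISORIES)
    for name, cve_id, sev in blocking:
        print(f"BLOCK {SCAN_REPORT['image']}: {name} {cve_id} ({sev}) unfixed")
    # Only a passing image would continue to the sign-and-push steps.
    print("gate:", "pass -> sign and push" if passed else "fail -> stop pipeline")
```

With the sample data, `libc6` is cleared because its installed build equals the advisory's fixed version, `openssl` remains blocking because `deb8u1` sorts below `deb8u2`, and `bash` has no advisory entry so it stays unfixed but, at `low`, does not trip the default `high` threshold. The `block_at` and `allowed` parameters are the policy knobs a rule-based pipeline would tune per repository.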
7. Basic Questions
1. Support for orgs?
- Generally available with Docker Cloud supported orgs
- Workarounds to support other orgs are being tested
2. Public Repos?
- Will have free scanning of public repos eventually, within a few months +/-
3. Which CVE databases do we work with?
- All the major ones: NIST NVD, Mitre, others
- Read from major distribution advisories for CVE backports
4. Does it support Windows?
- Not as well as Linux, but yes it does
5. Can I have it on my repos?
- Soon!