Docker Debuts Security Scanning for Docker Cloud Containers
Docker Security Scanning, the company’s alternative to CoreOS Clair, is out this week, adding another security and code validation option for DevOps and continuous integration workflows.
Docker announced Security Scanning on Tuesday, May 10. Like Clair, the CoreOS security scanner that debuted earlier this year, the new Docker security tool runs as a service on container repositories. It automatically scans container images for security vulnerabilities whenever code is updated.
In Docker’s words, “Docker Security Scanning provides binary level scanning, generating a detailed security profile for each Docker image, including details that allow IT operations to assess if the software meets its security compliance standards. The service works seamlessly with existing dev and IT workflows and scans every time a change is shipped, adding a checkpoint before deployment.”
Docker is also keen to emphasize that Security Scanning supports all major Linux distributions and any type of application, making it platform- and code-agnostic. The tool delivers details about potential security vulnerabilities through what Docker calls a Bill of Materials report, which admins can use to assess threats.
While container scanning functionality is not new — this new Docker tool provides essentially the same functionality that CoreOS Clair has already offered for several months — it’s likely to prove popular with DevOps teams already invested in Docker. Clair only supports certain container repository services, notably Quay, the one owned by CoreOS. Docker Security Scanning supports any private repository in the popular Docker Cloud.
Docker has not said whether Security Scanning can check container images locally, too. That feature is available in Clair. But even if Security Scanning lacks that local functionality, it’s not likely to prove a significant drawback, since the main usefulness of container scanners is in the cloud.
Docker also on May 10 announced updates to Docker Bench, a tool for validating configurations against CIS security benchmarks. Bench offers another way to check code for security and best development practices.