Show HN: I built ContainerCVE – a web tool to scan public Docker images (containercve.com)
I found it odd there wasn’t a simple web tool to scan Docker Hub images for vulnerabilities.
So I built one.
It’s powered by the popular open-source tool Trivy.
37 comments
[ 1.6 ms ] story [ 143 ms ] threadHow do you identify what is a safe Docker Hub image?
Surely it's not just reputation of the publisher of the image.
(Whether the standard docker tooling or user decides to validate signatures is another thing.)
At the moment I'm rat-holing on apt package pinning, which doesn't work at all like I expected. Looking like I'm stuck between the Debian snapshot archive and vendoring .deb files (I don't like either).
Eventually this will go out on https://alexsci.com/blog/
I did like the idea of running an OS that is a purpose-built container host, and containers that are stripped as bare as possible, until I thought about it more and realized that that’s supposed to be what a normal OS does with normal software. Zones and jails and cgroups and LX(C|D) were good ideas that we needn’t have reinvented on top.
Outside of that any image can have anything in it.(Docker do sometimes remove actively malicious images if they're notified of them)
If you want an image similar to an existing one, you can often just read the dockerfile and create your own.
Literally this for all of the software and dependencies that I use.
However, without the source code being open source, you cannot really check what anyone is up to -- thus, don't just use any container image on DockerHub
I think it’s a somewhat new product so it may not be too widespread yet, but it seems to work pretty well from my admittedly uninformed perspective.
[1] https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/sca...
[2] https://github.com/trufflesecurity/trufflehog
One very basic example is https://raesene.github.io/blog/2023/04/22/Fun-with-container...
CVEs are one source of information about potential vulnerabilities but they are amongst the least reliable these days. I've heard them being called Curriculum Vitae Enhancer.
And Trivy itself uses more sources than just CVEs as well. With upcoming regulation like the Cyber Resilience Act we'll get even more sources of vulnerabilities. I believe the future will be/should be one of distributed sources for this information. Every vendor might want to be their own authoritative source of vulnerabilities.
This is a long way of saying: Useful tool, congratulations on the launch! I'd suggest a change of name as you limit yourself with the current one.
Do vulnerabilities normally get a patch and are we expecting upcoming regulation to require the patches are installed? If action is required to be taken when vulns are published do we all have to just uninstall the thing until the bug gets fixed, lest we invalidate our corporate insurance policy?
Will I have to cease my current policy of running Trivy, reading the CVE output, and then declaring (and making a git commit saying) “while this stdlib library technically supports CORBA and our OS technically supports IPX, we don’t use CORBA or IPX… or networking… or this library… so I’m ignoring this!”
All I'm saying is that all CVEs are supposed to be vulnerabilities but not all vulnerabilities have a CVE. So, the name artificially limits the scope of the product. Trivy reports more than just CVEs
We recently wrote a document on how we would like to approach our own vulnerability management process. It received a lot of comments and we'll gladly take more:
https://docs.google.com/document/d/1QB3EaimrS0KlL6wIpfY5-SlE...
To answer your questions then :)
> Do vulnerabilities normally get a patch and are we expecting upcoming regulation to require the patches are installed?
Not all vulnerabilities get a patch, it's really up to the project. But this is what the CRA is about. In the commercial context it will require vendors to handle vulnerabilities by e.g. providing patches. And depending on which industry you are in you might also be required to install said patches.
> If action is required to be taken when vulns are published do we all have to just uninstall the thing until the bug gets fixed, lest we invalidate our corporate insurance policy?
I doubt it but it's a good idea to have a good overview of what you're running in your company. This extends to dependencies which might be included in things you're running. That is what SBOMs are meant for. They will be required in the future.
> Will I have to cease my current policy of running Trivy, reading the CVE output, and then declaring (and making a git commit saying) “while this stdlib library technically supports CORBA and our OS technically supports IPX, we don’t use CORBA or IPX… or networking… or this library… so I’m ignoring this!”
No. That is excellent! It will be formalized into a machine readable format. Currently often called a VEX statement: Vulnerability Exploitability Exchange. One popularish format for this is CSAF. But CycloneDX (an SBOM format) can also be used for this.
Having this in a machine readable format makes it easier for users to consume the information.
The tooling for this is not great yet, which is what our document above is about.
Hope it helps.
Happy to chat about this if you're interested. Reach out if you like. Details should be in my profile.
I'm repeating myself but: CVEs are useless. Please don't use them as an equivalent for "vulnerabilities".
Regulators might take a few years to catch up but if I'm able to DDoS my competition with bogus vulnerabilities then people will do just that.
The CRA says that only "exploitable" vulnerabilities have to be fixed and it does accept VEX statements. So that's good. I would have liked to see "exploited" instead of "exploitable" but it's better than nothing.
I assume/hope the US will follow.
There are a number of web/SaaS based vulnerability scanners out there actually :) Snyk's SaaS does it, for example. Free to sign up, free to use. My company's SaaS also provides container scanning with Grype and Trivy. There was another free web-based tool I found a while ago too (forgot the name... will look for it).