I was hacking containers recently and noticed that Docker started featuring the docker scan command in the docker build output. I've been ignoring its existence for a while, so evidently it was time to finally try it out.
Scanning official Python images
The docker scan command uses a third-party tool called Snyk Container. Apparently, it's some sort of a vulnerability scanner. So, I decided, mostly for the sake of fun, to scan one of my images. And it just so happened that it was a fairly basic thing:
    # latest stable at the time
    FROM python:3.9

    RUN pip install Flask

    COPY server.py server.py

    ENV FLASK_APP=server.py
    ENV FLASK_RUN_PORT=5000
    ENV FLASK_RUN_HOST=0.0.0.0

    EXPOSE 5000

    CMD ["flask", "run"]
I built it with

    docker build -t python-flask .

and then ran

    docker scan python-flask

To my utter surprise, the output was huge! Here is just an excerpt: