
Docker Scout - Docker's official vulnerability and policy scanner [Unraid Security]



Docker recently released Docker Scout.

I think it would be interesting at least to have the scout-cli already included in Unraid by default. A step further would be an additional page in Unraid to see a report of the vulnerabilities found; the command line is pretty simple and the output could be easily formatted for a web interface.

https://docs.docker.com/scout/

https://github.com/docker/scout-cli

https://docs.docker.com/scout/dashboard (this is only Docker Hub, doesn't apply, just interesting)


@primeval_god I think it might be of your interest since you are already adding the compose packages via plugin, although official support would be ideal


Edited by L0rdRaiden
Link to comment
3 hours ago, primeval_god said:

This looks like a tool for docker images developers. I am not sure of how much utility it would be for unRAID users.


It's a tool that can give you all the vulnerabilities and misconfigurations of the local images.

It's meant for devs in an enterprise environment, because enterprises don't use the docker CLI in production or preprod environments, but since unRAID does, we can use it to have this information about the security vulnerabilities of the images used by the containers.

Link to comment

Right, but the things it reports aren't things that the user can do anything about (unless they are willing to build their own docker images, that is). Its primary audience would be the developers who build the images. The majority of unRAID users aren't building their own images, or even getting them from Docker Hub I would wager; they are using what is available in CA.

Link to comment
On 11/8/2023 at 9:42 PM, primeval_god said:

Right, but the things it reports aren't things that the user can do anything about (unless they are willing to build their own docker images, that is). Its primary audience would be the developers who build the images. The majority of unRAID users aren't building their own images, or even getting them from Docker Hub I would wager; they are using what is available in CA.


Unraid's apps catalog contains many dead projects, abandoned images, etc., mainly because you are forced to use docker run instead of compose, so people in the community in many cases have made custom images to overcome Unraid's limitations, like when a project needs more than 1 image to work; any project like this requires a custom unofficial image to be an app in Unraid's catalog.


The reports are useful to understand the vulnerabilities of the images and act on it; you can do a lot, like using another image or not using it at all, because it is a service that you have published on the internet and is vulnerable to a remote attack.


Link to comment
  • 1 month later...
  • 5 months later...

I would like to use this plugin to scan for vulnerabilities

As a result I would like to uninstall them if they have too many open unsolved issues, or maybe contact the developers to inform them about it.

This type of security scan should be available inside a basic toolbox of every unRaid user.


Another thing is... As soon as you put any of the containers in an Internet-reachable environment, then every script kiddie can do the scout scan of the unRaid container by themselves and use the list of CVEs to hack your services easily.


A perfect solution would be to see the scan results of the scout before you even install the container and to warn the user if an updated container includes new vulnerabilities.

Edited by HelixX23
misspelling in autocorrection
Link to comment
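Two ideas in this thread (formatting the scout output for a web interface, and warning when an updated image brings in new CVEs) can be prototyped on the scanner's machine-readable output. The following is an added example, not code from Docker Scout or Unraid: it assumes that a report was saved as SARIF (Docker Scout's `cves --format sarif` output, not shown in the thread) and relies only on the standard SARIF fields `ruleId`, `level` and `message.text`; the two reports below are constructed stand-ins for an old and a new scan of the same image tag.

```python
import json
from collections import Counter

# Constructed SARIF-style reports standing in for two scans of one image tag,
# as saved by e.g. `docker scout cves IMAGE --format sarif --output FILE`.
# Only standard SARIF fields (ruleId, level, message.text) are relied on.
OLD_SCAN = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "CVE-2023-0001", "level": "error", "message": {"text": "libfoo 1.0"}},
    {"ruleId": "CVE-2023-0002", "level": "warning", "message": {"text": "libbar 2.1"}},
]}]})
NEW_SCAN = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "CVE-2023-0002", "level": "warning", "message": {"text": "libbar 2.1"}},
    {"ruleId": "CVE-2023-0003", "level": "error", "message": {"text": "libbaz 0.9"}},
    {"ruleId": "CVE-2023-0003", "level": "error", "message": {"text": "libbaz 0.9 (dup)"}},
]}]})

LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


def load_findings(sarif_text):
    """Map each rule id (CVE) to its highest SARIF level across all runs.

    A CVE may be listed once per affected package; keep the worst level."""
    findings = {}
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            cve = res.get("ruleId")
            if not cve:
                continue
            lvl = res.get("level", "warning")  # SARIF default is "warning"
            if LEVEL_RANK.get(lvl, 0) >= LEVEL_RANK.get(findings.get(cve, "none"), 0):
                findings[cve] = lvl
    return findings


def diff_scans(old_text, new_text):
    """Summary suitable for a status page: per-level counts plus the delta."""
    old, new = load_findings(old_text), load_findings(new_text)
    return {
        "introduced": sorted(set(new) - set(old)),
        "fixed": sorted(set(old) - set(new)),
        "summary": dict(Counter(new.values())),
    }


def update_warning(old_text, new_text, block_levels=("error",)):
    """True when the updated image introduces a CVE at a blocking level."""
    new = load_findings(new_text)
    return any(new[c] in block_levels for c in diff_scans(old_text, new_text)["introduced"])


if __name__ == "__main__":
    print(json.dumps(diff_scans(OLD_SCAN, NEW_SCAN), indent=2))
```

Feeding real reports into `diff_scans` gives the "updated container adds new vulnerabilities" check before the new tag is pulled into production.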
