How to use docker scout compare command to analyze image differences

Introduction

In this lab, you will learn how to effectively use the docker scout compare command to analyze the differences between two Docker images. This process is crucial for understanding changes in vulnerabilities, packages, and other image components across different versions or builds.

Through hands-on exercises, you will explore comparing images with default settings, ignoring base image vulnerabilities, filtering results by severity and package type, and generating a markdown report of the comparison results. By the end of this lab, you will be proficient in using docker scout compare to gain valuable insights into your container image security and composition.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL docker(("Docker")) -.-> docker/ContainerOperationsGroup(["Container Operations"]) docker(("Docker")) -.-> docker/ImageOperationsGroup(["Image Operations"]) docker(("Docker")) -.-> docker/DockerfileGroup(["Dockerfile"]) docker/ContainerOperationsGroup -.-> docker/ls("List Containers") docker/ImageOperationsGroup -.-> docker/pull("Pull Image from Repository") docker/ImageOperationsGroup -.-> docker/images("List Images") docker/DockerfileGroup -.-> docker/build("Build Image from Dockerfile") subgraph Lab Skills docker/ls -.-> lab-555200{{"How to use docker scout compare command to analyze image differences"}} docker/pull -.-> lab-555200{{"How to use docker scout compare command to analyze image differences"}} docker/images -.-> lab-555200{{"How to use docker scout compare command to analyze image differences"}} docker/build -.-> lab-555200{{"How to use docker scout compare command to analyze image differences"}} end

Compare two images with default settings

In this step, you will learn how to compare two Docker images using a vulnerability scanning tool. Comparing images is crucial for identifying security risks and understanding the differences between different versions or builds of your container images. We will use a tool called trivy for this purpose. trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts.

First, let's install trivy. Since trivy is not pre-installed in the LabEx environment, you need to download and install it.

sudo apt-get update
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) stable main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy

The commands above first update the package list, then install necessary dependencies for adding a new repository. After that, it downloads the public key for the trivy repository and adds it to your system's trusted keys. Finally, it adds the trivy repository to your sources list, updates the package list again, and installs trivy.

Now that trivy is installed, let's pull the Docker images we want to compare. We will compare two different versions of the ubuntu image: ubuntu:20.04 and ubuntu:22.04.

docker pull ubuntu:20.04
docker pull ubuntu:22.04

These commands pull the specified ubuntu image versions from Docker Hub. You should see output indicating the download progress and successful pulling of the images.

Now, we can use trivy to compare these two images. The basic command to compare two images is trivy image --diff-image [image1] [image2].

trivy image --diff-image ubuntu:20.04 ubuntu:22.04

This command will analyze both ubuntu:20.04 and ubuntu:22.04 and report the differences in vulnerabilities found between the two images. The output will show vulnerabilities that are present in one image but not the other, or vulnerabilities with different severities. This helps you understand how upgrading or changing image versions might impact your security posture.

The output will list vulnerabilities categorized by severity (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL). It will show vulnerabilities that were added in the second image (ubuntu:22.04 in this case) compared to the first (ubuntu:20.04), and vulnerabilities that were removed.

Compare images and ignore base image vulnerabilities

In the previous step, we compared two ubuntu images and saw the differences in vulnerabilities. Sometimes, when comparing images, you might be interested in the vulnerabilities introduced by your application code or dependencies, rather than the vulnerabilities inherited from the base image. trivy allows you to ignore vulnerabilities that are present in a specified base image.

To demonstrate this, let's first create a simple Dockerfile that uses ubuntu:20.04 as the base image and adds a simple file.

Navigate to your project directory:

cd ~/project

Create a file named Dockerfile using nano:

nano Dockerfile

Paste the following content into the Dockerfile:

FROM ubuntu:20.04
RUN echo "This is a test file" > /app/test.txt

Save the file and exit nano (Ctrl+X, Y, Enter).

This Dockerfile is very simple. It starts from the ubuntu:20.04 image and then runs a command to create a file named test.txt inside an /app directory.

Now, let's build a Docker image from this Dockerfile. We will tag it as my-ubuntu-app:latest.

docker build -t my-ubuntu-app:latest .

The docker build command builds an image from a Dockerfile. The -t my-ubuntu-app:latest flag tags the image with the name my-ubuntu-app and the tag latest. The . at the end specifies that the Dockerfile is in the current directory. You should see output indicating the build process and successful creation of the image.

Now we have two images: ubuntu:20.04 (the base image) and my-ubuntu-app:latest (the image built on top of the base image). We can compare my-ubuntu-app:latest with ubuntu:20.04 and ignore the vulnerabilities that are already present in ubuntu:20.04. This will show us only the vulnerabilities introduced by the changes in our Dockerfile.

We use the --ignore-base flag with the trivy image command to achieve this.

trivy image --ignore-base --diff-image ubuntu:20.04 my-ubuntu-app:latest

This command compares my-ubuntu-app:latest to ubuntu:20.04 but only reports vulnerabilities that are present in my-ubuntu-app:latest and not in ubuntu:20.04. Since our Dockerfile only added a simple file and didn't install any new packages, you should see very few or no new vulnerabilities reported compared to the previous step's output. This demonstrates how --ignore-base helps focus on the security impact of your application layer.

Compare images and filter by severity and package type

In the previous steps, we performed basic image comparisons. However, the output can sometimes be very detailed, especially for images with many vulnerabilities. trivy allows you to filter the results based on severity level and package type, which helps you focus on the most critical issues or specific types of vulnerabilities.

Let's compare ubuntu:20.04 and ubuntu:22.04 again, but this time we will filter the results to only show vulnerabilities with a severity of HIGH or CRITICAL. This is useful when you want to prioritize fixing the most severe vulnerabilities.

We use the --severity flag to specify the minimum severity level to report. You can provide a comma-separated list of severity levels.

trivy image --diff-image ubuntu:20.04 ubuntu:22.04 --severity HIGH,CRITICAL

This command will compare the two ubuntu images and only display vulnerabilities that are classified as HIGH or CRITICAL in either image. You will notice that the output is much shorter than the default comparison, as it excludes vulnerabilities with lower severity levels (UNKNOWN, LOW, MEDIUM).

Besides filtering by severity, you can also filter by the type of package where the vulnerability was found. trivy can scan for vulnerabilities in operating system packages (like those installed via apt, yum, etc.) and application dependencies (like libraries used by your code).

Let's compare the images again, but this time we will only look for vulnerabilities in operating system packages. We use the --vuln-type flag for this.

trivy image --diff-image ubuntu:20.04 ubuntu:22.04 --vuln-type os

This command will compare the two images and only report vulnerabilities found in the operating system packages. This is helpful if you are primarily concerned with the security of the base operating system layer of your image.

You can also combine these filters. For example, to see only HIGH or CRITICAL vulnerabilities in operating system packages:

trivy image --diff-image ubuntu:20.04 ubuntu:22.04 --severity HIGH,CRITICAL --vuln-type os

This command provides a more focused view of the most severe vulnerabilities within the operating system layer of your images. Filtering helps you manage the output and prioritize your security efforts effectively.

Compare images and generate a markdown report

In the previous steps, we viewed the vulnerability comparison results directly in the terminal. While this is useful for quick checks, you often need to save the results in a structured format for reporting, documentation, or further analysis. trivy supports various output formats, including markdown.

Generating a markdown report is useful because markdown is a lightweight markup language that is easy to read and can be easily converted to other formats like HTML or PDF.

To generate a markdown report of the image comparison, we use the --format flag and specify markdown. We also redirect the output to a file using the > operator.

Let's compare ubuntu:20.04 and ubuntu:22.04 again and save the output to a markdown file named comparison_report.md in your ~/project directory.

trivy image --diff-image ubuntu:20.04 ubuntu:22.04 --format markdown > ~/project/comparison_report.md

This command performs the same comparison as in the first step but formats the output as markdown and saves it to the specified file. You won't see the output directly in the terminal this time.

After the command finishes, you can view the generated markdown file using cat or nano.

cat ~/project/comparison_report.md

This command will display the content of the comparison_report.md file in your terminal. You should see the vulnerability comparison results formatted using markdown syntax, including headings, lists, and tables.

You can also open the file with nano to view it in a text editor:

nano ~/project/comparison_report_markdown.md

Remember to exit nano after viewing the file (Ctrl+X).

Generating reports in different formats like markdown allows you to easily share the vulnerability information with others or integrate it into your existing reporting workflows. This is a crucial step in incorporating security scanning into your development and deployment pipelines.

Summary

In this lab, you learned how to use the trivy tool to compare two Docker images. You began by installing trivy in the LabEx environment, which involved adding the trivy repository and installing the package using apt. After installation, you pulled two different versions of the ubuntu image, ubuntu:20.04 and ubuntu:22.04, from Docker Hub. Finally, you executed the basic trivy image --diff-image command to compare these two images and analyze the differences in their vulnerabilities and packages.