Docker Hub has already announced public Log4Shell detection, which is now live on Docker Official Images. But for those of you who are still using older or custom images, there is a way to scan your Docker images for the Apache Log4j2 vulnerability. Let's see how you can do it.
Prerequisites
- Docker
- sudo privileges
Solution
Step 1. Before using the docker scan tool, update Docker to the latest version, because docker scan versions earlier than v0.11.0 do not detect Log4j 2.
- To update Docker on Debian-based distros, run:
sudo apt-get update && sudo apt-get install docker-scan-plugin
- To update Docker on RHEL-based distros, run:
sudo yum install docker-scan-plugin
Otherwise, you can download the docker scan binaries from the official GitHub repo.
Step 2. To verify the docker scan version, run:
sudo docker scan --accept-license --version
Output:
Version v0.12.0
Git commit 2085cc0
Provider: Snyk
If a scan's output contains a string like ORGAPACHELOGGINGLOG4J, your image is probably affected by the Apache Log4j2 vulnerability.
Step 3. Now, here is an example of how to scan an existing Docker image, for instance the hello-world image.
sudo docker scan hello-world
Output:
Testing hello-world
Organization: docker-test
Package manager: linux
Project name: docker image|hello-world
Licenses: enabled
Tested 0 dependencies for known issues, no vulnerable paths found.
Step 4. To get a detailed scan report for your custom Docker image use the following syntax:
sudo docker scan --file DOCKERFILE_PATH DOCKER_IMAGE
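To run the steps above over several images at once and flag any whose report mentions Log4j, here is an added script (not part of the original post). It assumes Docker with docker-scan-plugin v0.11.0 or later, that `sudo docker scan` works as shown above, and that the ORGAPACHELOGGINGLOG4J marker is what the report shows for a hit.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: scan several images with
# `docker scan` and flag any whose report mentions Log4j. Assumes Docker with
# docker-scan-plugin >= v0.11.0 (the first version that detects Log4j 2).
set -eu

# log4j_in_report FILE: succeed (exit 0) if a saved scan report mentions Log4j.
# Matches the ORGAPACHELOGGINGLOG4J marker the post describes and any other
# case-insensitive "log4j" mention, so a hit still needs a human look: it may
# be Log4j 1.x or an already-patched 2.x build rather than a vulnerable one.
log4j_in_report() {
    grep -iq 'log4j' "$1"
}

# scan_image IMAGE DIR: run the scanner, keep the full report in DIR, and print
# a one-line verdict. Returns 0 for a clean scan, 1 when Log4j was mentioned.
scan_image() {
    image="$1"
    dir="$2"
    report="$dir/$(echo "$image" | tr '/:' '__').txt"
    # The scanner exits non-zero whenever it finds any vulnerability; that is
    # expected, so do not let errexit abort the loop here.
    sudo docker scan --accept-license "$image" > "$report" 2>&1 || true
    if log4j_in_report "$report"; then
        echo "LOG4J    $image  (see $report)"
        return 1
    fi
    echo "clean    $image"
}

# main IMAGE...: scan each image, then exit non-zero if any was flagged, so
# the script can act as a gate in a CI job.
main() {
    flagged=0
    outdir="$(mktemp -d)"
    for img in "$@"; do
        scan_image "$img" "$outdir" || flagged=1
    done
    echo "Reports saved under $outdir"
    return "$flagged"
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 IMAGE [IMAGE...]" >&2
fi
```

Run it as `./scan-log4j.sh hello-world myapp:1.0`; a non-zero exit means at least one report mentioned Log4j and should be read in full.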
Conclusion
The most valuable advice is to update your Docker version and keep your images up to date. Feel free to leave a comment below, and if you find this tutorial useful, follow our official channel on Telegram.