ไม่สามารถเล่นวิดีโอนี้
ขออภัยในความไม่สะดวก
Never use a Docker container without doing this first! (And don't create one either!)
ฝัง
- เผยแพร่เมื่อ 16 ส.ค. 2024
- Don't make the mistake of downloading (pulling) a Docker container without first doing this very important security check! So many Docker containers contain software that have CVEs (Common Vulnerabilities and Exposures). And don't create a Docker container without first making sure that the dependencies you use don't have CVEs. Make the world a more secure place by using Docker Scout.
Big thanks to Docker for sponsoring this video!
// Learn more here //
Docker Scout: dockr.ly/4engpsI
Docker www.docker.com/
// PDF //
Docker Scout PDF: davidbombal.wi...
// David's SOCIAL //
Discord: / discord
X: / davidbombal
Instagram: / davidbombal
LinkedIn: / davidbombal
Facebook: / davidbombal.co
TikTok: / davidbombal
TH-cam: / @davidbombal
// MY STUFF //
www.amazon.com...
// MENU //
00:00 - Introduction
00:35 - Docker Scout Demo
04:58 - Key Takeaways
05:52 - Install Docker Desktop
06:16 - Download GIT
08:19 - Launch GIT BASH
09:00 - Open PowerShell
09:26 - Pull and Analyze the Container
10:15 - Advantages of Docker Scout
11:25 - Demo: Finding and Fixing Vulnerabilities
12:42 - Login to Docker Scout
13:44 - Enable Docker Scout
14:18 - Overview
16:15 - Docker Desktop
17:36 - Update Dockerfile
18:10 - Build and Push Updated Docker Container
18:51 - Fixing Vulnerabilities
20:14 - No Recommended Fixes
21:25 - Options for Discovering Vulnerabilities
22:26 - Fixed Vulnerabilities
23:39 - Further Fixes
25:42 - Achieving 100% Compliance
25:59 - The Power of Docker Scout
26:18 - Outro
cve
docker
docker scout
scout
docker hub
docker cve
rust
java
jscript
xss
c
python
#docker #hack #cybersecurity
Don't make the mistake of downloading (pulling) a Docker container without first doing this very important security check! So many Docker containers contain software that have CVEs (Common Vulnerabilities and Exposures). And don't create a Docker container without first making sure that the dependencies you use don't have CVEs. Make the world a more secure place by using Docker Scout.
Big thanks to Docker for sponsoring this video!
// Learn more here //
Docker Scout: dockr.ly/4engpsI
Docker www.docker.com/
// PDF //
Docker Scout PDF: davidbombal.wiki/dockerscoutpdf
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
X: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
TH-cam: www.youtube.com/@davidbombal
// MY STUFF //
www.amazon.com/shop/davidbombal
// MENU //
00:00 - Introduction
00:35 - Docker Scout Demo
04:58 - Key Takeaways
05:52 - Install Docker Desktop
06:16 - Download GIT
08:19 - Launch GIT BASH
09:00 - Open PowerShell
09:26 - Pull and Analyze the Container
10:15 - Advantages of Docker Scout
11:25 - Demo: Finding and Fixing Vulnerabilities
12:42 - Login to Docker Scout
13:44 - Enable Docker Scout
14:18 - Overview
16:15 - Docker Desktop
17:36 - Update Dockerfile
18:10 - Build and Push Updated Docker Container
18:51 - Fixing Vulnerabilities
20:14 - No Recommended Fixes
21:25 - Options for Discovering Vulnerabilities
22:26 - Fixed Vulnerabilities
23:39 - Further Fixes
25:42 - Achieving 100% Compliance
25:59 - The Power of Docker Scout
26:18 - Outro
cve
docker
docker scout
scout
docker hub
docker cve
rust
java
jscript
xss
c
python
#docker #hack #docker
i've often said, just because it runs in a VM doesn't make it safe, when you download a container you are basically bringing a foreign system onto your network
Exactly
I do this job regularly. To be FedRAMP compliant you need to ship vulnerable free image into production environment
Be good if more people do this and are aware of the CVEs found in containers.
Oh the hours I've dumped into being FedRAMP compliant!!!
If docker makes docker scout and then hosts docker images and knows how to fix them and they will work with the fixes and the don't just fix them.... Isn't this kinda like a profit model where they take a moral obligation and sell you the ability to do their job for them?
@@ckckck12Their selling you the scan not the fix. There are plenty of container scanning tools. Hell you don't even need docker for your containers. Its easy to update the packages containing the CVEs
@@LibreGlider my point is that they already know what's wrong with containers but refrain from automating the fixing because it's profitable.
He's talented and deserves respect because he paid his dues. ❤😂
If docker owns docker scout then they know which images are vulnerable. They have a moral obligation to deploy fixes and flaw prevention at their level.
Great PSA David. Thank you!
Thank you!
The issue detailed by the CVE has to be exposed by the container or accessable via services offered by the contained application.
The problem I have is we use one docker image in the entire company. The IT manager isn't going to pay for docker scout.
It sounds like there may be an advancement opportunity in your company soon.:)
This is exactly why I don't like containers. It is too easy to slip in vulnerabilities especially in high use networks.
Brilliant video for developers! Thank you so much David!
Glad you enjoyed it!
Great video. Docker and Docker Scout are great development tools; but nobody has created Zero Trust containers, yet.
(Armored Gate is working on that.)
You might want to disable ClearType when zooming in to UI elements containing text, I really hate the colour fringe that appears when the text does not align with my subpixels.
The fundamental problem today is that container images have unnecessary binaries and libraries in the container. I deal with this every single day and then to make matters worse the licensing of those packages isn't being complied with (GPL). Trivy is better and then use Dive to actually analyze the layers if the image hasn't been squashed. The concept of least privilege needs to be applied to most minimalist packages in a base container OS.
Thanks so much David ❤
You're welcome!
Many thnx, David!
You're welcome!
Thank you for posting
Interesting! Thank you for the information!
Edit: I learn CVE from CompTIA A + core 2 and it's cool!
Glad you liked it! And well done!
Thats great, what's the FOSS option?
There are a few: Clair, Trivy, Anchor, Dragda, and Grype. I think Harbor also has some kind of CVE built-in checking, but it’s been ages last time I used it.
I'm not sure it's usefull: the point of using the original vendor image is to get something stable that has been tested by the vendor. If you're running a custom version, why would you upgrade their image instead of building a new one from scratch?
Vendors need to adapt. I see this happening slowly.
The vendors don't always follow best practices, and they can't release new images every day. Using SBOM to pick up vulnerabilities live without scanning it regularly makes so much sense.
WOW!!! Thanks for this info!!!!! Greatly appreciated!!!
Thanks a lot, David. Fantastic advice and demo👍🏻👍🏻😇
You're welcome! Thank you!
I really like this video as it shows how patient you need to be to understand and then to implement safeguards against CVE's. Linking this to an earlier video where @davidbombal interviewed someone from Cisco; recall eBPF. Apparmor and SELinux could also be leveraged in cases where the operator does not have the privileges to modify the software. My suggestion is more towards safeguarding or CUA till official patch from vendors arrive. Please let me know if there is any other way to proceed.
Scout is a paid, closed-source product by Docker, IIRC. What about talking about open source alternatives like Clair, Trivy, Anchor, Dragda or Grype, to name a few?
You can have up to 3 repos, which are free.
If you watch the video, you'll see that I cover the free and paid options.
this comment was more useful than the video
Very useful advise! Thank you!
You're very welcome :)
Thank you. Very useful video.
Glad it was helpful! 😀
This man is a great salesman
Great tutorial man
!
It's not just vulnerabilities, but also the fact that some images shouldn't be trusted in the first place.
Excellent presentation and valuable information. Thank you
Just a question: Why not to use Chainguard images which provide 0 vulnerability?
But cve are everywhere - only isolation of docker host from rest of infrastructure is a solution - that is - do not use docker locally
What to do when absolutely all containers have CVE ?
It's not possible to have clean containers when all the dependencies are vulnerables, and if you try to fix it, you're going to suffer a lot, just because people are crafting crappy containers and expects you to do their work
Have you used Snyk? How do you think Scout compares?
Muy bueno. Sigue asi David,
I thought I'll find advice for shipping containers😮
😂
Thanks so much sir
You're very welcome :)
Thanks 👍🎉❤
create your own docker image
Does it work for pods?
Where is Mr otw ?
Hi sir, which is better for beginners Kali or parrot?
Either. Most people start with Kali, so I suggest you start there.
@@davidbombal thank you sir I appreciate your help
David,
What do you do before using a large language model you did not create? Is #AI the new spyware from who knows where?
Been an issue for a while now...
Agreed. We definitely need software like Docker Scout to help solve this issue.
Well yeah..containers so the app doesn't get broken by updates to dependencies on the host OS.
No, wait..
Hi David, could you check your email and search Doris to see if you have cooperation intention?
Sir please add the function Hindi language in your TH-cam video please 🙏🙏🙏🙏
You have one video on your channel, and it's not in English. Piss off mate
5:50 NEVER install docker desktop... stick to networking Sir David.
Why not?
I’m learning so much and I was to pull one 😭
Really important to check the containers you pull to make sure they don't have vulnerabilities.
😮
🙂👍
Lol 😂😂😂😂 You do understand nothing hahaha 🤣 You got Skill issues
All the zooming in and out makes the procedure confusing to follow. 🫤
- Mr Boomer