Skip to main content

Docker Image Analysis

Lifecycle analyzes the application layer of an image to discover the open-source components your application depends on. For a full scan of the container image including the OS layer, refer to Sonatype Container Security.

The steps to running an analysis of a Docker image are as follows.

  1. Use the docker client to save the image as a tar file

    See the following on installing the Docker client

  2. Run an analysis with a Lifecycle integration

    The scanner uses the Docker algorithm to analyze which files are added or deleted from each layer to determine the composition of the image. The application layer contents are passed to Lifecycle for evaluation.

  3. Review the report generated in Lifecycle

Difference with the Docker Image Analysis

  • The docker analysis results are similar to the build scan for most ecosystems however any additional packages found in the environment, brought in by the docker image, are also analyzed. These results may be outside of the scope for the development team to remediate.

  • While analyzing the container before deployment is a best practice, some results are not as accurate when analyzing outside of the build context. The build manifests and OSS pedigree are lost while open-source components are obfuscated during the final application packaging. Refer to the various ecosystem analysis pages for guidance on the optimum time to perform an analysis.

Inspecting images hosted in Nexus Repository 3

The Docker client is used to pull and save an image from any repository; including Nexus Repository 3.

Inspecting containers running in OpenShift, Kubernetes, or Rancher

Sonatype Container is used to analyze containers running on these platforms. The Docker analysis may be used to pull, save, and evaluate images outside of the runtime environment. Ideally, Lifecycle would evaluate the image before it is deployed.

Analysis using the CLI

The Sonatype CLI relies on the Docker daemon to package the image as an archive file.

  1. Bring the image into the local environment

    docker pull webgoat/webgoat-7.1

  2. Save the image as a tar file

    docker save webgoat/webgoat-7.1:latest > webgoat-7.1.tar

  3. Run the analysis from the Sonatype CLI

    java -jar ./nexus-iq-cli.jar -i appid -s http://localhost:8070 -a admin:password -t build webgoat-7.1.tar

Review the Sonatype CLI documentation for details on running a scan.

Opening the Component Details Page for a component, and then selecting the Occurrences tab, you’ll see the tar file path, with a long hash, and then a layer.tar.

Analysis with Jenkins CI

The following example is a pipeline project in Jenkins that pulls an image from Docker Hub and starts a Lifecycle evaluation. You need a running instance of Jenkins with the Sonatype Platform plugin to run policy evaluations. Specify an agent node that has Docker installed. This example uses the webgoat-7.1 image

  1. Open Jenkins, and create a new pipeline project. In the Pipeline section, enter the following script:

    node {
    stage('Build/Pull') {
        sh "rm -f ${env.WORKSPACE}/*.tar"
        sh 'docker pull webgoat/webgoat-7.1'
        sh "docker save webgoat/webgoat-7.1 -o ${env.WORKSPACE}/webgoat-7.1.tar"
    }
    stage('IQ Evaluation') {
        nexusPolicyEvaluation (
            failBuildOnNetworkError: false, 
            iqApplication: 'dockerapp',
            iqScanPatterns: [[scanPattern: '*.tar']],
            iqStage: 'release',
            jobCredentialsId: ''
        )
    }
}

  2. Save the pipeline script and then launch the build in Jenkins.

Webhook Listener

Analysis of images may be triggered using a webhook listener after a build is pushed to Docker Hub or Nexus Repository 3. This may be a solution when you don’t have access to your CI build process.

See the community project for using the Webhook Listener.