In this challenge, you will need to scan an image for vulnerabilities using Docker Scout, identify the most severe ones, and produce a new version of the image with fewer vulnerabilities in it.
Prerequisites
Docker Scout expects your Docker installation to be authenticated with Docker Hub.
You can log in using the docker login command with a test Docker Hub account and a limited-scope access token (Public Repo Read-only) that you can easily generate specifically for this challenge.
Usage of personal and especially production Docker Hub accounts is strongly discouraged.
When you're done with the challenge, don't forget to log out with docker logout, or simply terminate the playground VM.
Build the image
The directory ~/scout-demo-service contains a vulnerable Node.js application that you can use to follow along.
Move into the directory and build the image locally with the tag scout-demo:v1.
Analyze image vulnerabilities
After building the image, use the docker scout CLI command to see the vulnerabilities detected by Docker Scout.
This challenge uses a vulnerable version of Express and an outdated base image.
Hint 1
It's an easy one: docker scout cves --help is your friend.
Hint 2
You can narrow down the results by filtering by package name with docker scout cves scout-demo:v1 --only-package express.
Fix application vulnerabilities
Can you rebuild the image using a slimmer base image, upgrading your package.json dependencies along the way, so that the new image has fewer vulnerabilities?
- Use a slimmer or more recent version of the current base image that includes fewer vulnerabilities.
- Update the vulnerable express dependency to a specific patched version or later.
- Build a new image with the name scout-demo:v2.
Hint 3
Use a more recent version of the base image, such as:
- FROM alpine:3.14
+ FROM alpine:3.19
Hint 4
Update the package.json file with the new express version.
"dependencies": {
- "express": "4.17.1"
+ "express": "4.17.3"
}
Analyze the new image
Congratulations! If you analyze the new image for CVEs again, you'll see that several vulnerabilities have been fixed.
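A small script, added here and not part of the challenge, that runs the v1 and v2 scans described above, keeps a SARIF report of each, and lists which CVE IDs the rebuild fixed and which remain. It assumes the docker scout cves command supports the --format sarif, --output, --exit-code and --only-severity flags (real CLI flags not shown on this page) and that each SARIF result stores its CVE ID in the standard "ruleId" field.

```shell
#!/bin/sh
# Added example, not part of the challenge: scan scout-demo:v1 and scout-demo:v2
# with Docker Scout, keep SARIF reports of both, and list which CVE IDs were
# fixed by the rebuild and which remain. Assumes docker scout cves supports
# --format sarif, --output, --exit-code and --only-severity, and that each
# SARIF result stores its CVE ID in the standard "ruleId" field.
set -eu

# Scan one image tag and write the SARIF report to the given path.
scan_to_sarif() {
    docker scout cves "$1" --format sarif --output "$2"
}

# Sorted, de-duplicated ruleId values (CVE IDs) from a SARIF file; plain
# grep/sed so the script has no jq dependency.
cve_ids() {
    grep -o '"ruleId"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
        | sed 's/.*"\([^"]*\)"$/\1/' \
        | sort -u
}

# CVE IDs in the first report but not in the second: fixed by the rebuild.
# IDs from the second report are emitted twice, so uniq -u keeps only the
# IDs that occur exactly once, i.e. those unique to the first report.
fixed_cves() {
    { cve_ids "$1"; cve_ids "$2"; cve_ids "$2"; } | sort | uniq -u
}

# CVE IDs present in both reports: still open after the rebuild.
remaining_cves() {
    { cve_ids "$1"; cve_ids "$2"; } | sort | uniq -d
}

# CI-style gate: Docker Scout exits with status 2 when critical or high
# severity CVEs remain in the image, which fails the script under set -e.
gate_high_severity() {
    docker scout cves "$1" --exit-code --only-severity critical,high
}

# Usage: RUN_SCOUT_DEMO=1 sh scout-compare.sh (needs Docker and a Docker Hub login)
if [ "${RUN_SCOUT_DEMO:-0}" = 1 ]; then
    scan_to_sarif scout-demo:v1 v1.sarif
    scan_to_sarif scout-demo:v2 v2.sarif
    echo "Fixed in v2:";   fixed_cves v1.sarif v2.sarif
    echo "Still present:"; remaining_cves v1.sarif v2.sarif
    gate_high_severity scout-demo:v2
fi
```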
What's next?
There's a lot more to discover in Docker Scout, from third-party integrations, to policy customization, and runtime environment monitoring in real-time.
Check out the following sections: