Easy, Β onΒ  Containers,Β Security Submissions: 25/103

In this challenge, you will need to scan an image for vulnerabilities using Docker Scout, identify the most severe ones, and produce a new version of the image with fewer vulnerabilities in it.


Docker Scout expects your Docker installation to be authenticated with Docker Hub. You can log in using the docker login command with a test Docker Hub account and a limited-scope access token (Public Repo Read-only) that you can easily generate specifically for this challenge. Usage of personal and especially production Docker Hub accounts is strongly discouraged.

When you're done with the challenge, don't forget to log out with docker logout. Or simply terminate the playground VM πŸ˜‰

Build the image

The directory ~/scout-demo-service contains a vulnerable Node.js application that you can use to follow along. Move into the directory and build the image locally with the tag scout-demo:v1.

Analyze image vulnerabilities

After building the image, use the docker scout CLI command to see vulnerabilities detected by Docker Scout. This challenge uses a vulnerable version of Express and an outdated base image.

Hint 1 πŸ’‘

It's an easy one - docker scout cves --help is your friend.

Hint 2 πŸ’‘

You can narrow down the results by filtering by package name with docker scout cves scout-demo:v1 --only-package express

Fix application vulnerabilities

Can you rebuild the image using a slimmer base image and upgrading your package.json dependencies on the way so that the new image has fewer vulnerabilities?

  1. Use a slimmer or a most recent version of the current base image that includes fewer vulnerabilities.
  2. Update the underlying vulnerable express version to a specific version or later.
  3. Build a new image with name scout-demo:v2.
Hint 3 πŸ’‘

Use a more recent version of the base image, such as:

- FROM alpine:3.14
+ FROM alpine:3.19
Hint 4 πŸ’‘

Update the package.json file with the new express version.

   "dependencies": {
-    "express": "4.17.1"
+    "express": "4.17.3"

Analyze the new image

πŸŽ‰ Congratulations! If you analyze the new image for CVEs again, you'll see that several vulnerabilities have been fixed.

What's next?

There's a lot more to discover in Docker Scout, from third-party integrations, to policy customization, and runtime environment monitoring in real-time.

Check out the following sections:

Categories:Β Containers,Β Security
Discussion:Β  Discord

Level up your server-side game β€” Join 7,000 engineers who receive insightful learning materials straight to their inbox