Last summer I launched vulnerablecontainers.org to help shed light on the number of vulnerabilities in the 1,000 most popular containers on Docker Hub. While it was an interesting project, right after I launched it I had multiple people ask if it was able to scan other public containers. Initially it wasn't, but I wanted to offer the ability, so over the last two weeks I decided not to sleep and built my first API, which I am publicly releasing today.
scan.vulnerablecontainers.org is an open Python API built using Trivy, Flask, Gunicorn, and Nginx that for now has two public endpoints (more endpoints and tools are coming). From the start, I designed it to be easy to use in the browser or on the command line, for integration with CI/CD.
Trivy Scan Report
The most useful endpoint returns a Trivy report of all open vulnerabilities in the container image and is available at:
https://scan.vulnerablecontainers.org/scan?name=
Usage Example:
https://scan.vulnerablecontainers.org/scan?name=centos:6.6
Example Output:
CVE List
This endpoint returns a list of open CVEs for the container image and is available at:
https://scan.vulnerablecontainers.org/cves?name=
Usage Example:
https://scan.vulnerablecontainers.org/cves?name=centos:6.6
Example Output:
Advanced Usage:
- While it defaults to Docker Hub, the endpoint will also work on images from other public registries.
- Designed with CI/CD in mind, so it is CLI friendly. Quote the URL so the shell does not treat the ? as a glob character:
- Example:
curl 'https://scan.vulnerablecontainers.org/scan?name=ubuntu:19.04'
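The CI/CD use above is just a curl call; to turn it into a build gate you need to decide what to do with the report. The following script is an added example, not code from the post or the project. It assumes the /scan endpoint returns Trivy's JSON report (either the bare list of targets Trivy originally emitted or the later object with a "Results" list; both are handled), percent-encodes the image reference so registry paths and digests survive the query string, and fails the build when any vulnerability is at or above a chosen severity. The embedded sample report and its CVE identifiers are constructed placeholders for exercising the gate offline, not real advisories.

```python
"""CI gate for the scan.vulnerablecontainers.org /scan endpoint.

Added example; assumes the endpoint returns Trivy's JSON report format.
"""
import json
import sys
import urllib.parse
import urllib.request

BASE_URL = "https://scan.vulnerablecontainers.org"  # from the post
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def report_url(image, base_url=BASE_URL):
    """Build the /scan URL, percent-encoding the image reference.

    Registry paths contain '/' and digests contain '@' and ':', so the name is
    run through urlencode instead of being pasted into the query string.
    """
    return f"{base_url}/scan?{urllib.parse.urlencode({'name': image})}"


def fetch_report(image, base_url=BASE_URL, timeout=180):
    """Fetch and decode the report (assumed JSON). The timeout is generous
    because the post warns an uncached scan can take up to ~120 seconds."""
    with urllib.request.urlopen(report_url(image, base_url), timeout=timeout) as resp:
        return json.load(resp)


def iter_vulnerabilities(report):
    """Yield (target, vuln) pairs from either Trivy report shape.
    Trivy emits null instead of [] for a target with no findings, hence `or []`."""
    targets = report.get("Results", []) if isinstance(report, dict) else report
    for target in targets:
        for vuln in target.get("Vulnerabilities") or []:
            yield target.get("Target", "?"), vuln


def count_by_severity(report):
    """Count findings per severity; unexpected labels are kept rather than dropped."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for _, vuln in iter_vulnerabilities(report):
        sev = str(vuln.get("Severity", "UNKNOWN")).upper()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def failing_vulns(report, threshold="HIGH"):
    """Return (target, id, package, severity) for findings at or above threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [
        (target, vuln["VulnerabilityID"], vuln.get("PkgName"), vuln["Severity"])
        for target, vuln in iter_vulnerabilities(report)
        if SEVERITY_RANK.get(str(vuln.get("Severity", "UNKNOWN")).upper(), 0) >= floor
    ]


# Constructed sample in Trivy's original list shape. The CVE identifiers are
# placeholders, not real advisories; they only exist to exercise the gate.
SAMPLE_REPORT = [
    {
        "Target": "example:tag (debian 9.9)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "LOW"},
        ],
    },
    {"Target": "example:tag (clean layer)", "Vulnerabilities": None},
]


def main(argv):
    """usage: gate.py IMAGE [THRESHOLD]   or   gate.py --sample [THRESHOLD]"""
    if len(argv) < 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    report = SAMPLE_REPORT if argv[1] == "--sample" else fetch_report(argv[1])
    print("findings by severity:", count_by_severity(report))
    failing = failing_vulns(report, threshold)
    for target, cve, pkg, sev in failing:
        print(f"FAIL {sev:8} {cve} in {pkg} ({target})")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py ubuntu:19.04 HIGH` in a pipeline step; a non-zero exit blocks the build. `--sample` runs the same logic against the embedded report without touching the network, which is also how you would sanity-check the gate before pointing it at a beta service.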
Closing Notes:
- This is a work in progress and is in EARLY beta. Please do not build it into production systems.
- The API will only work on containers built from Alpine, RHEL, CentOS, Oracle Linux, SUSE, Amazon Linux, Debian, Ubuntu, and Photon OS base images (the distributions Trivy can detect).
- I have attempted to implement some caching, but it may still take up to 120 seconds to return results.
- I will release the source code, a Docker container, and a build guide after some more testing and, hopefully, after adding more endpoints.
- Notice something broken? Please let me know on Twitter: @JGamblin