Enable Vulnerability Scanning in Docker Hub

With our images in Docker Hub, we now enable Vulnerability Scanning for our Repos, which scans the images with Snyk to identify security issues present in them.

Step 1: Navigate to your Image Repo in Docker Hub

Pushing the images into Docker Hub created a Repository for each one. Image Vulnerability Scanning is enabled per Repository, and the scan status is shown in the Repository list.

Docker Hub displays the Image Scan Status

Click into any Image Repository in your Docker Hub.

Step 2: Enable Image Scanning for your Repository

Navigate to the Repository settings, then click the button to enable Vulnerability Scanning.

You need at least a Docker Hub Pro Plan to enable Vulnerability Scanning.

Enable Image Scanning in the Repo Settings

Re-push your Images to Docker Hub to perform the initial scan.

# Push the image again to scan for the first time.
docker push $DockerId/docker-goof

Back in the General tab, the Vulnerability counts now show for each tag.

Step 3: Review the Snyk Scan results in Docker Hub

How long scans take to complete depends on the size of your Container Image.

Clicking any of the numbers will take you to the Vulnerabilities section for that Image Tag.

Each vulnerability line item contains information such as its severity score, vulnerability description, CVE, the package and version that introduced it, and, if available, the package version where the vulnerability was fixed. Each line item also shows:

  • [Red] Information around how the package was introduced.

  • [Blue] A Link to the Snyk Intel Database, with more information about the Vulnerability.

Clicking the Blue icon will take you to the vulnerability in Snyk's Vulnerability Database.

Now, each time a new Image Tag is pushed to the Repository, it will be scanned and the vulnerability counts for the Tag will be updated. In the next section, we'll use the Docker CLI to review upgrade guidance and tackle these vulnerabilities.