
Scan Docker images for Apache Log4j2 vulnerability

Dec 20, 2021 · 1 min read

Docker Hub has already announced Log4Shell (CVE-2021-44228) detection, which is now live for the Docker Official Images. But if you are still running old or custom images, you can scan them yourself for the Apache Log4j 2 vulnerability with the docker scan plugin. Let’s see how you can do it.

Prerequisites

  • Docker
  • sudo privileges

Solution

Step 1. Before using the docker scan tool, update the scan plugin to the latest version: docker scan versions earlier than v0.11.0 do not detect the vulnerable Log4j 2 packages, so an older plugin will report a clean image even when log4j-core is present.

  • To install or update the scan plugin on Debian-based distros, run:
    sudo apt-get update && sudo apt-get install docker-scan-plugin
    
  • To install or update the scan plugin on RHEL-based distros, run:
    sudo yum install docker-scan-plugin
    
    

Otherwise, you can download the docker scan binaries from the official GitHub repo (docker/scan-cli-plugin).

Step 2. To verify the docker scan version, run:

sudo docker scan --accept-license --version

Output:

Version     v0.12.0
Git commit  2085cc0
Provider:   Snyk

Make sure the version shown is v0.11.0 or later. Later, when you scan an image (steps 3 and 4), a finding whose Snyk advisory ID contains the string ORGAPACHELOGGINGLOG4J means the scanner identified a vulnerable org.apache.logging.log4j package in that image, and the application inside it is most likely affected by the Log4j 2 vulnerability.

Step 3. Now, here is an example of how to scan an existing Docker image, using the hello-world image:

sudo docker scan hello-world

Output:

Testing hello-world

Organization:     docker-test
Package manager:  linux
Project name:     docker image|hello-world
Licenses:         enabled

Tested 0 dependencies for known issues, no vulnerable paths found.

Step 4. The hello-world image ships no packages at all, so the scan above only confirms that the tool runs. To get a meaningful, detailed report for your own custom image, pass its Dockerfile as well; the scanner can then attribute each finding either to the base image or to the layers you added:

sudo docker scan --file DOCKERFILE_PATH DOCKER_IMAGE
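The steps above are what you would type by hand for one image. As an added example (not code from the original post), the script below wraps the same docker scan invocation in a loop over several images and flags any report that mentions the ORGAPACHELOGGINGLOG4J package identifier, printing the log4j-core versions found. The two sample reports embedded in it are constructed to look like docker scan's text output so the matching logic can be exercised without Docker or network access; the image names you pass on the command line are your own.

```shell
#!/bin/sh
# Added example, not from the original post: run `docker scan` over several
# images and flag any report that references the org.apache.logging.log4j
# Snyk package identifier (ORGAPACHELOGGINGLOG4J). Nothing is scanned unless
# image names are passed on the command line.

# Constructed sample reports, shaped like docker scan's text output, used only
# to exercise the matching functions offline.
SAMPLE_VULNERABLE='Testing example/app:1.0...

High severity vulnerability found in org.apache.logging.log4j:log4j-core
  Description: Remote Code Execution (RCE)
  Info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720
  Introduced through: org.apache.logging.log4j:log4j-core@2.14.1
  From: org.apache.logging.log4j:log4j-core@2.14.1
  Fixed in: 2.15.0

Tested 57 dependencies for known issues, found 1 issue.'

SAMPLE_CLEAN='Testing hello-world

Tested 0 dependencies for known issues, no vulnerable paths found.'

# Exit 0 if the report names a Log4j 2 advisory, 1 otherwise.
log4j_affected() {
    printf '%s\n' "$1" | grep -q 'ORGAPACHELOGGINGLOG4J'
}

# Print the distinct log4j-core versions the report says are present.
log4j_versions() {
    printf '%s\n' "$1" \
        | sed -n 's/.*org\.apache\.logging\.log4j:log4j-core@\([0-9][0-9.]*\).*/\1/p' \
        | sort -u
}

# Scan each image given as an argument and print one verdict line per image.
# docker scan exits non-zero when it finds issues (like the Snyk CLI underneath),
# so the report is captured regardless of the exit status.
scan_images() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found in PATH" >&2; return 1; }
    for img in "$@"; do
        report=$(docker scan --accept-license "$img" 2>&1) || true
        if log4j_affected "$report"; then
            printf 'VULNERABLE %s log4j-core %s\n' "$img" "$(log4j_versions "$report" | tr '\n' ' ')"
        else
            printf 'clean      %s\n' "$img"
        fi
    done
}

# Usage: sh scan-log4j.sh myregistry/app:1.2 hello-world
[ $# -eq 0 ] || scan_images "$@"
```

Run it as root or with sudo, like the commands in the steps above, so docker scan can talk to the daemon. A "clean" verdict from this script only means the scanner did not identify a log4j advisory in the packages it could see; an application that bundles log4j classes in ways the scanner cannot attribute to a package still needs to be checked by hand.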

Conclusion

The most valuable advice is to keep the docker scan plugin current and to keep your images up to date, rebuilding them on a patched Log4j 2 release rather than relying on scans alone. Feel free to leave a comment below, and if you find this tutorial useful, follow our official channel on Telegram.