Docker Hub has already announced public Log4Shell detection, which is now live on Docker Official Images. But for those of you who are still using old or custom images, there is a way to scan your Docker images for the Apache Log4j 2 vulnerability. Let's see how you can do it.
- sudo privileges
Step 1. Before using the docker scan tool, update your Docker installation (specifically the docker scan plugin) to the latest version, because docker scan versions earlier than v0.11.0 do not detect Log4j 2.
- To update Docker on Debian-based distros, run (the second command needs root as well, so it also gets sudo):
sudo apt-get update && sudo apt-get install docker-scan-plugin
- To update Docker on RHEL-based distros, run:
sudo yum install docker-scan-plugin
Otherwise, you can download the docker scan binaries from the official GitHub repo.
Step 2. To verify the docker scan version, run:
sudo docker scan --accept-license --version
The output should look like this:
Version:    v0.12.0
Git commit: 2085cc0
Provider:   Snyk
Later, when you scan an image, if the scan output contains a string like ORGAPACHELOGGINGLOG4J (the org.apache.logging.log4j package path of Log4j 2), your image most likely contains a dependency affected by the Apache Log4j 2 vulnerability.
Step 3. Now I'm going to give you an example of how to scan an existing Docker image, for instance the hello-world image:
sudo docker scan hello-world
Testing hello-world

Organization:      docker-test
Package manager:   linux
Project name:      docker image|hello-world
Licenses:          enabled

Tested 0 dependencies for known issues, no vulnerable paths found.
Step 4. To get a detailed scan report for your custom Docker image use the following syntax:
sudo docker scan --file DOCKERFILE_PATH DOCKER_IMAGE
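As an added example (not code from the original post), here is a small bash script that wraps the steps above: it runs docker scan on every image named on the command line and flags any report that mentions a Log4j 2 artifact. It assumes docker, a docker scan plugin of at least v0.11.0 and sudo privileges are in place; the two sample reports are constructed for the self-check.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: batch-scan local images
# with `docker scan` and flag reports that mention a Log4j 2 artifact.
# Assumes docker, docker scan >= v0.11.0 and sudo privileges are available.
set -u

# Return 0 when a scan report mentions a Log4j 2 artifact, 1 otherwise.
# Matches the Maven group id org.apache.logging.log4j as well as the dot-less
# uppercase form ORGAPACHELOGGINGLOG4J found in some report strings.
report_mentions_log4j() {
  printf '%s\n' "$1" | grep -qiE 'org\.apache\.logging\.log4j|ORGAPACHELOGGINGLOG4J'
}

# Print the "Tested N dependencies ..." summary line of a report, or
# "no summary" when the report has none (e.g. the scan itself failed).
scan_summary() {
  local line
  line="$(printf '%s\n' "$1" | grep -E '^Tested [0-9]+ dependencies' | head -n 1)"
  printf '%s\n' "${line:-no summary}"
}

# Scan one image and print a VULNERABLE/CLEAN verdict with the summary line.
# docker scan exits non-zero when it finds issues as well as on errors, so the
# report text, not the exit code, decides the verdict.
scan_image() {
  local image="$1" report
  report="$(sudo docker scan --accept-license "$image" 2>&1)" || true
  if report_mentions_log4j "$report"; then
    printf 'VULNERABLE %s: %s\n' "$image" "$(scan_summary "$report")"
    return 1
  fi
  printf 'CLEAN %s: %s\n' "$image" "$(scan_summary "$report")"
}

# Constructed sample reports (not real docker scan output) for a self-check.
SAMPLE_BAD='Testing myapp:1.0
Critical severity vulnerability found in org.apache.logging.log4j:log4j-core
  Description: Remote Code Execution (RCE)
Tested 12 dependencies for known issues, found 1 issue.'
SAMPLE_OK='Testing hello-world
Tested 0 dependencies for known issues, no vulnerable paths found.'

# Usage: ./scan-log4j.sh image1 [image2 ...]; exits 1 if any image is flagged.
if [ "$#" -gt 0 ]; then
  status=0
  for image in "$@"; do scan_image "$image" || status=1; done
  exit "$status"
fi
```

With no arguments the script only defines the functions and samples, so it can be sourced and tested without a running Docker daemon.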
The most valuable advice is to update your Docker version and keep your images up to date. Feel free to leave a comment below, and if you find this tutorial useful, follow our official channel on Telegram.