Two veterans from Square, the credit-card payment system, have been helping Docker Inc. nail down container security. Their latest effort, Docker Security Scanning, is launching today as a means of verifying containers down at the binary level.
At Docker, they’ve been working on Docker Content Trust — a set of controls for signing a container image with a developer’s private key. Such signatures let IT verify that a particular container image really did come from a trusted source.
Docker Security Scanning is being made available free, for a limited time, to paying customers running private Docker repositories. Longer-term, they can purchase the service as an add-on to the repository they’re paying for.
Later, Docker plans to make Security Scanning available to all Docker Cloud repository customers. The company also plans to integrate the service into Docker Datacenter, the company’s container management and deployment environment.
The scanner provides “deep visibility at the binary level of what’s in their containers,” McCauley says. In other words, it inspects the container’s contents directly, digging in at such a low level that it doesn’t matter what language or operating system the container is using.
This also means the scan can answer questions about what exactly is in a container and where it came from — things that IT sometimes likes to know after receiving these containers from developers.
The idea is to create a security scanning process that can be preventive and not purely reactive, McCauley says.
The idea isn’t unique to Docker. Black Duck Software, based in Burlington, Mass., performs a similar scan on a registry or directory. A prime application for the service is to look for vulnerabilities among the scraps of open source code that a developer assembled from various sources.
Docker Security Scanning does have a tie back to Docker Content Trust: The scan can be used to prevent containers from being deployed if they don’t have acceptable signatures on them. Docker’s interest here is to secure the “supply chain” — meaning the handoffs that happen as containers get built, shipped, and then run in production. As containers get handed off from developers to IT or other organizations, the signatures serve as proof that the containers came from a trusted source.