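# Scan a local image. NOTE: `docker scan` (Snyk-backed) has been retired from
# recent Docker Desktop releases; `docker scout cves <image-name>` is the
# successor — check which one your Docker version ships.
docker scan <image-name>
# Report only findings at or above the given severity (the original comment
# said "show detailed info"; the flag filters, it does not add detail)
docker scan --severity high <image-name>
# --exclude-base hides vulnerabilities inherited from the base image so only
# the layers you added are reported. It is NOT a per-CVE exclusion; per-CVE
# ignores are configured in a Snyk policy file, not on the command line.
docker scan --exclude-base --severity high <image-name>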
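# Install Trivy
brew install aquasecurity/trivy/trivy # macOS (Homebrew tap)
# Debian/Ubuntu: trivy is not in the stock distro repositories, so this line
# only works after Aqua's apt repository and its signing key have been added
# (see the Trivy install documentation).
sudo apt-get install trivy
# Scan an image (all severities)
trivy image <image-name>
# Show only HIGH and CRITICAL findings
trivy image --severity HIGH,CRITICAL <image-name>
# Write a machine-readable JSON report (for CI gating or archiving)
trivy image -f json -o results.json <image-name>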
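# Run a Clair server. Pin the tag: `:latest` is mutable and may pull a major
# version whose API clair-scanner does not speak (clair-scanner targets the
# Clair v2 API — confirm the server/scanner combination before trusting results).
docker run -d --name clair -p 6060-6061:6060-6061 quay.io/projectquay/clair:<clair-version>
# Scan with clair-scanner. Mounting the Docker socket hands this third-party
# image full control of the host Docker daemon (root-equivalent on the host);
# use it only with an image you have verified, preferably on a dedicated CI host.
# $HOME is quoted so a path containing spaces is passed as one argument.
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-v "$HOME/clair-scanner:/clair-scanner" \
objectifrais/clair-scanner \
--clair="http://<clair-server>:6060" --ip=<host-ip> <image-name>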
# 1. 检查基础镜像更新
docker pull <base-image>:latest
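# 2. Rebuild from the updated base image. For a reproducible build also pin
#    the digest: <base-image>:<updated-version>@sha256:<digest>
FROM <base-image>:<updated-version>
# Apply pending OS updates. Caveats:
#  - hadolint DL3005 flags a blanket upgrade; bumping the base image is the
#    preferred fix, this is a stop-gap until a patched base is available.
#  - This layer is cached: a later rebuild will NOT pick up newer patches
#    unless the base image changed or the build runs with --no-cache.
#  - DEBIAN_FRONTEND is set inline (not via ENV) so it does not leak into the
#    runtime environment; it keeps debconf from blocking on prompts.
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && rm -rf /var/lib/apt/lists/*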
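# List installed packages matching a vulnerable package name (dpkg-based
# images only). -it is dropped: a pseudo-TTY is not needed for a one-shot
# command whose output is piped, and it can garble the output with CRs.
docker exec <container-id> dpkg -l | grep <vulnerable-package>
# Upgrade a single package inside the container. The whole chain must run in
# a shell *inside* the container: with a bare `&&` the host shell splits the
# line and `apt-get install` runs on the host, not in the container.
# This is a temporary measure only — changes to a running container are lost
# when it is recreated; fix the image and redeploy.
docker exec <container-id> sh -c 'apt-get update && apt-get install -y --only-upgrade <package-name>'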
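# Multi-stage build: compile in a full toolchain image, ship only the binary.
# (golang:1.16 is end-of-life; bump to a supported release when possible.)
FROM golang:1.16 AS builder
WORKDIR /app
# Copy module manifests first so the dependency layer stays cached until they
# change (assumes the project has a go.sum; drop it from the COPY if not).
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Build a static binary: the runtime stage is musl-based alpine, so a
# glibc-linked (cgo) binary from this Debian-based builder would fail there.
RUN CGO_ENABLED=0 go build -o myapp

# Pin the runtime base; `:latest` is mutable and makes builds unreproducible.
FROM alpine:<pinned-version>
# Create the unprivileged runtime user before copying files so ownership can
# be set in the same COPY, and before USER so the switch actually applies.
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# /app rather than /root: /root is mode 0700 and unreadable by appuser.
WORKDIR /app
COPY --from=builder --chown=appuser:appgroup /app/myapp .
USER appuser
CMD ["./myapp"]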
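# Enable Docker Content Trust: pull/run refuse images that lack a valid
# Notary signature. Set it in the shell profile or the CI environment so it
# persists beyond the current shell.
export DOCKER_CONTENT_TRUST=1
# Limit container resources. --memory/--cpus bound noisy-neighbour and DoS
# impact; --pids-limit caps the process count (fork-bomb protection), which
# the original line left unbounded. The numbers are examples — size them to
# the workload.
docker run --memory=512m --cpus=1 --pids-limit=256 <image-name>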
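name: Docker Image Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to an immutable ref (a release tag, or better a
      # full commit SHA). `@master` is a mutable branch and a supply-chain
      # risk: whoever controls it controls this job. A current major of
      # actions/checkout should be used too; v2 is no longer maintained.
      - uses: actions/checkout@v2
      - name: Build Docker image
        run: docker build -t myapp .
      - name: Scan with Trivy
        uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>
        with:
          image-ref: myapp
          format: 'table'
          # Non-zero exit fails the job when findings at the listed severities exist
          exit-code: '1'
          severity: 'HIGH,CRITICAL'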
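# Weekly (Sunday 00:00): scan the images behind all running containers.
# `docker ps -q` prints container IDs, which `docker scan` does not accept
# (it expects an image reference); list image references and de-duplicate.
# Cron runs with a minimal PATH and discards output unless redirected — give
# the docker binary an absolute path if needed and send the report somewhere
# it is reviewed. `docker scan` is retired in recent Docker releases; swap in
# the scanner you actually use (e.g. `trivy image`).
0 0 * * 0 docker ps --format '{{.Image}}' | sort -u | xargs -L1 docker scan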
通过以上方法和工具,您可以系统地识别和修复Docker容器中的安全漏洞,显著提高容器环境的安全性。