Docker, looking to further strengthen its security chops, released Tuesday a version of its container runtime and platform that implements several features to eliminate application-level vulnerabilities and proactively manage risk throughout the development process.
Among the additions, Docker 1.11 introduces Security Scanning, a tool enabling a bottom-up analysis of all code in the container image that can keep security gaps from being deployed into production environments, said Nathan McCauley, Docker's director of security.
"The general goal is to help organizations with the problem of known vulnerable software within their images," McCauley told CRN. "We're really focused on secure content."
Security has been raised as a potential liability with Docker's container standard, and recent upgrades to the platform have made strides to harden containers and the process of deploying them throughout the software development process and supply chain.
Docker Inc., the San Francisco-based commercial entity behind the open-source software, follows a roughly two-month release cadence. The previous release, version 1.10, introduced a feature that let users configure the privileges that had been behind root-level vulnerabilities.
The latest release updates Docker Bench, a script that implements security best practices, with guidelines from the Center for Internet Security.
The Security Scanning service was designed to integrate into both the development and the operations workflow. Images can be signed by "trusted signers," McCauley said, and "no untrusted code can even enter the workflow."
"If a new vulnerability gets added, that triggers an update in the Security Scanning solution that will send a notification to the owner of any image that is vulnerable," McCauley said.
In that case, the workflow goes back to the developers, who can rebuild and rescan the image, check whether the vulnerability has been remediated, and then deploy the application.
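The notify, rebuild and rescan loop described above, modelled as an added example in Python (not Docker's own code): each scanned image carries a bill of materials indexed by package, a new feed entry is matched against that index, and a rebuilt image replaces its earlier entry. The image references, team names, package versions and the vulnerability id are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Image:
    ref: str        # constructed image reference, e.g. "acme/web:1.4"
    owner: str      # who receives the notification
    packages: dict  # bill of materials from the scan: package name -> version tuple

def parse_version(text):
    return tuple(int(p) for p in text.split("."))  # so (1, 0, 1) < (1, 0, 2) holds

def is_affected(image, package, fixed_in):
    """Rescan check: True while the image still ships a pre-fix version."""
    version = image.packages.get(package)
    return version is not None and version < fixed_in

class ScanRegistry:
    """Indexes scanned images by package so a new feed entry is matched against
    every image with one lookup instead of re-walking every layer."""

    def __init__(self):
        self._images = {}                    # ref -> latest scanned Image
        self._by_package = defaultdict(set)  # package name -> image refs

    def register(self, image):
        """Record a (re)scan; a rebuilt image replaces its earlier bill of materials."""
        old = self._images.pop(image.ref, None)
        for name in (old.packages if old else ()):
            self._by_package[name].discard(image.ref)
        self._images[image.ref] = image
        for name in image.packages:
            self._by_package[name].add(image.ref)

    def publish(self, vuln_id, package, fixed_in):
        """A feed entry lands: return (owner, ref, vuln_id) for each affected image."""
        refs = sorted(self._by_package.get(package, ()))
        return [(self._images[r].owner, r, vuln_id) for r in refs
                if is_affected(self._images[r], package, fixed_in)]

def demo():
    """Constructed data: one image is flagged, then rebuilt and rescanned clean."""
    reg = ScanRegistry()
    reg.register(Image("acme/web:1.4", "web-team", {"openssl": parse_version("1.0.1")}))
    reg.register(Image("acme/api:2.0", "api-team", {"openssl": parse_version("1.0.2")}))
    feed = ("VULN-EXAMPLE-1", "openssl", parse_version("1.0.2"))  # placeholder, not a real CVE
    first = reg.publish(*feed)                                    # web-team is notified
    reg.register(Image("acme/web:1.4", "web-team", {"openssl": parse_version("1.0.2")}))
    return first, reg.publish(*feed)                              # empty after the rebuild
```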
Security Scanning will be available for a limited time on a free-trial basis to customers of the Docker Cloud repository, and will soon be integrated into Docker Datacenter, a Container-as-a-Service suite.