Using Vulnerability Detection Software for your Docker Projects
Contents
- What is Docker?
- Run Python Flask App with Docker
- What are Open Source Security Vulnerabilities?
What is Docker?
Docker makes it super easy for developers to create, deploy, and run applications using Docker containers. Docker lets developers containerize applications into a package containing all that is needed to run them.
You can think of a Docker container as a complete environment that can run your applications. A container can be managed using a CLI — for example, CircleCI or Docker API — or the cloud — for example, Azure or On-Premises. Docker containers can run on Windows and Linux OS.
Containerized applications use fewer resources than virtual machines as they start and stop faster, making Docker an efficient choice.
Run your Python Flask app with Docker
In the next series of steps, you will create the flask app in Python and write the requirements.txt and DockerFile. If you want to skip to the running with Docker part directly, go directly to step 4 after cloning.
Clone repository from GitHub:
git clone https://github.com/Soumi7/renovate-docker.gitcd renovate-docker
Let’s create a simple flask API and run it with Docker
- Create an app.py folder in the root folder:
from flask import Flask, request, jsonify, render_template, url_forapp = Flask(__name__)@app.route(‘/’)def home(): return ‘Hello World’@app.route(‘/predict_api’, methods=[“GET”,”POST”])def list_post(): json_body = request.get_json() predictions = 2 * json_body[0] predictions = list(predictions) return jsonify(results = predictions)if __name__ == ‘__main__’: app.run(host=’0.0.0.0',port=5000)
2. Create a Dockerfile in the root folder:
FROM python:3.6-slimCOPY ./app.py /deploy/COPY ./requirements.txt /deploy/WORKDIR /deploy/RUN pip3 install — no-cache-dir -r requirements.txtEXPOSE 80ENTRYPOINT [“python”, “app.py”]
3. Create a requirements.txt file with the dependencies, which in our simple app, is just flask:
Flask==1.1.14. Install Docker:
Remove the existing docker versions:
sudo apt-get remove docker docker-engine docker.io containerd runcInstall Docker:
sudo apt-get updatesudo apt-get install docker-ce docker-ce-cli containerd.io
You can verify the installation success by running the hello-world image:
sudo docker run hello-worldTo get a docker image:
sudo docker build -t app-test .The image is built and ready to run. We can do this using the command:
sudo docker run -p 5000:5000 app-test .Open the link in your browser. The app is running perfectly! Push all this code to a Repository on your GitHub.
What are Open Source Security Vulnerabilities?
Now that your application is built and containerized with Docker, you are ready to host it. However, you forgot about one thing! The dependencies in your application! As new versions of open source libraries get released, the older versions deprecate. These versions become vulnerable to security issues like DDoS attacks. You, as the maintainer, will have to keep, check, and update these dependencies constantly. That’s time consuming, right?
There are several developer tools to tackle open source vulnerabilities. These save time and reduce risk. Some of them include Node Security Project (NSP) which identifies threats in node.js applications, OSSIndex which covers NET/C#, Java and JavaScript, Gemnasium for python, Java, Go, and more.
For this article, I’ll be using Renovate, which identifies potential security vulnerabilities in applications. It runs in real-time to identify the latest available versions. It is available free for NPM and as a Github App for both public and private repositories.
Preservation of Version Precision
Renovate preserves the precision level laid out in the Docker images by default. If the existing image is pinned at img:1.1, Renovate will not propose upgrades to img:1.2.0 or img:1.3.0. Renovate will only propose upgrades to img:1.2 and img:1.3.
Now, lets go ahead and self host Renovate with Docker :
Create a config.js file:
module.exports = {endpoint: ‘https://api.github.com/',token: GITHUB_ACCESS_TOKEN,platform: ‘github’,logLevel: ‘debug’,onboardingConfig: {extends: [‘config:base’],},repositories: [‘Soumi7/renovate-docker’],renovateFork: true,gitAuthor: “Soumi Bardhan <soumibardhan10@gmail.com>”,username: “Soumi7”,onboarding: false,printConfig: true,requireConfig: false,};
Now before you add the access token, you will need to generate one:
Go to Settings on your GitHub profile:
From Settings, go to Developer tools:
Go to Personal access tokens:
Click on Generate new token:
Copy and save it somewhere to get back to it.
Add your details appropriately in the config.js file:
module.exports = {endpoint: ‘https://api.github.com/',token: GITHUB_ACCESS_TOKEN,platform: ‘github’,logLevel: ‘debug’,onboardingConfig: {extends: [‘config:base’],},repositories: [‘YOUR_USERNAME/YOUR_REPO_NAME],renovateFork: true,gitAuthor: “YOUR_NAME <YOUR_EMAIL_ID>”,username: “YOUR_GITHUB_USERNAME”,onboarding: false,printConfig: true,requireConfig: false,};
Now you are ready to go! You will first need to migrate your config.js. Type this in your terminal :
docker run — rm -v “/home/USER_NAME/REPO_NAME/.github/config.js:/usr/src/app/config.js” renovate/renovateThis will also pull the latest version of Renovate.
When I tried it out with my repository, this is what I did. If you are using my repository, you can use this command. Just change the paths of the config for your local system!
docker run — rm -v “/home/soumi/renovate-docker/.github/config.js:/usr/src/app/config.js” renovate/renovate:25.18.4If you mistakenly push your config to GitHub, GitHub will automatically revoke that token, and you will have to generate another one.
Voila! It is working! If any of your dependencies are not updated, a PR will be created to your GitHub repository! Here, since Renovate identifies the Dockerfile as the dependency manager, it identifies open source vulnerabilities in your Dockerfile.
That’s it! I am absolutely stoked by how easy it is to self host Renovate with Docker!
Now we will remove the Dockerfile. We only have a requirements.txt file for managing dependencies now. Don’t forget to push this change to GitHub; otherwise, the changes in the following steps will not be visible.
The flask version is 1.1.1 in the requirements.txt. Run Renovate with Docker again:
docker run — rm -v “/home/soumi/renovate-docker/.github/config.js:/usr/src/app/config.js” renovate/renovate:25.18.4Notice how the requirements file is identified as the dependency manager now. PRs will now be made to requirements.txt. Now you will see this PR created to your repository on GitHub:
This time, the PR is to update the flask version from 1.1.1 to 2.0.0.
Please leave a star on my GitHub if you found it helpful. Thanks!
