Docker And Sysdig Partner Up To Secure The Software Supply Chain
Written by Nikos Vaggalis   
Thursday, 05 October 2023

Today at DockerCon, Docker announced the General Availability of Docker Scout. With the integration of Sysdig Runtime Insights, Docker Scout helps developers prioritize risk, which promises a significant improvement in software supply chain security. Let's find out why.

A top priority in the effort to harden the supply chain is the security of the containers themselves. We recently examined Wolfi, the Linux undistro, which ships container images that are already signed and come with sensible defaults.

Docker has taken an alternative approach by introducing Docker Scout as the replacement for the legacy 'docker scan'.
With 'docker scan' you would manually vet your image for vulnerabilities; Docker Scout has left manual and scheduled scans behind and instead embraces an event-driven model.

That is, if a new vulnerability affecting your images is announced, Scout shows the updated risk within seconds. It is always alert, pulling vulnerability information from 17+ sources in real time and comparing it against your images' Software Bill of Materials (SBOM), so the picture stays up to the minute rather than waiting for the next scheduled scan.

It goes without saying that this model is far ahead of its predecessor: you get feedback immediately upon
pushing your images to a monitored repository, so vulnerabilities are spotted and fixed without the wait.

This gets even better now that Docker has partnered with Sysdig and integrated Sysdig Runtime Insights into Docker Scout.
This combination adds a layer of runtime context that brings better visibility while letting development and security teams target real, imminent risk.

(Screenshot: Docker Scout showing which packages are in use at runtime)

Runtime insights help prioritize the most critical security risks by focusing on what is actually in use. Container images routinely include packages pulled in to satisfy potential dependencies that are never loaded at runtime; a vulnerability in one of those is far less urgent than one in a library the running process has mapped. Ranking findings this way lets developers focus on delivering software and frees security teams to focus on other demands.

At a high level, this integration brings distinct benefits:

  • Ship more secure images: Developers can compare images during the build phase with those running in production to easily identify risk, eliminate unnecessary packages, and build leaner container images with a smaller attack surface. Integration with the Docker Build and Push GitHub Action provides insight directly within GitHub to avoid committing risky images.
  • Avoid shift-left security gaps: Shift-left security empowers teams to make better-informed decisions earlier in the development process. With Docker and Sysdig, it is possible to correlate image analysis with runtime context to generate actionable insights for securing the software supply chain.
  • Accelerate cloud-native application delivery: Software validation processes are faster when informed by Sysdig runtime insights. By quickly identifying imminent risks that require immediate remediation, developers can focus on innovation and deliver cloud-native applications faster.
  • Reduce monitoring noise: According to the two companies, joint customers can reduce monitoring noise by up to 95% by separating the vulnerabilities that are in use from those that are not. This helps security teams focus on what is most important and saves time for developers.
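To make the two mechanisms described above concrete, the event-driven matching of new advisories against an SBOM and the ranking of hits by runtime usage, here is a small model in Python. It is an added illustration written for this article, not Docker Scout or Sysdig code, and it does not call either product's API. The SBOM, the advisory feed, the set of packages observed in use and the advisory identifiers (EX-0001 and so on) are all constructed sample data, and the version comparison is a deliberate simplification: real ecosystems (Alpine, Debian, PyPI) each have their own ordering rules.

```python
"""Toy model of SBOM-vs-advisory matching with runtime in-use prioritization.

Added illustration for this article; not Docker Scout or Sysdig code.
All data below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed SBOM: packages installed in an image, as a scanner would list them.
SBOM = [
    {"name": "openssl", "version": "3.0.8"},
    {"name": "curl", "version": "8.1.2"},
    {"name": "libxml2", "version": "2.10.3"},
    {"name": "zlib", "version": "1.2.13"},
]

# Constructed advisory feed; the EX-* identifiers are placeholders, not real CVEs.
FEED = [
    {"id": "EX-0001", "package": "openssl", "fixed_in": "3.0.9", "severity": "high"},
    {"id": "EX-0002", "package": "libxml2", "fixed_in": "2.10.4", "severity": "critical"},
    {"id": "EX-0003", "package": "curl", "fixed_in": "8.1.0", "severity": "critical"},
    {"id": "EX-0004", "package": "zlib", "fixed_in": "1.3.0", "severity": "medium"},
]

# Constructed runtime observation: which packages the running container actually loaded.
IN_USE = {"openssl", "curl"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    advisory: str
    package: str
    installed: str
    fixed_in: str
    severity: str
    in_use: bool


def parse_version(v: str) -> tuple:
    """Simplified version parser: '1.2.13-r1' -> (1, 2, 13).

    Hypothetical simplification for the example; distro- and
    ecosystem-specific version ordering is more involved than this.
    """
    core = v.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """A package is affected when its installed version is older than the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def match_feed(sbom, feed, in_use) -> list:
    """Join advisories against the SBOM and tag each hit with runtime usage."""
    findings = []
    for pkg in sbom:
        for adv in feed:
            if adv["package"] == pkg["name"] and is_affected(pkg["version"], adv["fixed_in"]):
                findings.append(Finding(adv["id"], pkg["name"], pkg["version"],
                                        adv["fixed_in"], adv["severity"],
                                        pkg["name"] in in_use))
    return findings


def prioritize(findings) -> list:
    """In-use packages first, then by severity, then by advisory id for stability."""
    return sorted(findings, key=lambda f: (not f.in_use, SEVERITY_RANK[f.severity], f.advisory))


def noise_reduction(findings) -> float:
    """Fraction of findings that sit in packages never loaded at runtime."""
    if not findings:
        return 0.0
    dormant = sum(1 for f in findings if not f.in_use)
    return dormant / len(findings)


class ScoutModel:
    """Event-driven state: each advisory is evaluated as it arrives, no rescan."""

    def __init__(self, sbom, in_use):
        self.sbom = list(sbom)
        self.in_use = set(in_use)
        self.findings = []

    def ingest_advisory(self, adv) -> list:
        """Handle one new advisory and return the findings it produced."""
        new = match_feed(self.sbom, [adv], self.in_use)
        self.findings.extend(new)
        return new

    def ranked(self) -> list:
        return prioritize(self.findings)


if __name__ == "__main__":
    model = ScoutModel(SBOM, IN_USE)
    for advisory in FEED:
        model.ingest_advisory(advisory)
    for f in model.ranked():
        print(f"{f.advisory:8} {f.package:8} {f.installed:>7} -> {f.fixed_in:<7} "
              f"{f.severity:8} {'IN USE' if f.in_use else 'dormant'}")
    print(f"noise reduction: {noise_reduction(model.findings):.0%}")
```

With the constructed data, EX-0003 never becomes a finding because curl 8.1.2 already carries the fix; EX-0001 in openssl ranks first despite being only "high" because the library is loaded at runtime, and the "critical" libxml2 advisory drops below it as dormant. Feeding a later advisory into `ingest_advisory` updates the ranking immediately, which is the event-driven behaviour the article describes, without re-scanning the image.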

In one sentence, the above can be condensed to:

Incorporating Sysdig runtime insights means that users can save time by focusing on the real risks exposed in production.

Software supply chain security has just upped its game to a whole new level.


More Information

Using Runtime Insights with Docker Scout to Prioritize Vulnerabilities 

Related Articles

Happy Birthday To Wolfi Linux Undistro


Last Updated ( Thursday, 05 October 2023 )