What's really inside your docker containers?

Dreams of Code

1 year ago

19,872 views

See NordPass Business in action now with a 3-month free trial here
https://nordpass.com/dreamsofcode with code dreamsofcode

Containers have changed the way we deploy for the better, but the benefit comes with a hidden cost: an increase in the number of known vulnerabilities shipped inside each image.

In this video, we explore that cost and how you can protect yourself from it with two tools, Syft and Grype. Syft generates a software bill of materials (SBOM) listing the packages inside a Docker or other container image, and Grype matches that SBOM against vulnerability databases to report the known CVEs affecting them.

This video includes a paid sponsorship for NordPass Business

Join this channel to get access to perks:
https://www.youtube.com/channel/UCWQaM7SpSECp9FELz-cHzuQ/join

My socials:
Twitter: https://twitter.com/dreamsofcode_io
Discord Server: https://discord.gg/eMjRTvscyt

Links:
Syft: https://github.com/anchore/syft
Grype: https://github.com/anchore/grype
Code: https://github.com/dreamsofcode-io/container-scanning
Docker Image: ghcr.io/dreamsofcode-io/gotainer:1.0

#docker #security #vulnerability

00:00 Intro
01:59 Syft
05:16 Sponsor
06:30 Grype
11:02 Conclusion
11:30 Member shoutouts

Tags:

#docker #containers #images #scanning #vulns #vuln #vulnerabilities #exploits #ethical_hacking #protection #go #golang #coding #software #development #infosec #opsec
Comments:

@JonBrookes - 14.09.2023 14:23

Very useful, and thank you for making this video.

I am happy to see some of my images that run Go apps have zero vulnerabilities according to Grype, whereas others that use bigger, let's say more feature-rich base images, not so, er, well, some vulnerabilities there then, ahem.

So there is a lot to be said for small containers running Go, Rust (insert here other compiled and perhaps statically compiled) that use base images that are as minimal as possible if you want them to 'stay young and beautiful'.

@B20C0 - 03.09.2023 12:04

This video should be on the watch list of every DevSecOps engineer, good job!

@adam_pech - 01.09.2023 17:36

Hello @dreamsofcode, this is already a new feature in Docker under the Docker Scout function, am I right?

@DrMarcB - 01.09.2023 15:23

Thank you. Would definitely like to see how to integrate with CI/CD

@anotherone2398 - 30.08.2023 04:40

It'd be really cool if you could dive deep into how containers work under the hood

@BD-hx9lf - 06.08.2023 21:14

Which DE are you using?

@OleksaBaida - 19.07.2023 16:58

Are there any pros to using Syft+Grype over Snyk or Trivy, for example?

@alexsoul982 - 11.07.2023 18:33

Great video, I recently discovered your channel and I've learned a lot from you. May I ask you, what zsh theme are you using? Greetings from Cuba 💪🏼

@Billiegoose - 08.07.2023 20:12

This is incredibly well made! Graphics, script, everything!

@nekretaur - 30.06.2023 20:53

C++ Neovim with clangd pls!

@ardavanizadiyar - 28.06.2023 19:59

But these issues weren't about Docker, but rather the OS or software being used. Also, using Docker opens up the opportunity to scan the OS, which wasn't the case back in the day when we just trusted the server provider's OS without even scanning it or having the ability to modify it as easily as Docker images.

thanks for sharing the scanning tools though.

@marcuswest8085 - 27.06.2023 13:49

Are you thinking of creating a container with your setup in it?

@agcodes - 26.06.2023 15:50

What desktop environment do you use? (I know Arch, btw, what's the DE?)

@AdeaduraAdegbite - 23.06.2023 14:34

But I don't know why.

@VitorDonnangeloCardoso - 23.06.2023 03:34

I love you man

@JohnSmith-yz7uh - 22.06.2023 21:47

Is this more applicable to container maintainers or to admins deploying a container? You should vet containers you're going to deploy, but having to update dependencies/packages yourself before deploying seems too much. Even though I just started working professionally, I prefer setting up VMs and applications from scratch, repos for newer versions etc. In hindsight it might be just as much work.

@mizunokizu - 22.06.2023 16:30

Would have been cool to include Dive and anything similar to that in this also

@hades_2.042 - 22.06.2023 14:29

When is the video about Arch coming?

@victorguidi6223 - 22.06.2023 13:55

Fantastic video!! Would be awesome to see a continuation on how to integrate that within a deployment process! Thanks a lot for the content 💪🏼

@abombfuenmayor - 22.06.2023 07:45

Awesome video. Thank you!

@waldowalden7379 - 22.06.2023 06:45

Another great video. On top of that I'd add that I have observed variations in container scanner results. Remember that scanners are based on databases of vulnerabilities, and some of them update more frequently than others, or simply have different logic when scanning. Having said that, I'd encourage you to pick the top 3 free scanners out there (Trivy, Grype, Snyk) and double-check your scanning results. (You can build a Python script to consolidate the scanning and even build it into a pipeline.)

The reason why these discrepancies are common lies in how the scanners' logic runs. I found earlier that Snyk doesn't work well with stripped binaries in containers (for instance, when the container builder decided to remove some metadata from the container in order to reduce the size of the image).

@Dreams of Code ... awesome material ... I'd improve this video in the future using Trivy instead of Grype, since Trivy scans secrets along with the container scanning process. =)

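The consolidation script this comment suggests, combined with the kind of severity gate a CI pipeline would run over the Syft/Grype scan the video describes, as an added example written for this page (it is not code from the video, its linked repository, or the Anchore, Aqua or Snyk projects). It assumes the JSON field names Grype (`matches[].vulnerability`, `matches[].artifact`) and Trivy (`Results[].Vulnerabilities[]`) emit, which you should check against your installed versions, and the two reports embedded in it are constructed rather than real scanner output. The gate treats a vulnerable component and an exploitable image as different things: it blocks only at or above a severity threshold, by default only where a fix exists, and skips ids the team has reviewed and accepted.

```python
# Added example: consolidate Grype and Trivy JSON reports and apply a severity gate.
# Field names are assumptions about the scanners' JSON output; verify against your versions.
import json
from dataclasses import dataclass

# Constructed sample of `grype <image> -o json` output (not a real scan).
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "High",
                       "fix": {"versions": ["1.2.3"], "state": "fixed"}},
     "artifact": {"name": "libfoo", "version": "1.2.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2023-0002", "severity": "Critical",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libbar", "version": "2.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2023-0003", "severity": "Medium",
                       "fix": {"versions": ["0.9.1"], "state": "fixed"}},
     "artifact": {"name": "baz", "version": "0.9.0", "type": "go-module"}},
]})

# Constructed sample of `trivy image -f json <image>` output (not a real scan).
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "example.org/app:1.0 (debian 12.0)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libfoo",
         "InstalledVersion": "1.2.0", "FixedVersion": "1.2.3", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-0004", "PkgName": "libqux",
         "InstalledVersion": "3.1.0", "FixedVersion": "", "Severity": "LOW"},
    ]},
    {"Target": "app", "Vulnerabilities": None},  # parser must tolerate null/missing lists
]})

SEVERITY_RANK = {"unknown": 0, "negligible": 0, "low": 1, "medium": 2,
                 "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str
    severity: str   # normalised to lower case across scanners
    fixed_in: str   # "" when no fixed version is known
    scanner: str

    @property
    def key(self):
        return (self.vuln_id, self.package, self.version)


def parse_grype(text):
    out = []
    for m in json.loads(text).get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        fix = (v.get("fix") or {}).get("versions") or []
        out.append(Finding(v["id"], a["name"], a["version"],
                           v.get("severity", "Unknown").lower(), ",".join(fix), "grype"))
    return out


def parse_trivy(text):
    out = []
    for r in json.loads(text).get("Results", []):
        for v in r.get("Vulnerabilities") or []:
            out.append(Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                               v.get("Severity", "UNKNOWN").lower(),
                               v.get("FixedVersion") or "", "trivy"))
    return out


def consolidate(*reports):
    """Merge findings from several scanners, keyed by (CVE, package, version)."""
    merged = {}
    for findings in reports:
        for f in findings:
            merged.setdefault(f.key, []).append(f)
    return merged


def disagreements(merged, scanners):
    """Keys that not every scanner reported: the ones worth a second look."""
    return {k: sorted(f.scanner for f in v) for k, v in merged.items()
            if {f.scanner for f in v} != set(scanners)}


def gate(merged, min_severity="high", require_fix=True, accepted=()):
    """Findings that should fail the build: at or above min_severity, with a fix
    available unless require_fix=False, and not in the reviewed-and-accepted ids."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for key, findings in merged.items():
        worst = max(findings, key=lambda f: SEVERITY_RANK.get(f.severity, 0))
        if key[0] in accepted or SEVERITY_RANK.get(worst.severity, 0) < threshold:
            continue
        if require_fix and not any(f.fixed_in for f in findings):
            continue  # tracked, not blocked: nothing to upgrade to yet
        blocking.append(worst)
    return sorted(blocking, key=lambda f: f.vuln_id)


if __name__ == "__main__":
    merged = consolidate(parse_grype(GRYPE_JSON), parse_trivy(TRIVY_JSON))
    for key, seen in disagreements(merged, ("grype", "trivy")).items():
        print("only", seen, "reported", key)
    blocking = gate(merged)
    for f in blocking:
        print(f"BLOCK {f.vuln_id} {f.package}@{f.version} {f.severity}, fix: {f.fixed_in}")
    raise SystemExit(1 if blocking else 0)
```

On the constructed input the script reports three findings that only one scanner saw and blocks on CVE-2023-0001 alone: the Critical CVE-2023-0002 has no fix, so with the default `require_fix=True` it is logged rather than failing the build. In a pipeline, feed it the real `grype -o json` and `trivy -f json` output and pass the accepted ids from a reviewed file rather than a literal.
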
@allroni - 22.06.2023 04:18

Thanks a lot, once again! I really love your introductions to different tools! And your animations are amazing, as always!
Personally, I find that the short sound effects you added detract a bit from what you are saying and I'm glad you didn't use them as much after the intro. (Just wanted to let you know in case you plan to add them to the rest of the video as well... but then again, perhaps it's just me. :-)

@sergioromano116 - 21.06.2023 23:35

Thanks for this video. I need to scan my containers 😅

@orbital1337 - 21.06.2023 21:33

Yup, this is not surprising to me at all. This is what happens when you take the responsibility of updating core OS components, libraries, and other parts of the environment away from the distro maintainers and sysadmins who are quite security conscious, and give that responsibility to the application developers who are not. The developers would rather just use something that they know works instead of updating.

Software packaging is an unsolved problem - perhaps an unsolvable problem. Whenever people tell you that containers are the be-all and end-all of software packaging, remember that there is no such thing, only trade-offs.

@LoganVanCuren - 21.06.2023 20:48

Fantastic video! Thank you! It is very eye opening to scan through my images!

@Ashaiksameer - 21.06.2023 19:06

Hey, my eyes are paining 😢 when is the Java configuration coming 😢😢 please at least tell me the date..

😢😢reply😢

@user-fh8zj5sm6v - 21.06.2023 18:57

My containers are completely 100% safe
- Me, 2023, running a couple of containers in --privileged mode

@jayjay7333 - 21.06.2023 18:31

Amazing video

@mabusugaming - 21.06.2023 18:25

I want your wallpaper

@navaneeth6157 - 21.06.2023 17:40

❤high quality videos as always

@venkatrushivanga1025 - 21.06.2023 17:32

Which desktop environment do you use on Arch?

@cheako91155 - 21.06.2023 17:31

Just upgrading to the latest version brings in new features that must add new vulnerabilities. This is like sticking your head in the sand and then claiming you are now far away from the beach.

@darkfire2703 - 21.06.2023 16:01

Very nice video.

But to play devil's advocate here: "An image has components with vulnerabilities" is not the same as "An image is exploitable". Many of the vulnerabilities, even those categorized as HIGH, are not exploitable in practice. So while the 87% sounds very, very bad, it in no way means that 87% of the images can actually be exploited in the field if they are deployed. (Assuming that the 87% is just counting images that have components with vulnerabilities.)

This of course doesn't mean we should just ignore vulnerabilities. The scanners are very useful and should probably be used by pretty much anyone. I'm just saying that things are often not as bad in practice.

@blaze9872 - 21.06.2023 15:27

Fantastic video! Waiting on the video with build automation!

@yaaaayeet745 - 21.06.2023 14:57

THE THUMBNAIL IS JUST 🤌✨

@antonioiorga7708 - 21.06.2023 14:54

Each time I see one of your videos I try to make my terminal closer to yours. 😂😂
Is the bar at the bottom of the terminal an ohmyzsh plugin?

@FauzulChowdhury - 21.06.2023 14:52

This is the way 🦾

@mantovani96 - 21.06.2023 14:49

Man, your videos are so good!

@dylanelens - 21.06.2023 14:41

Good video, I really liked the topic. I use Docker all the time and did not know this was that much of an issue.

@frann8487 - 21.06.2023 14:23

I really like the way your videos are made, but the topic was not that interesting.
