Quay

Back in Chapter 3, Storing and Distributing Images, we looked at Quay, an image registry service by CoreOS. One thing we didn't touch upon is that Quay actually performs a security scan of each image after it is pushed or built.

You can see the results of the scan by viewing the Repository Tags for your chosen image; here you will see a column for Security Scan. As you can see from the following screenshot, in the example image we created, there are no problems:

Clicking on where it says Passed will take you to a more detailed breakdown of any vulnerabilities that have been detected within the image. As there are no vulnerabilities at the moment (which is a good thing), this screen does not tell us much. However, clicking on the Package icon in the left-hand menu will present us with a list of the packages the scan has discovered. For our test image, it has found 13 packages with no vulnerabilities, all of which are displayed here along with the version of each package and how it was introduced to the image.

As you can also see, Quay is scanning our publicly available image, which is being hosted on the free-of-charge open source plan Quay offers. Security scanning comes as standard with all plans on Quay; like the Docker image scanning service, it uses static analysis.

For more information on Quay, see https://quay.io/.
