On-Demand Container Scanning API

Last summer I launched vulnerablecontainers.org to help shed light on the number of vulnerabilities in the 1,000 most popular containers on docker hub.  While it was an interesting project, right after I launched the project I had multiple people ask if it was able to scan other public containers. Initially, it wasn’t but I wanted to offer the ability, so over the last two weeks, I decided to not sleep and built my first API that I am publicly releasing today.  

scan.vulnerablecontainers.org is an open python API built using TrivyFlask, Gunicorn, and Nginx that for now has two public endpoints (more endpoints and tools coming). From the start, I designed it to be easy to use in the browser or on the command line for integration with CI/CD.

Trivy Scan Report

The most useful endpoint provides a trivy report of all opened vulnerabilities for the container and is available at: 
https://scan.vulnerablecontainers.org/scan?name=

Usage Example:
https://scan.vulnerablecontainers.org/scan?name=centos:6.6

Example Output:

CVE List

This endpoint provides a list of open CVEs on the container and is available at:
https://scan.vulnerablecontainers.org/cves?name=

Usage Example:
https://scan.vulnerablecontainers.org/cves?name=centos:6.6

Example Output:

Advanced Usage:

Closing Notes:

  • This is a work in process and is in EARLY beta.  Please do not build this into production systems.
  • The API will only work on containers built using Alpine, RHEL, CentOS, Oracle Linux, SUSE, Amazon Linux, Debian, Ubuntu, and Photon OS.
  • I have attempted to implement some caching but it may take up to 120 seconds to return results.
  • I will release source code, a docker container, and a build guide after some more testing and hopefully adding more endpoints.
  • Notice Something Boken? Please Let Me Know on twitter @JGamblin

Site Footer

Sliding Sidebar