Docker Scout's general availability for software supply chain security led a trio of additions to Docker's product line this week as the company moved to bolster its products' appeal beyond developer workstations.
Users can deploy Docker Scout with Docker Desktop, the Docker Hub container image registry or Docker's command line interface. The product replaces a previous open source utility, Docker Scan, which drew on partner Snyk's container image security scans, with Docker's own event-driven vulnerability detection system. That system takes a layer-by-layer view of container images and their dependencies and then surfaces them in a dashboard that prioritizes risks and offers developers remediation advice.
Updates to Docker products this week also included new cloud infrastructure support for the Docker Build container image builder tool and a new Docker Debug product, which pulls together multiple language-specific tools for debugging containerized apps into a centralized workflow. The Docker Build update lets developer teams offload container image building to cloud servers to speed up performance and reduce delays in the development process. The feature is multi-tenant for now, but support for enterprise virtual private clouds is on the near-term roadmap, according to Docker officials.
All these updates, particularly Docker Build, are part of an overarching effort to expand the value of Docker's developer tools beyond local workstations -- an effort the company calls "local plus cloud."
"They've been seen as a laptop tool," said Rob Strechay, lead analyst for enterprise tech media company TheCube. "Local plus Cloud helps them break out of that."
The updated Docker Build also allows for team-level build caching and offline support. Docker Debug can save developers time spent configuring debug tools. All are especially valuable features for organizations without the resources to build out their own internal developer platforms, said Larry Carvalho, an independent analyst at Robust Cloud.
"All the pieces are tested to work together rather than the DIY model, which each enterprise is doing themselves, where they have their own team sitting down and having to debug the lifecycle tools and keep improving them," he said. "Unless you're a very, very large company with 1,000 developers, that doesn't make sense."
Docker Scout overhauls software supply chain security
Docker Scout was first released as an early preview with Docker Desktop 4.17 earlier this year, followed by an update in Docker Desktop 4.18. Early access users of Docker Scout said the tool has bolstered software supply chain security practices for development teams without requiring disruptive changes to the tools they already use.
"The DevOps team at JW Player didn't need to spend countless engineering hours updating pipelines on behalf of our engineering teams," said Stewart Powell, engineering manager at JW Player, a video hosting company in New York. "Conversely, we didn't need to wait weeks or months for other engineering teams to have bandwidth to implement changes on our behalf. We simply went into Docker Hub, enabled Scout by checking a box and were done."
JW Player is a longtime user of Docker Desktop among its team of about 100 developers and has deployed Docker Scout on some 300 Docker Hub repositories, Powell said.
Docker Scan required full container image scans to pinpoint new vulnerabilities, but Docker Scout can automatically flag new vulnerabilities without repeating scans, said Mohammad-Ali A'râbi, senior backend engineer at Jodel, a social media company in Berlin. Jodel's 10 developers use the free tier of Docker Desktop.
Docker Scout also takes a more modular approach to vulnerability scanning, A'râbi said.
"First you have SBOMs [software bill of materials] generated from your image … and you can generate it any way you see fit. You can let Docker generate this or another tool to generate this SBOM at the build stage," he said. "Also, [when] checking these SBOMs for vulnerabilities, you can also use other tools for that part."
Tools supported with Docker Scout at launch for vulnerability scanning and SBOM generation include Sysdig, JFrog Artifactory, Amazon Elastic Container Registry (ECR), BastionZero, GitHub, GitLab, CircleCI and Jenkins. Snyk scans remain available as a Docker Extension.
Another industry expert who tested out early versions of Scout said it has improved significantly through its early releases and is among the most effective container security tools available.
"Really impressed with the results of Docker Scout for CVE scanning," wrote Dan Lorenc, CEO and co-founder of container software supply chain security vendor Chainguard, in a public post last week. Chainguard does not have a formal partnership with Docker but can be integrated with Docker products through a Docker Extension. "I've been monitoring the results against Aqua Trivy and Grype for a while now, and Scout is getting really good at removing false positives," he wrote.
In a separate online interview, Lorenc said Docker Scout's vulnerability indexing appears to be an early differentiator for the tool.
"They're doing a lot of their own indexing on vulnerabilities to build a better database and have some great tooling for figuring out what content is in the image to scan against," Lorenc said. "It's not [open source], so it's hard for me to say why it works so well, but the results are definitely there. It's also improved a lot in the last few months."
The generally available version of Docker Scout also adds new features to what had been available in preview releases, including security policy evaluations, Sysdig runtime monitoring for containers in production, support for JFrog Artifactory and Amazon ECR container registries, and code signing and verification.
Docker Scout replaces open source, adds value
Docker Scout follows a pattern at Docker over the last two years of replacing free and open source tools with proprietary and commercial ones as the company has sought to boost its revenue growth. Docker Scan, an unlimited, free open source utility, is replaced with the Docker Scout free tier, which supports up to three repositories. A Scout Team subscription costs $9 per repository per month.
Similar recent moves by Docker, such as deprecating its Free Team subscription earlier this year, have ruffled feathers in the open source community. But the shift from Scan to Scout is unlikely to have a significant ripple effect, according to industry experts.
"Docker Scan still only allowed 10 free scans per month, and for more, you had to have a Snyk account because it ran on their engine," said Katie Norton, an analyst at IDC. "I think the real consideration here is just that the tool is natively integrated. And for anyone who is using Docker products, this provides a more frictionless experience when it comes to integrating security into development workflows."
Enterprises have a number of free and open source software supply chain security tools to choose from if cost is a major consideration, such as Aqua's Trivy or Grype, which Docker Scout can integrate with. The real value of the tool is its integration into developers' existing experience, Carvalho said.
"Unless you are really off the open source bandwagon, [enterprises will] pay a small amount to get the subscription and get a supported version," he said. "They're not going to worry about whether it's open source unless they stop seeing innovation."
In addition to Scout's free tier, Scout's local image analysis is free. Docker is also offering Scout at no cost to Docker-Supported Open Source publishers. It also adds SBOMs and signed attestations to Docker Official Images, a curated set of Docker repositories hosted on Docker Hub, regardless of whether their creators are commercial customers of Docker.
In the meantime, commercial customer JW Player would like to see the Docker Scout roadmap include notifications and alerts through other existing developer tools, such as Slack and Jira, Powell said.
Overall, that roadmap looks promising, Norton said.
"Docker continues to build out functionality focused on the developer experience, and that is a key trend and need at organizations today," she said. "Organizations that have gone through layoffs often need to do more with less and need to keep the development talent they do have."
Docker's long-term challenges
Docker underwent rapid growth in 2022 after it made changes to Docker Desktop pricing, going from a $12 million to $100 million run rate in less than a year, following the company's bifurcation and restructuring in 2019. The company now has 20 million monthly active developer users and a healthy base of commercial customers, according to CEO Scott Johnston.
"We now have over 79,000 commercial customers across every industry vertical," Johnston said in an interview with TechTarget Editorial last week. "They're using Docker Desktop trusted images for their inner loop development."
However, Docker still faces questions about sustaining its growth long-term and how it can remain competitive against cloud-based tools, according to Strechay.
"Everybody I know starts [development] with a Docker image … and then it gets to a point where you can't run it on your laptop anymore, and you have to go to cloud," he said. "[With these new features, Docker is] trying to say, 'OK, we'll help get you to the cloud so you don't have to move into somebody else's CI/CD pipeline.'"
But it remains to be seen how Docker's new additions will stand up to the likes of GitHub, GitHub Actions and the major cloud providers in this realm, Strechay said.
A'râbi is cautious as well. "We have Trivy in our CI pipelines, mostly because it's open source and we don't have to pay for it. The CI part is still a bit too early to decide how valuable [Docker Scout] would be. But for the earliest development stage, before you push your image to your repository for a third party to pick it up and scan it, Docker Scout will be a great help."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.