
Checkmarx Docker Desktop Extension

Overview

The Checkmarx Docker Desktop Extension helps you strengthen the security posture of your Docker images by taking a proactive approach to safeguarding against vulnerabilities and aligning with industry best practices for secure containerization. The tool offers comprehensive image scanning, package inspection, and vulnerability assessment. It leverages the Checkmarx proprietary vulnerability database to provide insights and recommendations for protecting images against potential security threats and maintaining the integrity of your containerized environments.

Main Features

  • Free tool

    • No Checkmarx account required

      Notice

      Soon we will be adding additional Premium features, which will be available specifically for Checkmarx customers.

  • Image scanning

    • Scan local Docker images

    • View a detailed breakdown of image layers

  • Package inspection

    • Inspect packages that are installed within your Docker images

  • Vulnerability assessment

    • Identify vulnerabilities associated with packages within your Docker images

  • Recommendations and remediation (Premium feature, COMING SOON)

    • Receive suggestions and recommendations for remediating identified vulnerabilities

Requirements

Verify that your system meets the following specifications in order to ensure optimal performance:

  • Operating system compatibility

    • amd64: Windows, Linux, macOS

    • arm64: macOS (Apple M1)

  • Docker compatibility

    • Docker Desktop version 4.26 and above

  • Resource requirements

    • Minimum 200MB disk space for the image to run

    • Minimum 8GB RAM

Supported Package Managers

Installing the Extension

To install the extension:

  1. In your Docker Desktop console, click on + Add Extensions and search for the Checkmarx extension.

  2. Click Install.

  3. Follow on-screen prompts to complete the installation process.

    The Checkmarx extension is installed and the icon is shown in the Extensions section of the navigation pane.


Scanning Images

You can scan any image that you have in your Docker Desktop in order to get detailed information about its open source packages and the risks associated with those packages.

Notice

The extension stores scan results, so that if an image hasn’t been changed since the last scan, the results from that scan are shown and no new scan is initiated.

To scan an image and view results:

  1. In the navigation pane, click on the Checkmarx extension.

    The Checkmarx screen opens.

  2. Click on the Select images field and select an image from the drop-down list.

  3. Click on the Scan Image button.

    When the scan completes, the results are shown. The initial view shows the Summary tab. You can view additional details in the Packages and Vulnerabilities tabs.


Viewing Scan Results

After scanning an image, the results screen is shown. There are two main sections:

Image & Layers

This pane shows a separate section for each build stage, listing all layers within that stage, as well as an All section that includes every layer in the image. Next to each item, an icon indicates the overall risk level for that item.

This section serves as a navigation pane for the details tabs. When All is selected, all results are shown in the Vulnerabilities and Packages tabs. When a specific layer is selected, the Vulnerabilities and Packages tabs are filtered to show only the results for that layer.
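The layer breakdown above rests on how an image records its history: only some Dockerfile instructions (RUN, COPY, ADD) produce a filesystem layer, while metadata instructions (ENV, CMD, LABEL) are recorded in the image config's history with `empty_layer: true` and own no layer. The following added example (written for this page, not the extension's own code) walks an OCI image config in that way and pairs each recorded instruction with the layer digest it produced. It also derives the image ID as the SHA-256 of the config blob, which is the identity a per-image result cache of the kind described in the scan notice can be keyed on; that keying is an assumption about how such a cache could work, not a statement about the extension's implementation. `SAMPLE_CONFIG` is a constructed, trimmed-down config with placeholder digests.

```python
"""Map an OCI image config's history entries to its filesystem layers.

Added example for this page, not code from the Checkmarx extension.
The config schema (rootfs.diff_ids, history[].created_by, history[].empty_layer)
is the OCI image config format; SAMPLE_CONFIG is constructed for illustration.
"""
import hashlib
import json

# Constructed image config with placeholder digests (not a real image).
SAMPLE_CONFIG = {
    "architecture": "amd64",
    "os": "linux",
    "rootfs": {
        "type": "layers",
        "diff_ids": [
            "sha256:" + "11" * 32,  # base filesystem
            "sha256:" + "22" * 32,  # produced by the RUN below
            "sha256:" + "33" * 32,  # produced by the COPY below
        ],
    },
    "history": [
        {"created_by": "ADD rootfs.tar / # base image"},
        {"created_by": "ENV APP_HOME=/srv/app", "empty_layer": True},
        {"created_by": "RUN apt-get install -y curl"},
        {"created_by": "COPY app/ /srv/app/"},
        {"created_by": 'CMD ["/srv/app/run"]', "empty_layer": True},
    ],
}


def config_blob(config: dict) -> bytes:
    """Serialise the config deterministically so the example's ID is stable.

    A real image ID is the SHA-256 of the config blob exactly as stored in the
    image; re-serialising a parsed config may not reproduce those bytes.
    """
    return json.dumps(config, separators=(",", ":"), sort_keys=True).encode()


def image_id(blob: bytes) -> str:
    """Return the content-addressable image ID for a config blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def layer_breakdown(config: dict) -> list:
    """Pair each history entry with the diff_id it produced.

    History entries are in build order; each entry without `empty_layer`
    consumes the next diff_id. Entries flagged empty_layer get None so the
    caller can still list every instruction, not only the ones with a layer.
    """
    diff_ids = iter(config["rootfs"]["diff_ids"])
    rows = []
    for entry in config["history"]:
        if entry.get("empty_layer"):
            rows.append({"instruction": entry["created_by"], "diff_id": None})
            continue
        diff_id = next(diff_ids, None)
        if diff_id is None:
            raise ValueError("history has more layer-producing entries than diff_ids")
        rows.append({"instruction": entry["created_by"], "diff_id": diff_id})
    leftover = list(diff_ids)
    if leftover:
        raise ValueError(f"{len(leftover)} diff_ids are not accounted for by history")
    return rows


if __name__ == "__main__":
    print("image id:", image_id(config_blob(SAMPLE_CONFIG)))
    for row in layer_breakdown(SAMPLE_CONFIG):
        layer = row["diff_id"] or "(no filesystem layer)"
        print(f"{layer[:19]:<22} {row['instruction']}")
```

Run as a script it prints one row per recorded instruction, which is the same shape as the per-layer navigation described above: metadata instructions appear without a layer, and each filesystem layer can be traced back to the instruction that created it when triaging where a vulnerable package entered the image.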


Details Tabs

Summary Tab

This tab shows a summary of the number of vulnerabilities, broken down by severity, identified in each build stage as well as for the overall image.

Note

This display isn’t affected by the selection made in the Image & Layers section.


Vulnerabilities Tab

This tab shows the vulnerabilities identified in each package. Click on a package to show its associated vulnerabilities, then drill down further to see the details of each vulnerability.

Notice

Use the search field at the top right to search by CVE or package name. Results are filtered as you type.


Packages Tab

This tab shows a list of packages that were identified. Click on a package to show detailed information about the package.

Notice

Use the search field at the top right to search by package name. Results are filtered as you type.
