docker: 'scan' is not a docker command. on the latest Docker Engine

[PeterDaveHello]

Description

docker: 'scan' is not a docker command. on the latest Docker Engine.

According to the release notes, I believe that I'm using the latest version - 20.10.7, which should have the scan feature.
(https://docs.docker.com/engine/release-notes/)

(My Docker Engine was install using the convenience script)

Steps to reproduce the issue:

• Run docker scan command with any Docker image

Describe the results you received:

$ docker scan peterdavehello/ipinfo.tw
docker: 'scan' is not a docker command.
See 'docker --help'

Describe the results you expected:

Something like https://github.com/docker/scan-cli-plugin#scanning

$  docker scan hello-world

  Testing hello-world...

  Organization:      docker-desktop-test
  Package manager:   linux
  Project name:      docker-image|hello-world
  Docker image:      hello-world
  Licenses:          enabled

  ✓ Tested 0 dependencies for known issues, no vulnerable paths found.

  Note that we do not currently have vulnerability data for your image.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

$ docker version
Client: Docker Engine - Community
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:40 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:54:48 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)

Server:
 Containers: 9
  Running: 0
  Paused: 0
  Stopped: 9
 Images: 341
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc version: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-144-generic
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.79GiB
 Name: workstation12
 ID: 3WT3:ZXLV:5WVD:4WQY:LYPB:HU3B:SNKK:UH4X:WX53:OYER:JO6Z:J43K
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: peterdavehello
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):

It's on a VMware virtual machine, though I think it's not related.

[thaJeztah]

The scan plugin is packaged in a separate package (docker-scan-plugin); depending on "how" you installed, it may not have been installed (as it's an "optional" dependency); can you try apt-get update && apt-get install docker-scan-plugin ?

[PeterDaveHello]

Hi @thaJeztah, you're right, I misunderstood that I thought it just need the latest Docker engine installed 😅

[PeterDaveHello]

Confirmed that install docker-scan-plugin package on Ubuntu resolved this issue, also confirmed that docker-scan-plugin package is not included in the convenience install script, not sure it should be added?

[PeterDaveHello]

Looks like the package is also not mentioned in the install process unless I missed something.

[thaJeztah]

Good point, yes we need to update the docs; we made changes to the install script on get.docker.com to automatically install it. For RPM-based distros (CentOS, Fedora), the plugin is always installed (as RPM's don't have a concept of "optional" dependencies).

For deb based distro's, the plugin is installed as an optional dependency, but currently is not yet available for non-x86 platforms (so we'll have to take that into account for the install docs).

[PeterDaveHello]

Looks like I can:

1. Send a PR to https://github.com/docker/docker-install, to add docker-scan-plugin automatically installed for x86 platform
2. Send a PR to https://github.com/docker/scan-cli-plugin, to mention that for deb based distros, it's not yet available for non-x86 platforms
3. Send a PR to https://github.com/docker/docker.github.io/blob/master/engine/install/ubuntu.md, to also add docker-scan-plugin related info in the docs

Does above looks correct?

[thaJeztah]

1. should already be taken care of by docker/docker-install#235

For 2.: yes, I think that would be useful 👍
For 3.: yes, that's needed; probably should be in a separate "install the docker-scan plugin (optional)" (e.g.) section. The same changes would be needed both for the "ubuntu" and "debian" pages.

[alberduris]

What about Amazon Linux AMI instances?

sudo yum install docker-scan-plugin

just returns

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                                                                 | 3.7 kB  00:00:00     
No package docker-scan-plugin available.

[thaJeztah]

Docker currently doesn't provide packages for Amazon Linux (the docker packages for amazon linux are built by Amazon); probably best way is to open a feature request with Amazon, or download a static binary from the github releases on this repository, as outlined in the readme; https://github.com/docker/scan-cli-plugin#on-linux

[nroose]

Any thoughts on how to get scan on a dind container?

[thaJeztah]

for docker in docker, You can download a binary from the github releases page on this repo; https://github.com/docker/scan-cli-plugin/releases/tag/v0.8.0

[PeterDaveHello]

Hi @thaJeztah,

I'm preparing the PR we mentioned before, just want to make sure that the x86 should actually be amd64, right? I checked the packages here: https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/, looks like amd64 is the only arch having the package, and there is no any package for i386 arch.

[PeterDaveHello]

Though some facts had been changed, @thaJeztah do you have a moment to take a look, and help review #171? Thanks.

[georgegoldman]

sudo zypper in docker-scan-plugin
[sudo] password for root:
Loading repository data...
Reading installed packages...
Package 'docker-scan-plugin' not found.
Resolving package dependencies...
Nothing to do.

[georgegoldman]

am having issues too.