# Using WhiteSource Renovate for your Docker Projects
![](https://lh4.googleusercontent.com/6N7fngTRAmNIhJjjPhoelCjLPwjGDh2Vy-glgunKWAASgzf139ie-kqUdIlH2xfSsimCBiQ0qH7U2f9GlfGlFY6sxadRQMH_W7CHBNi0AwoCpbrF1IaYGvERaR4SPKP_ZA3O55sZ)
Photo by [Sigmund](https://unsplash.com/@sigmund?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText) on [Unsplash](https://unsplash.com/s/photos/code?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)
## What is Docker?
Docker makes it super easy for developers to create, deploy, and run applications using [Docker containers](https://www.docker.com/resources/what-container). Docker lets developers containerize applications into a package containing all that is needed to run them.
You can think of a Docker container as a complete environment that can run your applications. A container can be managed using a CLI---for example, [CircleCI](https://circleci.com/) or Docker API---or the cloud---for example, Azure or On-Premises. Docker containers can run on Windows and Linux OS.
Containerized applications use fewer resources than virtual machines as they start and stop faster, making Docker an efficient choice.
## Run your Python Flask app with Docker
In the next series of steps, you will create the flask app in Python and write the requirements.txt and Dockerfile. If you want to skip to the running with Docker part directly, go directly to step 4 after cloning.
Clone repository from GitHub:
```
git clone <https://github.com/soumi7/renovate-docker.git>
cd renovate-docker
```
Let's create a simple flask API and run it with Docker
### 1. Create an **app.py** folder in the root folder:
```
from flask import Flask, request, jsonify, render_template, url_for
app = Flask(__name__)
@app.route('/')
def home():
return 'Hello World'
@app.route('/predict_api', methods=["GET","POST"])
def list_post():
json_body = request.get_json()
predictions = 2 * json_body[0]
predictions = list(predictions)
return jsonify(results = predictions)
if __name__ == '__main__':
app.run(host='0.0.0.0',port=5000)
```
### 2. Create a **Dockerfile** in the root folder:
```
FROM python:3.6-slim
COPY ./app.py /deploy/
COPY ./requirements.txt /deploy/
WORKDIR /deploy/
RUN pip3 install --no-cache-dir -r requirements.txt
EXPOSE 80
ENTRYPOINT ["python", "app.py"]
```
### 3. Create a requirements.txt file with the dependencies, which in our simple app, is just flask:
`Flask==1.1.1`
### 4. Install Docker:
##### Remove the existing docker versions:
`sudo apt-get remove docker docker-engine docker.io containerd runc`
#### Install Docker:
```
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
```
You can **verify** the installation success by running the hello-world image:
`sudo docker run hello-world`
### 5. To get a docker image:
`sudo docker build -t app-test .`
![](https://lh6.googleusercontent.com/2LqrJ9Xgzu4v3WHrlghKajCeH4luaz3eHPOAZULaPhoRQ_paeKAZ2VpL1WSnD2sBhs4VaQxEjk24vZ8lRXkOXsLDVh7XnFnV8B6UYuvQEa1Lo6lY05cvVqKKJgtm9yPsq06T0w4D)
### 6. The image is built and ready to run. We can do this using the command:
`sudo docker run -p 5000:5000 app-test .`
![](https://lh6.googleusercontent.com/2LqrJ9Xgzu4v3WHrlghKajCeH4luaz3eHPOAZULaPhoRQ_paeKAZ2VpL1WSnD2sBhs4VaQxEjk24vZ8lRXkOXsLDVh7XnFnV8B6UYuvQEa1Lo6lY05cvVqKKJgtm9yPsq06T0w4D)
Open the link in your browser. The app is running perfectly! Push all this code to a Repository on your GitHub.
![](https://lh4.googleusercontent.com/_SGzFpBbylPVyjmM2oqC9ohZa3DQV0seocx4B1i59ieB-LIos6P3qEaI6Z4V44AOBwjDSbQVWhONfO95f2bhKi9tBqr_phbahuMD5rKMh5gQj5uK2lPGIeJb70a7weQrRf0URGCO)
## What are Open Source Security Vulnerabilities?
Now that your application is built and containerized with Docker, you are ready to host it. However, you forgot about one thing! The dependencies in your application! As new versions of open source libraries get released, the older versions deprecate. These versions become vulnerable to security issues like DDoS attacks. You, as the maintainer, will have to keep, check, and update these dependencies constantly. That's time consuming, right?
There are several developer tools to tackle open source vulnerabilities. These save time and reduce risk. Some of them include Node Security Project (NSP) which identifies threats in node.js applications, OSSIndex which covers NET/C#, Java and JavaScript, Gemnasium for python, Java, Go, and more.
For this article, I'll be using [WhiteSource Renovate](https://www.whitesourcesoftware.com/free-developer-tools/renovate/), which identifies potential security vulnerabilities in applications. It detects the level of security threats that the application presently has and suggests fixes automatically as Pull Requests on Github, for e.g. dependency updates. It identifies the dependency manager automatically and suggests major or minor changes.
Renovate continuously runs in real time to identify the latest available versions. It is available free for NPM and as a Github App for both public and private repositories.
## Self Hosting Renovate with Docker
WhiteSource Renovate is available for Docker here: [renovate/renovate](https://hub.docker.com/r/renovate/renovate/).
### How it Works
1. Renovate will search for any files matching each manager's configured fileMatch pattern(s) in each repository.
2. It parses the matching files. Renovate will check the files for any Docker image references, e.g., FROM lines in the Dockerfile.
3. If the image tag used looks like a version, Renovate will check the Docker registry for upgrades.
### Preservation of Version Precision
Renovate preserves the precision level laid out in the Docker images by default. If the existing image is pinned at `img:1.1`, Renovate will not propose upgrades to `img:1.2.0` or `img:1.3.0`. Renovate will only propose upgrades to `img:1.2` and `img:1.3`.
Now, lets go ahead and self host Renovate with Docker:
Create a `config.js` file:
```
module.exports = {
endpoint: 'https://api.github.com/',
token: GITHUB_ACCESS_TOKEN,
platform: 'github',
logLevel: 'debug',
onboardingConfig: {
extends: ['config:base'],
},
repositories: ['YOUR_USERNAME/YOUR_REPO_NAME],
renovateFork: true,
gitAuthor: "YOUR_NAME <YOUR_EMAIL_ID>",
username: "YOUR_GITHUB_USERNAME",
onboarding: false,
printConfig: true,
requireConfig: false,
};
```
Now before you add the access token, you will need to generate one:
Go to **Settings** on your GitHub profile, then go to **Developer tools** and **Personal access tokens** and finally click on **Generate new token**:
![](https://lh4.googleusercontent.com/zzYGtQIseEdO_mpU68T5GvR23pWZSii22yhCyyet7caVRw2ubLp0C7d-9m_AdbOdpEPnlgIyYl9KCA4_EeNitWMNXnMUnBFY5fkF8yB7ZEwkiWyJ_gfkd0mhDY-ZCH5uqqoXQy2D)
Copy and save it somewhere to get back to it.
Add your details appropriately in the `config.js` file:
```
module.exports = {
endpoint: 'https://api.github.com/',
token: GITHUB_ACCESS_TOKEN,
platform: 'github',
logLevel: 'debug',
onboardingConfig: {
extends: ['config:base'],
},
repositories: ['YOUR_USERNAME/YOUR_REPO_NAME],
renovateFork: true,
gitAuthor: "YOUR_NAME <YOUR_EMAIL_ID>",
username: "YOUR_GITHUB_USERNAME",
onboarding: false,
printConfig: true,
requireConfig: false,
};
```
Now you are ready to go! You will first need to migrate your `config.js`. Type this in your terminal:
```
docker run --rm -v "/home/USER_NAME/REPO_NAME/.github/config.js:/usr/src/app/config.js" renovate/renovate
```
This will also pull the latest version of Renovate.
If you mistakenly push your config to GitHub, GitHub will automatically revoke that token, and you will have to generate another one.
![](https://lh3.googleusercontent.com/1REYlP2UUh7IRbh9vEQCusjTfY6X7ywVH_QOJkczhzP_IkYXImPjGWbvRb1dih3p6ZS61QTVdhlAFMiAyesEXgfvUPEB9lTqGH5GSjynuhEJA_Qy_JUKBuQ6xSMQCHZiUbwBF7o1)
Voila! It is working! If any of your dependencies are not updated, a PR will be created to your GitHub repository! Here, since Renovate identifies the Dockerfile as the dependency manager, it identifies open source vulnerabilities in your Dockerfile.
Now we will remove the `Dockerfile`. We only have a `requirements.txt` file for managing dependencies now. Don't forget to push this change to GitHub; otherwise, the changes in the following steps will not be visible.
The flask version is 1.1.1 in the requirements.txt. Run Renovate with Docker again:
`docker run --rm -v "/home/[YOURSYSTEM]/renovate-docker/.github/config.js:/usr/src/app/config.js" renovate/renovate:25.18.4`
![](https://lh6.googleusercontent.com/NGk_qmVWy-URUinGfhLydQsV1lHD1IjkOFGlUuYvtxSsfe45DcYUcFTYcAx65uBIPV821KU0q_vhO4Z8_73-Swx6WY0EkP6WIKbQMuW6QnPKJDBHt4S-11TSq22BjoeIgs8gTYRk)
Notice how the requirements file is identified as the dependency manager now. PRs will now be made to requirements.txt. Now you will see this PR created to your repository on GitHub.
That's it! I hope this article helped.