vasant kumar chinnipilli
Vulnerability Management of Containers using OpenSource
Containers have revolutionized application development and have taken the enterprise by storm, changing in particular the way applications are built and scaled.
The same flexibility that makes containers useful to developers also poses many security challenges. The biggest cloud security threat facing container users is the false assumption that containers equal security.
In every container, there are naturally going to be many different and individually complex components that can all introduce security risks and vulnerabilities. As container adoption continues to grow, a strong focus on security is an absolute must.

1. Trivy
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
Installation
Installing using Homebrew
brew install aquasecurity/trivy/trivy
Install Script
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
Scan an image
trivy image knqyf263/vuln-image:1.2.3

Reference:
https://github.com/aquasecurity/trivy
2. Snyk
With Snyk, you can test, monitor, and protect your container images directly from the CLI.
Installation
Installing using Homebrew
brew install snyk
Install the Snyk CLI with npm
npm install -g snyk
Scan an image
snyk test --docker ubuntu:latest
snyk test --docker ubuntu:latest --file=Dockerfile
snyk monitor --docker ubuntu:latest --file=Dockerfile

3. Anchore
The Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images.
Installation
apt-get install -y python-pip python-rpm yum
git clone https://github.com/anchore/anchore.git
cd anchore/
pip install --upgrade --user .
export PATH=~/.local/bin:$PATH
Scan an image
anchore --help
anchore feeds list
anchore feeds sync
anchore analyze --image hmlio/vaas-cve-2014-6271
anchore audit --image hmlio/vaas-cve-2014-6271 report
anchore query --image hmlio/vaas-cve-2014-6271 has-package curl wget
anchore query --image hmlio/vaas-cve-2014-6271 list-files-detail all
anchore query --image hmlio/vaas-cve-2014-6271 cve-scan all
anchore toolbox --image hmlio/vaas-cve-2014-6271 show

[Figure: scanning an image]
[Figure: querying the results]
4. Clair
Clair is an open-source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
Installation
curl -OL https://raw.githubusercontent.com/coreos/clair/master/contrib/compose/docker-compose.yml
mkdir clair_config && curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o clair_config/config.yaml
sed 's/clair-git:latest/clair:v2.0.1/' -i docker-compose.yml && \
sed 's/host=localhost/host=postgres password=password/' -i clair_config/config.yaml
docker-compose up -d postgres
curl -LO https://gist.githubusercontent.com/BenHall/34ae4e6129d81f871e353c63b6a869a7/raw/5818fba954b0b00352d07771fabab6b9daba5510/clair.sql
docker run -it \
-v $(pwd):/sql/ \
--network clair_default \
--link clair_postgres:clair_postgres \
postgres:latest \
bash -c "PGPASSWORD=password psql -h clair_postgres -U postgres < /sql/clair.sql"
docker-compose up -d clair
curl -L https://github.com/optiopay/klar/releases/download/v1.5/klar-1.5-linux-amd64 -o /usr/local/bin/klar && chmod +x $_
Scan an image
CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 JSON_OUTPUT=true klar mysql:latest | jq

5. Dagda
Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.
Installation
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
git clone https://github.com/eliasgranderubio/dagda.git
cd dagda && sudo pip3 install -r requirements.txt
docker pull mongo
docker run -d -p 27017:27017 mongo
apt-get -y install linux-headers-$(uname -r)
Scan an Image
python3 dagda.py start -d
export DAGDA_HOST='127.0.0.1'
export DAGDA_PORT=5000
python3 dagda.py vuln --init
python3 dagda.py vuln --init_status
python3 dagda.py check --docker_image jboss/wildfly
python3 dagda.py docker events

6. Continuous Container Security in the CI/CD
Security has traditionally been a separate process implemented by a different team. As DevOps teams move quickly to deploy containers through a continuous integration and delivery (CI/CD) pipeline, security should be a forethought rather than an afterthought. This can be achieved by automating container security scans in the CI/CD pipeline so that they keep pace with DevOps.
You can use any of the open-source tools listed above and integrate them into your CI/CD pipeline to scan the images and identify vulnerabilities before the image reaches a registry or a deployment.
You can achieve this during the build phase by scanning the image after it is built, failing any build whose image has fixable vulnerabilities, and notifying the team responsible. After remediation, rescan and allow the build to be pushed into the registry.
In the image below, after the Build Docker task, we invoked an Image security scanning task in which the image built by the Build Docker task is scanned for vulnerabilities; the build fails because vulnerabilities were identified.

If you rescan the image after fixing or patching the discovered vulnerabilities, or if the image is free of vulnerabilities, the Image security scanning task succeeds and the image is pushed into the repository, from which it can be used in deployment.
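The build gate described in this section, written out as an added example (not code from the original post, and not part of Trivy or any of the tools above). It assumes the report being gated is the output of `trivy image --format json <image>`: current Trivy wraps findings in a top-level `Results` list with a per-target `Vulnerabilities` array, and older releases printed a bare list, so both shapes are accepted. The policy mirrors what the text asks for, fail on fixable findings at or above a severity threshold, and the sample report embedded in the block, including its CVE identifiers, is constructed for the example.

```python
"""Build gate over a Trivy JSON report (added example, not the post's own code).

Returns exit code 1 when the image has fixable findings at or above a severity
threshold, which is the policy the CI/CD section above describes.
Assumed input: the output of `trivy image --format json <image>`.
"""
import json
import sys
from typing import Dict, Iterator, List, Tuple, Union

# Severity order so a threshold of HIGH also catches CRITICAL.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in Trivy's JSON shape; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example/app:1.0 (debian 10.3)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.1", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
                 "Severity": "LOW"},
            ],
        },
        # A target with no findings carries null instead of a list.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ]
})


def iter_findings(report: Union[str, dict, list]) -> Iterator[Tuple[str, Dict]]:
    """Yield (target, vulnerability) pairs from a Trivy report (JSON text or parsed)."""
    data = json.loads(report) if isinstance(report, str) else report
    # Current Trivy wraps results in {"Results": [...]}; older releases printed a bare list.
    results = data.get("Results") if isinstance(data, dict) else data
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def blocking_findings(report, min_severity: str = "HIGH",
                      ignore_unfixed: bool = True) -> List[Dict]:
    """Return the findings that should block the build under the given policy."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for target, vuln in iter_findings(report):
        rank = SEVERITY_RANK.get(str(vuln.get("Severity", "UNKNOWN")).upper(), 0)
        if rank < threshold:
            continue
        fixed = vuln.get("FixedVersion") or ""
        # Findings with no fixed version cannot be remediated by a rebuild, so they
        # do not block when ignore_unfixed is set (the same idea as trivy --ignore-unfixed).
        if ignore_unfixed and not fixed:
            continue
        blocking.append({
            "id": vuln.get("VulnerabilityID", ""),
            "package": vuln.get("PkgName", ""),
            "installed": vuln.get("InstalledVersion", ""),
            "fixed": fixed,
            "severity": vuln.get("Severity", "UNKNOWN"),
            "target": target,
        })
    return blocking


def gate(report, min_severity: str = "HIGH", ignore_unfixed: bool = True) -> int:
    """Print the blocking findings and return the exit code the pipeline should use."""
    findings = blocking_findings(report, min_severity, ignore_unfixed)
    for f in findings:
        print(f"{f['severity']:<8} {f['id']:<16} {f['package']} "
              f"{f['installed']} -> {f['fixed']}  ({f['target']})")
    if findings:
        print(f"FAIL: {len(findings)} fixable finding(s) at or above {min_severity}")
        return 1
    print(f"PASS: no fixable findings at or above {min_severity}")
    return 0


if __name__ == "__main__":
    # Usage: python3 trivy_gate.py report.json [MIN_SEVERITY]
    # where report.json came from `trivy image --format json IMAGE`.
    # Without arguments the constructed sample report is gated instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report_text = fh.read()
    else:
        report_text = SAMPLE_REPORT
    sys.exit(gate(report_text, sys.argv[2] if len(sys.argv) > 2 else "HIGH"))
```

In a pipeline the script's exit code is what fails the stage; a rebuild after patching produces a report without fixable findings at the threshold, so the same step then passes and the push to the registry can proceed, which is the rescan-then-push flow described above. Trivy can apply an equivalent policy by itself with `--severity`, `--ignore-unfixed` and `--exit-code`; keeping the logic in a script makes the policy explicit and reusable across scanners that emit JSON.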

A container is only as secure as the code that runs in it and the infrastructure it runs on. Beyond the container images and the applications within them, the containers themselves can become security issues.
One of the more serious concerns arises when the container runtimes that launch and manage containers (software such as containerd, CRI-O, and rkt) themselves contain vulnerabilities.
In another post, I will be discussing the best Docker security practices to secure your Docker infrastructure.