Vasant Kumar Chinnipilli

Vulnerability Management of Containers using OpenSource

Containers have revolutionized application development and have taken the enterprise by storm — in particular, the way they are built and scaled.

The same flexibility that makes containers useful to developers also poses many security challenges. The biggest cloud security threat facing container users is the false assumption that using containers, by itself, makes an application secure.

In every container, there are naturally going to be many different and individually complex components that can all introduce security risks and vulnerabilities. As container adoption continues to grow, a strong focus on security is an absolute must.

1. Trivy

A simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for CI.

Installing using Homebrew
brew install aquasecurity/trivy/trivy

Install Script
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin

Scan an image

trivy image knqyf263/vuln-image:1.2.3



2. Snyk

With Snyk, you can test, monitor, and protect your container images directly from the CLI.

Installing using Homebrew
brew install snyk

Install the Snyk CLI with npm
npm install -g snyk

Scan an image

snyk test --docker ubuntu:latest
snyk test --docker ubuntu:latest --file=Dockerfile
snyk monitor --docker ubuntu:latest --file=Dockerfile

3. Anchore

The Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images.

# install the build prerequisites, then fetch and install Anchore from source
apt-get install -y python-pip python-rpm yum
git clone https://github.com/anchore/anchore.git
cd anchore/
pip install --upgrade --user .
export PATH=~/.local/bin:$PATH

Scan an image

anchore --help
anchore feeds list
anchore feeds sync
anchore analyze --image hmlio/vaas-cve-2014-6271
anchore audit --image hmlio/vaas-cve-2014-6271 report
anchore query --image hmlio/vaas-cve-2014-6271 has-package curl wget
anchore query --image hmlio/vaas-cve-2014-6271 list-files-detail all
anchore query --image hmlio/vaas-cve-2014-6271 cve-scan all
anchore toolbox --image hmlio/vaas-cve-2014-6271 show

[Screenshots: scanning an image, and querying the results]

4. Clair

Clair is an open-source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

# fetch the Clair compose file and sample configuration
curl -OL https://raw.githubusercontent.com/coreos/clair/master/contrib/compose/docker-compose.yml
mkdir clair_config && curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o clair_config/config.yaml

# pin the Clair release and point the config at the compose Postgres service
sed 's/clair-git:latest/clair:v2.0.1/' -i docker-compose.yml && \
sed 's/host=localhost/host=postgres password=password/' -i clair_config/config.yaml

# start the database and load a pre-populated vulnerability database dump
docker-compose up -d postgres
curl -LO https://gist.githubusercontent.com/BenHall/34ae4e6129d81f871e353c63b6a869a7/raw/5818fba954b0b00352d07771fabab6b9daba5510/clair.sql
docker run -it \
  -v $(pwd):/sql/ \
  --network clair_default \
  --link clair_postgres:clair_postgres \
  postgres:latest \
  bash -c "PGPASSWORD=password psql -h clair_postgres -U postgres < /sql/clair.sql"

# start Clair and install the klar CLI client
docker-compose up -d clair
curl -L https://github.com/optiopay/klar/releases/download/v1.5/klar-1.5-linux-amd64 -o /usr/local/bin/klar && chmod +x $_

Scan an image

CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 JSON_OUTPUT=true klar mysql:latest | jq

5. Dagda

Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.

# install sysdig (used for runtime monitoring), Dagda itself, and its MongoDB backend
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
git clone https://github.com/eliasgranderubio/dagda.git
cd dagda && sudo pip3 install -r requirements.txt
docker pull mongo
docker run -d -p 27017:27017 mongo
apt-get -y install linux-headers-$(uname -r)

Scan an Image

# start the Dagda server and tell the CLI where to reach it
python3 dagda.py start -d
export DAGDA_HOST='127.0.0.1'
export DAGDA_PORT=5000
# populate the vulnerability database and wait for the initialisation to finish
python3 dagda.py vuln --init
python3 dagda.py vuln --init_status
# scan an image, then watch the docker daemon for anomalous activity
python3 dagda.py check --docker_image jboss/wildfly
python3 dagda.py docker events

6. Continuous Container Security in the CI/CD

Security has traditionally been a separate process implemented by a different team. As DevOps teams move quickly to deploy containers through a continuous integration and delivery (CI/CD) pipeline, security should be a forethought instead of an afterthought. This can be achieved by automating container security scans in the CI/CD pipeline so that they run at the speed of DevOps.

You can use any of the open-source tools listed above and integrate them into your CI/CD pipeline to scan images and identify vulnerabilities before a vulnerable image is ever deployed.

You can achieve this during the build phase by scanning the image after it is built, failing any build whose image has fixable vulnerabilities, and notifying the team responsible. After remediation, rescan and allow the build to be pushed into the registry.

In the pipeline below, an Image security scanning task is invoked after the Build Docker image task. The image built in the Build Docker image task is scanned for vulnerabilities, and the build is failed because vulnerabilities have been identified.

If you rescan the image after fixing or patching the discovered vulnerabilities, or if the image is free of vulnerabilities, the Image security scanning task succeeds and the image is pushed into the repository, from where it can be used in deployment.
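The build gate described above, as an added example that is not from the original post: it reads a Trivy JSON report (the embedded sample is constructed, with placeholder CVE ids), keeps only findings that have a fixed version available, and returns the exit status the CI step should use. It assumes the report shape produced by `trivy image -f json`, in both the newer `{"Results": [...]}` wrapper and the older bare-list form.

```python
"""CI gate for a Trivy JSON report: fail the build on fixable vulnerabilities."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image -f json`; ids are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "example/app:1.0 (debian 10)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
         "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
    ]}]})


def fixable_findings(report_json, min_severity="HIGH"):
    """Return fixable vulnerabilities at or above min_severity as tuples."""
    data = json.loads(report_json)
    # Newer Trivy wraps results in {"Results": [...]}; older builds emit a bare list.
    results = data.get("Results") or [] if isinstance(data, dict) else data
    threshold = SEVERITY_RANK[min_severity.upper()]
    findings = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            if not vuln.get("FixedVersion"):
                continue  # no upstream fix yet: worth reporting, but do not block
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN").upper(), 0)
            if rank >= threshold:
                findings.append((result.get("Target", ""), vuln["VulnerabilityID"],
                                 vuln["PkgName"], vuln["InstalledVersion"],
                                 vuln["FixedVersion"], vuln["Severity"]))
    return findings


def gate(report_json, min_severity="HIGH"):
    """Exit status for the CI step: 0 allows the push, 1 fails the build."""
    findings = fixable_findings(report_json, min_severity)
    for target, cve, pkg, have, fix, sev in findings:
        print(f"{sev:8} {cve} {pkg} {have} -> {fix} ({target})")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: trivy image -f json IMAGE | python gate.py [MIN_SEVERITY]
    sys.exit(gate(sys.stdin.read(), sys.argv[1] if len(sys.argv) > 1 else "HIGH"))
```

The unfixable CRITICAL finding in the sample is deliberately not a blocker, since failing the build on it would leave the team with no remediation path; track such findings separately.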

A container is only as secure as the code that runs in it and the infrastructure it runs on. In addition to container images and the applications within them, containers themselves can become security issues.

One of the more serious concerns arises when the container runtimes that launch and manage containers (software such as containerd, CRI-O, and rkt) themselves contain vulnerabilities.

In another post, I will be discussing the best Docker security practices to secure your Docker infrastructure.