vasant kumar chinnipilli
Vulnerability Management of Containers using OpenSource
Containers have revolutionized application development and have taken the enterprise by storm — in particular, the way they are built and scaled.
The same flexibility that makes containers useful to developers also poses many security challenges. The biggest cloud security threat facing container users is the false assumption that containers equal security.
In every container, there are naturally going to be many different and individually complex components that can all introduce security risks and vulnerabilities. As container adoption continues to grow, a strong focus on security is an absolute must.
1. Trivy
A simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for CI.
Install using Homebrew:
brew install aquasecurity/trivy/trivy
Install using the install script:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
Scan an image
trivy image knqyf263/vuln-image:1.2.3
2. Snyk
With Snyk, you can test, monitor, and protect your container images directly from the CLI.
Install using Homebrew:
brew install snyk
Install the Snyk CLI with npm:
npm install -g snyk
Scan an image
snyk test --docker ubuntu:latest
snyk test --docker ubuntu:latest --file=Dockerfile
snyk monitor --docker ubuntu:latest --file=Dockerfile
3. Anchore
The Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images.
apt-get install python-pip python-rpm yum -y
git clone https://github.com/anchore/anchore.git
cd anchore/
pip install --upgrade --user .
export PATH=~/.local/bin:$PATH
Scan an image
anchore --help
anchore feeds list
anchore feeds sync
anchore analyze --image hmlio/vaas-cve-2014-6271
anchore audit --image hmlio/vaas-cve-2014-6271 report
anchore query --image hmlio/vaas-cve-2014-6271 has-package curl wget
anchore query --image hmlio/vaas-cve-2014-6271 list-files-detail all
anchore query --image hmlio/vaas-cve-2014-6271 cve-scan all
anchore toolbox --image hmlio/vaas-cve-2014-6271 show
Screenshot: scanning an image
Screenshot: querying the results
4. Clair
Clair is an open-source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
curl -OL https://raw.githubusercontent.com/coreos/clair/master/contrib/compose/docker-compose.yml
mkdir clair_config && curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o clair_config/config.yaml
sed 's/clair-git:latest/clair:v2.0.1/' -i docker-compose.yml && \
sed 's/host=localhost/host=postgres password=password/' -i clair_config/config.yaml
docker-compose up -d postgres
curl -LO https://gist.githubusercontent.com/BenHall/34ae4e6129d81f871e353c63b6a869a7/raw/5818fba954b0b00352d07771fabab6b9daba5510/clair.sql
docker run -it \
  -v $(pwd):/sql/ \
  --network clair_default \
  --link clair_postgres:clair_postgres \
  postgres:latest \
  bash -c "PGPASSWORD=password psql -h clair_postgres -U postgres < /sql/clair.sql"
docker-compose up -d clair
curl -L https://github.com/optiopay/klar/releases/download/v1.5/klar-1.5-linux-amd64 -o /usr/local/bin/klar && chmod +x $_
Scan an image
CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 JSON_OUTPUT=true klar mysql:latest | jq
5. Dagda
Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running Docker containers in order to detect anomalous activities.
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
git clone https://github.com/eliasgranderubio/dagda.git
cd dagda && sudo pip3 install -r requirements.txt
docker pull mongo
docker run -d -p 27017:27017 mongo
apt-get -y install linux-headers-$(uname -r)
Scan an Image
python3 dagda.py start -d
export DAGDA_HOST='127.0.0.1'
export DAGDA_PORT=5000
python3 dagda.py vuln --init
python3 dagda.py vuln --init_status
python3 dagda.py check --docker_image jboss/wildfly
python3 dagda.py docker events
6. Continuous Container Security in the CI/CD
Security has traditionally been a separate process implemented by a different team. As DevOps teams move quickly to deploy containers through a continuous integration and delivery (CI/CD) pipeline, security should be a forethought instead of an afterthought. This can be achieved by automating container security scans in the CI/CD pipeline at the speed of DevOps.
You can use any of the open-source tools listed above and integrate them into your CI/CD pipeline to scan the images and identify vulnerabilities before a vulnerable image is ever deployed.
You can achieve this during the build phase by scanning the image after it is built, failing any build whose image has fixable vulnerabilities, and notifying the team responsible. After remediation, rescan and allow the build to be pushed into your registry.
In the image below, after the Build Docker task, an Image security scanning task scans the image produced by the Build Docker image task; the build fails because vulnerabilities were identified.
If you rescan the image after fixing or patching the discovered vulnerabilities, or if the image is free from vulnerabilities, the Image security scanning task succeeds and the image is pushed into the repository, from where it can be used for deployment.
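A build gate that applies the policy described above, added here as an example and not code from the original post: it reads the JSON report that Trivy produces with `trivy image -f json IMAGE`, keeps only the findings at or above a severity threshold that have a fix available, and exits non-zero so the pipeline stops before the push. The report keys used (Results, Vulnerabilities, Severity, FixedVersion) follow Trivy's JSON output; the embedded sample report and its CVE ids are constructed, and the script name `gate.py` is assumed.

```python
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def fixable_findings(report, min_severity="HIGH"):
    # Accept both Trivy JSON shapes: a bare list of results (older releases)
    # or an object with a "Results" key (SchemaVersion 2).
    results = report if isinstance(report, list) else report.get("Results") or []
    threshold = SEVERITY_RANK[min_severity.upper()]
    findings = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            # Block only on findings at/above the threshold that have a fix available;
            # unfixable ones are worth reporting but cannot be remediated by a rebuild.
            if SEVERITY_RANK.get(severity, 0) < threshold or not vuln.get("FixedVersion"):
                continue
            findings.append((severity, vuln.get("VulnerabilityID", ""), vuln.get("PkgName", ""),
                             vuln.get("InstalledVersion", ""), vuln["FixedVersion"]))
    return findings


def gate(report_json, min_severity="HIGH"):
    # Returns (allowed_to_push, blocking_findings) for use as a CI step.
    findings = fixable_findings(json.loads(report_json), min_severity)
    return len(findings) == 0, findings


# Constructed sample in Trivy's JSON layout; not output from a real scan.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "example/app:1.0", "Results": [{
    "Target": "example/app:1.0 (debian 11.6)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},  # fixable: blocks the push
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.3",
         "FixedVersion": "", "Severity": "HIGH"},  # no fix yet: reported, not blocking
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libnoise", "InstalledVersion": "0.9",
         "FixedVersion": "0.9.1", "Severity": "LOW"},  # below the HIGH threshold
    ]}]})

if __name__ == "__main__":
    # Pipe `trivy image -f json IMAGE` into this script; with no stdin it uses the sample.
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    allowed, findings = gate(report)
    for severity, cve, pkg, installed, fixed in findings:
        print(f"{severity:<8} {cve} {pkg} {installed} -> {fixed}")
    sys.exit(0 if allowed else 1)
```

In a pipeline step this becomes `trivy image -f json "$IMAGE" | python3 gate.py && docker push "$IMAGE"`, so the push only runs when the gate exits 0.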
A container is only as secure as the code that runs in it and as the infrastructure it runs on. In addition to container images and the applications within them, containers themselves can potentially become security issues.
One of the more serious concerns arises when the container runtimes that launch and manage containers (software such as containerd, CRI-O, and rkt) themselves contain vulnerabilities.
In another post, I will be discussing the best Docker security practices to secure your Docker infrastructure.