What is container scanning
Container scanning, akin to a digital security audit, meticulously examines containerised applications for potential vulnerabilities. By preemptively uncovering and addressing these weaknesses, it empowers development and security teams to fortify applications before they’re put into action.
Container scanning is a thorough security check for apps, meticulously spotting and rectifying vulnerabilities before they lead to any potential harm or breaches.
Container scanning basics
Container scanning is a security practice that involves analysing container images and their components for vulnerabilities and potential threats. This process helps identify security weaknesses early, allowing developers and security teams to address them before deploying applications, ensuring a safer and more secure environment.
What sorts of vulnerabilities can container scanning tools identify within containerised applications
Container scanning unveils an array of vulnerabilities within images and their elements:
- Obsolete Software: Spots outdated or risky software packages.
- Configuration Flaws: Identifies insecure settings or access issues.
- Known Exploits: Flags vulnerabilities targeted by attackers.
- Malware Traces: Detects hidden malicious code or malware.
- Cryptographic Weakness: Pinpoints encryption or key flaws.
- Hardening Lapses: Highlights deviations from secure configurations.
- Open Source Hazards: Reveals risky open-source components.
- Supply Chain Threats: Exposes vulnerabilities from third-party dependencies.
- Compliance Breaches: Identifies deviations from security standards.
- Runtime Risks: Detects vulnerabilities within the container runtime.
Empowering defence against these issues, container scanning safeguards applications and their users.
Comprehensive Container security
Comprehensive container security involves a holistic approach to safeguarding containerised applications and their environments. It encompasses:
- Image Scanning: Thoroughly analysing container images for vulnerabilities before deployment.
- Runtime Protection: Implementing measures to secure containers during runtime, like access controls and runtime monitoring.
- Network Security: Isolating containers and managing network traffic to prevent unauthorised access.
- Access Management: Employing identity and access management to control who can interact with containers.
- Logging and Monitoring: Monitoring container activities and logs to detect and respond to potential threats.
- Patch Management: Regularly updating container components to address security vulnerabilities.
- Compliance Assurance: Ensuring containers adhere to security and regulatory standards.
- Automation: Utilising automation for consistent security checks and swift response to emerging threats.
How does Container scanning work
Container scanning operates by meticulously examining container images and their components to uncover potential vulnerabilities. The process typically involves these steps:
- Image Analysis: The scanner analyses the container image’s file system, libraries, and software packages, comparing them against known vulnerabilities from databases.
- Vulnerability Detection: By matching the image’s components against a repository of known vulnerabilities, the scanner identifies outdated, insecure, or risky software.
- Risk Assessment: Detected vulnerabilities are categorised based on severity, providing insights into the potential impact on security.
- Reporting: The scanner compiles thorough reports that shed light on vulnerabilities, precisely showing where they exist, and offering clear steps to fix and enhance security, ensuring easy comprehension for all stakeholders.
- Integration: These scans can be seamlessly integrated into development pipelines, preventing vulnerable images from progressing to deployment.
- Continuous Monitoring: Regular scanning ensures ongoing security by detecting new vulnerabilities as software updates are released.
- Automation: Many organisations automate scanning to ensure all images are consistently checked for vulnerabilities.
By adhering to these steps, container scanning contributes significantly to preemptively identifying and mitigating security risks within containerised applications.
Container Security Scanner Challenges
- Varied Tool Depth: Remember, scanner choice influences results. Different tools offer different depths of insight, affecting your grasp of vulnerabilities.
- Configuration Caution: Some tools have extensive settings, potentially leading to confusion. Approach configurations carefully to avoid unnecessary complexity.
- Turning Scan into Action: Can you act on scan results? The value lies in transforming insights into actionable improvements, driving effective security measures.
Where and When to Use a Container Scanner
Container scanning strategically fits into two key points: during the build phase when crafting Docker images, and as a guardian when pushing or pulling from registries. Optimal security involves scanning before pushing to a trusted registry, ensuring a secure foundation for production deployment.
Introducing Powerful Allies in Container Security tools
Clair – Vigilant Analysis: Employ Clair for vigilant scrutiny, detecting vulnerabilities via static analysis.
Anchore – Image Insight: Harness Anchore’s prowess, diving deep into Docker images for thorough analysis.
Dagda – Malware Sentry: Trust Dagda to shield against Trojans, malware, and anomalies in Docker images.
Falco – Kubernetes Guardian: Enlist Falco to safeguard Kubernetes, the vigilant engine against threats.
Harbor – Artifact Fortress: Rely on Harbor’s open-source sanctuary, fortifying images with policies and trust.
Trivy – Comprehensive Sentry: Count on Trivy as a thorough watchdog, scanning containers and artifacts for vulnerabilities.
This array of tools reinforces container security, ensuring a robust defence comprehensible to all.
Container security using Anchore.
Anchore Engine:
Elevate Docker security effortlessly. Inspect, certify, and integrate with ease, ensuring trust in every container. Empower your CI/CD with Anchore Seamlessly scan images, bolster security, and streamline your development journey.
Anchore installation:
Anchore Engine’s installation is a breeze, guided by its Docker compose file. You’ll find clear instructions on GitHub and their Knowledge Base. While Anchore Engine handles the backend, scanning images calls for an additional element: a versatile scanner, be it the Anchore CLI or the convenient Jenkins plugin, both curated by Anchore.
To initiate a scan, add the image to the Anchore Engine with the following command
anchore-cli image add python:3
This command sets the image for scanning, prompting Anchore to initiate the process. Currently, tracking the completion of a scan involves querying the status
anchore-cli image get python:3
to monitor the status. Once an image is scanned, use the following command to list the reported CVEs in the image:
anchore-cli image vuln python:3 os
| Vulnerability ID | Package | Severity | Fix | Vulnerability URL |
| CVE-2017-1000379 | linux-libc-dev-4.9.88-1+deb9u1 | High | None | https://security-tracker.debian.org/tracker/CVE-2017-1000379 |
| CVE-2017-14062 | libidn11-1.33-1 | High | None | https://security-tracker.debian.org/tracker/CVE-2017-14062 |
| CVE-2017-15400 | libcups2-2.2.1-8+deb9u1 | High | None | https://security-tracker.debian.org/tracker/CVE-2017-15400 |
| CVE-2017-17458 | mercurial-4.0-1+deb9u1 | High | None | https://security-tracker.debian.org/tracker/CVE-2017-17458 |
Anchore scan can also report the artifacts present in the image, including Python packages, Ruby gems, os packages, and all other files on the filesystem.
anchore-cli image content python:3 python
| Package | Version | Location |
| Python | 2.7.13 | /usr/lib/python2.7/lib-dynload |
| argparse | 1.2.1 | /usr/lib/python2.7 |
| bzr | 2.8.0.dev1 | /usr/lib/python2.7/dist-packages |
| configobj | 5.0.6 | /usr/lib/python2.7/dist-packages |
| mercurial | 4 | /usr/lib/python2.7/dist-packages |
| pip | 10.0.1 | /usr/local/lib/python3.7/site-packages |
| setuptools | 39.2.0 | /usr/local/lib/python3.7/site-packages |
| six | 1.10.0 | /usr/lib/python2.7/dist-packages |
| wheel | 0.31.1 | /usr/local/lib/python3.7/site-packages |
| wsgiref | 0.1.2 | /usr/lib/python2.7 |
With this data, Anchore lets you evaluate the image against policies to check for security compliance. To do this, type:
anchore-cli evaluate check python:3
Image Digest: sha256:9d49a3fdfd4198061e10241ee2ff9d75fb270c80747973360c22cd553f1e228c
Full Tag: docker.io/python:3
Status: fail
Last Eval: 2018-07-11T13:20:58Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
By default, Anchore will only provide a summary of the evaluation. To obtain a full evaluation, you can pass the –detail flag, which provides the full evaluation:
anchore-cli evaluate check python:3 --detail
Image Digest: sha256:9d49a3fdfd4198061e10241ee2ff9d75fb270c80747973360c22cd553f1e228c
Full Tag: docker.io/python:3
Image ID: 17453243214e5dd215bdac0f00c639d82941e1d577ee959c842de73d533da572
Status: fail
Last Eval: 2018-07-11T13:22:12Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
Final Action: stop
Final Action Reason: policy_evaluation
| Gate | Trigger | Detail | Status |
| dockerfile | instruction | Dockerfile directive ‘HEALTHCHECK’ not found, matching condition ‘not_exists’ check | warn |
| vulnerabilities | package | MEDIUM Vulnerability found in os package type (dpkg) – imagemagick-6-common (CVE-2008-3134 – https://security-tracker.debian.org/tracker/CVE-2008-3134) | warn |
| vulnerabilities | package | MEDIUM Vulnerability found in os package type (dpkg) – imagemagick-6-common (CVE-2017-14528 – https://security-tracker.debian.org/tracker/CVE-2017-14528) | warn |
| vulnerabilities | package | MEDIUM Vulnerability found in os package type (dpkg) – imagemagick-6-common (CVE-2018-5248 – https://security-tracker.debian.org/tracker/CVE-2018-5248) | warn |
| vulnerabilities | package | MEDIUM Vulnerability found in os package type (dpkg) – imagemagick-6-common (CVE-2018-11251 – https://security-tracker.debian.org/tracker/CVE-2018-11251) | warn |
| vulnerabilities | package | MEDIUM Vulnerability found in os package type (dpkg) – mercurial (CVE-2018-1000132 – https://security-tracker.debian.org/tracker/CVE-2018-1000132) | warn |
The gates, thresholds, and evaluations are performed against a policy whose ID is mentioned above. Examine the policy by typing:
anchore-cli policy get 2c53a13c-1765-11e8-82ef-23527761d060 --detail
This outputs a JSON of the policy. The open source Anchore Engine lets you define and activate custom policies, but it doesn’t come with a visual policy editor, so trying to edit the policies by hand can be tricky. Anchore also works well with private registries; add them using:
anchore-cli registry add <registry> <username> <password>
Anchore can also be configured to scan repositories and add any tags found in the repository. Once added, the Anchore engine will poll the registry periodically and schedule them to be analyzed.
