Vulnerability scanning for Docker Images
A security vulnerability is not the same thing as a virus. It is a logical or implementation defect that leaves a system weak in a way an attacker can use to compromise it. Such flaws occur in well-intentioned source code, and they can remain undetected for years until someone finds them, either deliberately or by chance.
Docker Images Vulnerability Scanning
Vulnerability scanning should be a core part of any Docker security approach: it is the process of identifying known security flaws in the contents of a container image. Building the images that will later be pulled and run in the QA, staging, and production environments is a critical step in the continuous integration pipeline, so whether we build images from our own source code or on top of publicly available base images, it is essential to analyse them and surface any known vulnerabilities before they are deployed. This process is what we refer to as Docker vulnerability scanning.
How it works
An image scanner typically builds an inventory of what a container image contains: the operating system packages recorded in the image's package database, application dependencies, binaries, and libraries in each layer. That inventory is then compared against public vulnerability databases (the CVE list and the distributions' own security trackers) to find packages whose installed version is affected by a known vulnerability and has not yet been upgraded to the fixed version.
Methodologies used in scanning
Static scanning - Analyses the image contents before any container is started from it, so vulnerabilities are found at build time, before deployment
Dynamic scanning - Runs against a live container to find vulnerable software, binaries, and libraries that only appear at runtime, such as packages installed after the image was built
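To make the scanning process described above concrete, here is an added example (written for this page, not code from any of the scanners discussed below) of the two steps a static scanner performs: it reads the package database out of a layer tarball to build an inventory, then compares each installed version against a vulnerability feed using the distribution's version ordering. The layer, its dpkg status file, the DEMO-* feed entries and their fixed-in versions are all constructed; the version comparison is a simplified dpkg ordering, enough for the sample but not a replacement for the real algorithm.

```python
"""Toy static image scanner, constructed sample data throughout: read a layer's
package database into an inventory, then match it against a vulnerability feed."""
import io
import itertools
import re
import tarfile

# Constructed /var/lib/dpkg/status as a Debian-based layer carries it (illustrative only).
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1k-1+deb11u1

Package: libc6
Status: install ok installed
Version: 2.31-13+deb11u5

Package: curl
Status: deinstall ok config-files
Version: 7.74.0-1.3+deb11u1
"""

# Constructed feed; DEMO-* ids are placeholders, not real advisories.
VULN_FEED = [
    {"id": "DEMO-0001", "package": "openssl", "fixed_in": "1.1.1n-0+deb11u1", "severity": "High"},
    {"id": "DEMO-0002", "package": "libc6", "fixed_in": "2.31-13+deb11u4", "severity": "Medium"},
    {"id": "DEMO-0003", "package": "curl", "fixed_in": "7.74.0-1.3+deb11u2", "severity": "High"},
]


def build_layer_tar(status_text):
    """In-memory layer tarball holding just the dpkg status file."""
    buf = io.BytesIO()
    data = status_text.encode()
    info = tarfile.TarInfo("var/lib/dpkg/status")
    info.size = len(data)
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_dpkg_status(text):
    """{package: version} for stanzas whose Status says the package is installed."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        fields = {k.strip(): v.strip() for k, v in fields.items()}
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def inventory_from_layer(layer_bytes):
    """Step 1 of a scanner: pull the package database out of a layer tarball."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as tar:
        return parse_dpkg_status(tar.extractfile("var/lib/dpkg/status").read().decode())


def _weight(c):
    """dpkg ordering of non-digit characters: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a, b):
    """Compare alternating non-digit / digit runs the way dpkg does."""
    runs = re.compile(r"(\D*)(\d*)")
    for (sa, na), (sb, nb) in itertools.zip_longest(runs.findall(a), runs.findall(b), fillvalue=("", "")):
        for ca, cb in itertools.zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return _weight(ca) - _weight(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0


def dpkg_compare(v1, v2):
    """Simplified dpkg ordering: epoch, then upstream, then Debian revision. <0, 0 or >0."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, "0"
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)


def scan(inventory, feed):
    """Step 2: a finding is an installed package older than the version that fixes it."""
    return [{**v, "installed": inventory[v["package"]]} for v in feed
            if v["package"] in inventory and dpkg_compare(inventory[v["package"]], v["fixed_in"]) < 0]


if __name__ == "__main__":
    inv = inventory_from_layer(build_layer_tar(DPKG_STATUS))
    for f in scan(inv, VULN_FEED):
        print(f"{f['severity']:<7} {f['id']}: {f['package']} {f['installed']} < {f['fixed_in']}")
```

Two details in the sample matter in practice. curl is in state deinstall/config-files, so it is not in the inventory and is not reported, even though files from it may still sit in the layer; and libc6 is not reported because its revision (deb11u5) is newer than the fix (deb11u4), which is exactly why a scanner must use the distribution's own version ordering rather than a plain string comparison.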
Open-source scanners to find vulnerabilities in Docker images
Anchore
Anchore is open-source software for inspecting and analysing container images. The Anchore Engine can be run on its own or alongside orchestration platforms such as Kubernetes, Amazon ECS, and Docker Swarm.
Anchore features
- Provides inline scans and deep inspection of container images, OS packages, and software artefacts such as JAR files
- Ships a Jenkins plugin, so scanning can be added to the CI/CD pipeline and vulnerabilities caught before an image is promoted
- Supports custom policies that check for vulnerabilities, configuration files, secrets baked into the image, exposed ports, and more.
Aqua Security
The Aqua Container Security Platform covers the full lifecycle of a containerised application, from development to production. It is a security platform that ensures that applications running in containers are secure and that the environment they run in is secure. It scans tens of thousands of images in a matter of minutes.
Amazon ECR Image scanning
Amazon ECR basic scanning uses the open-source Clair project and its Common Vulnerabilities and Exposures (CVE) data. ECR repositories can be configured to scan automatically on image push, or an image can be scanned manually with basic scanning. In both cases, ECR returns a list of findings, each with a link to the advisory that describes the problem and the version that fixes it.
AWS provides this feature free of charge, and it is subject to the stated ECR service quota so that all customers get a fair and reliable scanning experience. For image scanning, AWS throttles each image to one scan every 24 hours; attempts to scan the same image again during that period generate a ThrottlingException. A CI job should therefore read the findings of the scan that already ran rather than retry the scan.
(Screenshot of an ECR image scan findings report, not reproduced here.)
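As an added example of how a pipeline would consume those findings (this is not AWS code; the response shape follows the output of describe-image-scan-findings, the sample response and its DEMO-* finding names are constructed, and fetch_findings assumes the boto3 ECR client with its image_scan_complete waiter), the gate below fails the build on findings at or above a chosen severity, honours an allowlist of accepted findings, and refuses to treat an incomplete scan as clean. Because of the one-scan-per-24-hours throttle it reads the findings from the scan that ran on push instead of starting a new one.

```python
"""Gate a CI job on Amazon ECR basic-scan findings. Added example, not AWS code.
The JSON shape is that of `aws ecr describe-image-scan-findings`; the sample
response below is constructed and its DEMO-* finding names are placeholders."""
import json
import sys

# Severity labels ECR uses, least to most serious; unknown labels rank above all of them.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "UNDEFINED"]

SAMPLE_RESPONSE = json.loads("""
{
  "registryId": "123456789012",
  "repositoryName": "demo/app",
  "imageId": {"imageDigest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
              "imageTag": "1.0.0"},
  "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
  "imageScanFindings": {
    "findings": [
      {"name": "DEMO-0001", "severity": "HIGH",
       "attributes": [{"key": "package_name", "value": "openssl"},
                      {"key": "package_version", "value": "1.1.1k-1+deb11u1"}]},
      {"name": "DEMO-0002", "severity": "LOW",
       "attributes": [{"key": "package_name", "value": "libtasn1-6"},
                      {"key": "package_version", "value": "4.16.0-2"}]}
    ],
    "findingSeverityCounts": {"HIGH": 1, "LOW": 1}
  }
}
""")


def severity_rank(severity):
    """Rank a severity label; a label we do not know ranks as most serious, never as harmless."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        return len(SEVERITY_ORDER)


def evaluate(response, fail_on="HIGH", allowlist=()):
    """Return the findings that should block the pipeline.

    Raises if the scan is not COMPLETE, so an in-progress or failed scan
    is never mistaken for a clean one."""
    status = response["imageScanStatus"]["status"]
    if status != "COMPLETE":
        raise RuntimeError(f"scan status is {status}, not COMPLETE")
    blocking = []
    for finding in response["imageScanFindings"]["findings"]:
        if finding["name"] in allowlist:
            continue  # accepted risk, recorded out of band
        if severity_rank(finding["severity"]) >= severity_rank(fail_on):
            attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
            blocking.append({"name": finding["name"], "severity": finding["severity"],
                             "package": attrs.get("package_name"),
                             "version": attrs.get("package_version")})
    return blocking


def fetch_findings(repository, tag, region=None):
    """Fetch live findings with boto3 (imported here so the rest runs without AWS).

    StartImageScan is deliberately not called: ECR allows one scan per image per
    24 hours, so the job waits for the scan-on-push result and reads that."""
    import boto3
    ecr = boto3.client("ecr", region_name=region)
    image_id = {"imageTag": tag}
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repository, imageId=image_id)
    # maxResults=1000 is the API maximum; larger result sets would need the nextToken pagination.
    return ecr.describe_image_scan_findings(repositoryName=repository, imageId=image_id, maxResults=1000)


if __name__ == "__main__":
    response = SAMPLE_RESPONSE
    if len(sys.argv) == 3:  # usage: gate.py <repository> <tag>
        response = fetch_findings(sys.argv[1], sys.argv[2])
    blocking = evaluate(response, fail_on="HIGH")
    for f in blocking:
        print(f"{f['severity']:<8} {f['name']} {f['package']} {f['version']}")
    sys.exit(1 if blocking else 0)
```

Run without arguments it evaluates the constructed sample and exits non-zero because of the HIGH finding; with a repository and tag it evaluates the live ECR result. Keeping the allowlist explicit and reviewed is what stops a gate like this from silently decaying into "allow everything".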
Clair
Clair is an open-source project that performs static analysis of vulnerabilities in Docker and application containers. Using the Common Vulnerabilities and Exposures (CVE) database and the equivalent security feeds from Red Hat, Ubuntu, and Debian, Clair examines each layer of a container image and reports vulnerabilities that may pose a threat. It is an API-driven analysis engine that indexes the features (packages) found in each layer and matches them against known security issues.
Clair features
- Exposes an API through which clients submit image layers and query which vulnerabilities affect them
- Reports vulnerabilities already known in the images it has indexed and, when wired into the pipeline, stops them from being introduced into new builds
- Offers a REST API for integration with other applications
- When vulnerability metadata is updated, Clair sends a notification so that other systems can re-check layers they already indexed
- Provides an HTML report with all of the scan's details (generated by client tools such as clairctl).
How to use Clair to scan Docker image vulnerabilities
As a proof of concept, this Clair tutorial concentrates on scanning local container images. The initial set-up consists of downloading the Clair configuration, starting a Postgres database, and running the Clair image against it.
Setting up Clair and Postgres
Clair can run as a single instance or as part of a high-availability cluster; in production it should run as several instances if possible. Clair is distributed as a Docker image, so we assume a working Docker installation is already in place.
Downloading the Clair config file into a directory that will be mounted into the container.
mkdir -p "$PWD/clair_config"
curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o "$PWD/clair_config/config.yaml"
Spinning up the Postgres container first, since Clair needs the database at start-up. The sample config connects as user postgres without a password, so the container must be told to allow that (recent postgres images refuse to start with an empty POSTGRES_PASSWORD). Trust authentication is acceptable only for this local proof of concept, so bind the port to loopback.
docker run -d --name clair-db -e POSTGRES_HOST_AUTH_METHOD=trust -p 127.0.0.1:5432:5432 postgres:9.6
Starting Clair with the config.yaml file. With --net=host the container shares the host's network namespace, so -p flags are not needed (Docker ignores them) and Clair reaches Postgres at localhost:5432, which is what the sample config expects.
docker run --net=host -d --name clair -v "$PWD/clair_config":/config arminc/clair-local-scan:v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1 -config=/config/config.yaml
The Clair API server listens on TCP 6060 and the Clair health API on TCP 6061. To verify, call the health endpoint; an HTTP 200 means Clair is up and can reach its database.
curl -i http://localhost:6061/health
Note that on first start Clair downloads the vulnerability feeds, which can take a long time; an image analysed before that update finishes will report few or no vulnerabilities, so check the Clair logs before trusting an early clean result.
Setting up clairctl
clairctl is a command-line tool for interacting with the Clair service: it pushes an image's layers to Clair, triggers the analysis, and renders the report.
mkdir -p clair/docker-compose-data/clair-config
wget https://raw.githubusercontent.com/jgsqware/clairctl/master/docker-compose.yml --directory-prefix=clair/docker-compose-data/
wget https://raw.github.com/jgsqware/clairctl/master/docker-compose-data/clair-config/config.yml --directory-prefix=clair/docker-compose-data/clair-config/
cd clair/docker-compose-data
Since Clair and Postgres are already running, remove those two services from docker-compose.yml and run only the clairctl service. Check that the Clair address in clair-config/config.yml points at the running Clair instance as seen from inside the clairctl container, then start it in the background so the same terminal can be used for the exec commands that follow.
docker-compose up -d
Next, analyse an image. docker-compose exec clairctl runs a command inside the clairctl container, and the rest of the line is the clairctl invocation. The -l (--local) flag tells clairctl to read the image from the local Docker daemon rather than from a remote registry, so the image must already be present locally; in this example it is mcr.microsoft.com/dotnet/aspnet:3.1.22-alpine3.14.
docker-compose exec clairctl clairctl analyze -l mcr.microsoft.com/dotnet/aspnet:3.1.22-alpine3.14
Then generate the vulnerability report for the same mcr.microsoft.com/dotnet/aspnet image with the clairctl report command, which writes an HTML report listing the findings per layer and package.
docker-compose exec clairctl clairctl report -l mcr.microsoft.com/dotnet/aspnet:3.1.22-alpine3.14
Conclusion
With the rise of cloud-native technologies such as Kubernetes for running applications in cloud and hybrid environments, security teams must understand these concepts quickly in order to put appropriate guardrails and controls in place. Docker was designed with security in mind, and several of its built-in capabilities help protect the host and the workloads running on it. Image vulnerability scanning is not the only component of a container security strategy, but it is an important one: it catches known-vulnerable packages before an image reaches production. It should be paired with other tools, such as runtime monitoring of the container environment and software composition analysis of the open-source code built into the application, which detect issues that image scanners cannot.