Learn about Container Vulnerability Scanning Options

Piotr

In the world of DevOps, Docker has become a fundamental technology for containerization. However, with great power comes great responsibility, especially regarding security. Docker images are the building blocks of containers, and they need to be as secure as possible. One crucial aspect of Docker security is vulnerability scanning. In this blog post, we’ll explore Docker image vulnerability scanning options and how they can enhance the security of your DevOps pipeline.

The Importance of Docker Image Vulnerability Scanning

Docker images are essentially lightweight, stand-alone, and executable packages containing everything needed to run the software, including the code, runtime, libraries, and system tools. While containers provide many advantages, they also introduce new security challenges, particularly regarding software vulnerabilities.

As a DevOps practitioner, you must ensure that the Docker images you use and build are free from known vulnerabilities. These vulnerabilities could be anything from outdated libraries and packages to security issues that may put your entire application at risk. Docker image vulnerability scanning identifies and addresses these vulnerabilities before malicious actors exploit them.

Docker Image Vulnerability Scanning Options

There are several tools and services available for Docker image vulnerability scanning. Here are some of the most popular options:

  1. Docker Security Scanning (DSS): Docker’s own vulnerability scanning tool, DSS, is a cloud service that automatically scans your Docker images for vulnerabilities. It integrates seamlessly with Docker Hub and Docker Cloud. While Docker Security Scanning is effective, it may have limitations regarding scanning frequency and the number of allowed scans for free users.
  2. Trivy: Trivy is an open-source vulnerability scanner specifically designed for containers and their dependencies. It’s easy to integrate into your DevOps pipeline, supports various container image formats, and provides detailed vulnerability reports. Trivy is a powerful tool; you have full control over its configuration since it’s open source.
  3. Clair: Clair is an open-source container vulnerability scanner developed by the CoreOS team and is now maintained by the community. It can be integrated with various container registries and scan images for known vulnerabilities in real-time.
  4. Anchore: Anchore is an open-source project that provides a comprehensive vulnerability scanning solution. It allows you to define your policies for image security and compliance. Anchore integrates well with various CI/CD tools and registries.
  5. Aqua Trivy: This is the commercial version of the open-source Trivy tool, offered by Aqua Security. It adds features and support for enterprise environments, including integration with CI/CD pipelines and vulnerability remediation.

Let’s try out some of the options.

Trivy

Here is a short guide on how to get started with Trivy for container image vulnerability scanning:

  1. Install Trivy on your machine. You can follow one of the methods described in Trivy Security Scanner: Vulnerability Scanning Guide or Installing Trivy. For example, if you are using Linux, you can install Trivy using the following commands:
     sudo apt-get install wget apt-transport-https gnupg lsb-release
     wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
     echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
     sudo apt-get update
     sudo apt-get install trivy

  2. Scan a container image using Trivy. You can scan a local or remote image by passing its tag to the trivy image command. For example, to scan the python:latest image, you can run:
     trivy image --severity CRITICAL --report summary python:latest

The scan will show the number of CRITICAL vulnerabilities found, their severity, a brief description, and a link to get more information. For example:

2023-10-21T22:39:20.103+0200    INFO    Vulnerability scanning is enabled
2023-10-21T22:39:20.103+0200    INFO    Secret scanning is enabled
2023-10-21T22:39:20.103+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-21T22:39:20.103+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-21T22:39:21.459+0200    INFO    Detected OS: debian
2023-10-21T22:39:21.459+0200    INFO    Detecting Debian vulnerabilities...
2023-10-21T22:39:21.571+0200    INFO    Number of language-specific files: 1
2023-10-21T22:39:21.571+0200    INFO    Detecting python-pkg vulnerabilities...

python:latest (debian 12.2)

Total: 3 (CRITICAL: 3)
...
  3. Fix the vulnerabilities in your container image or Dockerfile. You can use the information provided by Trivy to update the packages or layers that introduce the vulnerabilities, or switch to an alternative, more secure base image. For example, to fix the vulnerabilities in the python:latest image, you can modify its Dockerfile as follows:
     # Use a more secure base image that has fewer vulnerabilities than debian:buster-slim
     FROM debian:stretch-20210329-slim

     # Update the packages to their latest versions that fix the vulnerabilities
     RUN apt-get update && \
         apt-get install -y --no-install-recommends \
         # Install curl and fix CVE-2011-3374, CVE-2020-27350 in apt and libapt-pkg5.0
         curl=7.52.* \
         # Install openssl and fix CVE-2020-1971 in libssl1.1
         openssl=1.1.* \
         # Install ca-certificates and fix CVE-2016-6304 in libssl-dev
         ca-certificates=20161130* && \
         rm -rf /var/lib/apt/lists/*

     # Copy python layers into the image.
     # .... (remaining layers omitted)
  4. Scan your container image again using Trivy to verify the vulnerabilities are fixed.
     trivy image python:latest
  5. Integrate Trivy with your CI/CD pipeline, registry, or other platforms. Trivy can scan your container images as part of your build process or as a post-build step. You can also use Trivy to scan images in your registry or on other platforms such as GitHub, GitLab, Travis, and CircleCI. Refer to the Ecosystem page for more information on integrating Trivy with various systems.
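To turn the scan in step 5 into a build gate, a small script can read Trivy's JSON output and fail the job when findings above a chosen severity remain. The following is an added example, not code from the post or from the Trivy project; it assumes a report produced with trivy image --format json -o report.json <image>, and the embedded report is a constructed sample with placeholder CVE IDs and versions.

```python
"""CI gate over a Trivy JSON report (SchemaVersion 2 layout). Added example;
assumes `trivy image --format json -o report.json <image>` was run beforehand."""
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON output. The CVE IDs,
# package versions and severities are placeholders, not real scan findings.
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "python:latest",
 "Results": [
  {"Target": "python:latest (debian 12.2)", "Class": "os-pkgs", "Type": "debian",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.0-1",
     "FixedVersion": "3.0.0-2", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "InstalledVersion": "2.36-1",
     "FixedVersion": "", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl", "InstalledVersion": "7.88.1-1",
     "FixedVersion": "7.88.1-2", "Severity": "HIGH"}]},
  {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pip", "InstalledVersion": "23.0",
     "FixedVersion": "23.1", "Severity": "MEDIUM"}]}]}
""")

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def findings(report, ignore_unfixed=False):
    """Yield (target, vuln) pairs across all results. With ignore_unfixed=True,
    findings that have no FixedVersion are skipped, mirroring --ignore-unfixed."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent/null
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            yield result["Target"], vuln


def count_by_severity(report, ignore_unfixed=False):
    """Severity histogram like the 'Total: N (CRITICAL: x, ...)' summary line."""
    counts = Counter(v["Severity"] for _, v in findings(report, ignore_unfixed))
    return {s: counts.get(s, 0) for s in SEVERITIES}


def gate(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return (passed, offending_lines). passed is False if any finding at a
    severity listed in fail_on remains, so the CI job can exit non-zero."""
    offending = [f"{t}: {v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']}"
                 f" -> {v.get('FixedVersion') or 'no fix yet'} [{v['Severity']}]"
                 for t, v in findings(report, ignore_unfixed) if v["Severity"] in fail_on]
    return not offending, offending


if __name__ == "__main__":
    print(count_by_severity(SAMPLE_REPORT))
    ok, lines = gate(SAMPLE_REPORT, ignore_unfixed=True)
    print("\n".join(lines))
    raise SystemExit(0 if ok else 1)
```

In a pipeline, replace SAMPLE_REPORT with json.load(open("report.json")) and let the exit status decide whether the image may be pushed.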

Best Practices for Docker Image Vulnerability Scanning

  • Automate Scanning: Integrate vulnerability scanning into your CI/CD pipeline to scan Docker images at every build or update automatically.
  • Prioritize Fixes: Not all vulnerabilities are equally critical. Prioritize addressing high-risk vulnerabilities over lower-risk ones. Your vulnerability scanner should provide severity ratings.
  • Regular Scanning: Perform regular scans to ensure that your images stay secure. New vulnerabilities are always discovered, and keeping images updated is crucial.
  • Collaboration: Share vulnerability reports with your development and security teams so that they can collaborate on mitigation and remediation efforts.
  • Image Whitelisting: Only allow trusted images into your production environment and use image whitelisting to restrict the sources of container images.

In conclusion, Docker image vulnerability scanning is critical to securing your DevOps pipeline. With the right scanning tools and best practices, you can identify and mitigate security risks in your Docker images, ensuring that your containers remain a safe and reliable part of your application deployment process. Security is ongoing; regular scanning and updates are key to securing your containerised applications.