jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Scan Docker and/or Heroku containers for vulnerable software versions #209

Closed dwvisser closed 2 years ago

dwvisser commented 9 years ago

In principle, Docker image files and Heroku slug files are just decorated .tar.gz files, that can be expanded and scanned, if one knows where to look in them.

The proposal here is to create an Analyzer or Analyzers capable of unpacking the appropriate parts of these files and scanning them. In the Docker case, typically a Dockerfile specifies the creation of an image with a known base image. I hope this means that the image gets deployed as a diff on top of a base OS/Framework image. That would narrow down the possibilities in the space of contents to scan.
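The unpack-and-scan idea in this comment, as an added example that is not part of the original thread or of dependency-check itself: it assumes the `docker save` archive layout (a `manifest.json` whose `Layers` list the layer tarballs, base layer first), builds a constructed two-layer image in memory, applies the layers in order (honouring `.wh.` whiteout entries so a file deleted by a later layer is not reported) and returns the dependency artifacts that an analyzer would hand to dependency-check; the suffix list is an assumption.

```python
import io
import json
import tarfile

# Suffixes an analyzer would hand on to dependency-check (assumed list).
ARTIFACT_SUFFIXES = (".jar", ".war", "pom.xml", "package.json", "requirements.txt")


def _add(tar, name, data):
    """Append one regular file to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image():
    """Constructed image: layer 1 ships foo-1.0.jar, layer 2 whites it out and adds foo-1.1.jar."""
    layer_files = (
        {"app/lib/foo-1.0.jar": b"jar1", "app/package.json": b"{}"},
        {"app/lib/.wh.foo-1.0.jar": b"", "app/lib/foo-1.1.jar": b"jar2", "etc/hosts": b""},
    )
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as tar:
        names = []
        for i, files in enumerate(layer_files):
            buf = io.BytesIO()
            with tarfile.open(fileobj=buf, mode="w") as layer:
                for name, data in files.items():
                    _add(layer, name, data)
            names.append(f"layer{i}/layer.tar")
            _add(tar, names[-1], buf.getvalue())
        _add(tar, "manifest.json", json.dumps([{"Layers": names}]).encode())
    return image.getvalue()


def artifacts_to_scan(image_bytes):
    """Apply layers bottom-up and return the dependency artifacts still visible."""
    present = set()
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:  # base layer first
            blob = io.BytesIO(image.extractfile(layer_name).read())
            with tarfile.open(fileobj=blob) as layer:
                for member in layer.getmembers():
                    head, _, tail = member.name.rpartition("/")
                    if tail.startswith(".wh."):  # whiteout: file deleted by this layer
                        present.discard(f"{head}/{tail[4:]}" if head else tail[4:])
                    elif member.isfile():
                        present.add(member.name)
    return sorted(p for p in present if p.endswith(ARTIFACT_SUFFIXES))
```

Only files that survive in the final, flattened filesystem are reported, which is what narrows the scan to the image as deployed rather than to every layer's contents.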

dwvisser commented 9 years ago

FYI. If this capability were added, it could automate the analysis done by the researchers in this article: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities

From their conclusion:

Our findings advocate a rigorous operations management process where images are analyzed in real-time to provide full visibility into their contents. The images should be scanned for security vulnerabilities, and selectively marked for rebuild depending on the relevance and severity of the vulnerabilities. Any major vulnerability should be identified instantly and there should be an option to trigger an immediate quarantine of susceptible images. The images not only need to be scanned for OS-level package vulnerabilities, but also application-level package vulnerabilities. These processes need to be efficiently integrated into a continuous deployment framework to realize the full benefits of containers while simultaneously maintaining good security practices.

alex-leonhardt commented 8 years ago

+1

stevespringett commented 8 years ago

+1 See also: https://github.com/coreos/clair https://coreos.com/blog/vulnerability-analysis-for-containers/

hansjoachim commented 8 years ago

Another related project: Red Hat and Black Duck are teaming up to scan and verify containers. I haven't looked more into the project itself, but the press release has some information: http://www.redhat.com/en/about/press-releases/red-hat-and-black-duck-collaborate-deliver-secure-and-trusted-linux-containers-enterprise

Relevant quote: "Black Duck’s KnowledgeBase (..) includes information on 1.1 million open source projects, with detailed data on more than 100,000 known open source vulnerabilities across more than 350 billion lines of code." Might be something which DependencyCheck can integrate/use in some way, as well.

devstuff commented 8 years ago

The Docker Security Scanning add-on service was just made available for images stored in Docker Cloud.

dwvisser commented 8 years ago

I saw that, too. Definitely a good thing! However, it's still not much help for private images not uploaded to Docker's infrastructure.

ghost commented 7 years ago

Take a look at

https://hub.docker.com/r/deepfenceio/deepfence_depcheck/

This utility wraps OWASP dependency checker + Retire.js scanner in a Golang wrapper. It abstracts the differences in output and emits a compact JSON output with as many details as possible. The only thing missing in this tool is the ability to suppress false positives, which is planned.

dwvisser commented 2 years ago

Nowadays, the docker scan command exists.

RyanStanbury commented 2 years ago

I would still like it if this feature could be implemented, as the docker scan command seems to only work for Dockerfiles uploaded to DockerHub.

albuch commented 2 years ago

@RyanStanbury There are already other open source tools like https://github.com/quay/clair, https://github.com/aquasecurity/trivy and https://github.com/future-architect/vuls that can do this.

RyanStanbury commented 2 years ago

@albuch These both seem to be for scanning containers rather than Dockerfiles, which isn't what I'm looking for. I can keep looking for other open source tools to do the job if this tool isn't planning on supporting this.

albuch commented 2 years ago

Are you sure? Trivy is scanning images; it doesn't need a running container.

RyanStanbury commented 2 years ago

@albuch For my use case, I can't always build the Docker image using the Dockerfile, as I might be missing required service accounts or pipeline secrets used by our developers. That makes tools that require a built image unusable for me, which is why I was looking for something that only required the Dockerfile. I know scanning the built container could generally be better than just the Dockerfile, but that will take a lot longer for my team to implement. We were also looking for this to be an "additional to" rather than "in replacement of" container scanning.

I did end up getting trivy working to scan the Dockerfile, but it doesn't seem to be able to support scanning for vulnerable dependency versions.