nginxinc / kubernetes-ingress

NGINX and NGINX Plus Ingress Controllers for Kubernetes
https://docs.nginx.com/nginx-ingress-controller
Apache License 2.0
4.62k stars 1.96k forks

Investigate image maintenance for reduced CVEs #4857

Closed brianehlert closed 1 month ago

brianehlert commented 8 months ago

Investigate image maintenance processes around:

The expectations that we are trying to meet are:

The goal is for us to understand the impacts of updating our processes to meet these increased expectations. How many versions back we would actively maintain.

Things to bear in mind: What are the interactions with other capabilities such as readOnlyRootFilesystem and NAP WAF.

### Tasks
- [ ] ~POC - CIS Hardening~
- [ ] ~POC - Make use of leaner images~
- [ ] ~https://github.com/nginxinc/kubernetes-ingress/issues/5395~
- [ ] ~SPIKE - Options for image update notifications~

jjngx commented 8 months ago

References:

CIS Hardening and verification OSS tools

Docker Bench for Security is an open source script that audits containers according to the CIS benchmark’s best practices. It performs tests based on CIS benchmark recommendations, and logs its findings.

For each CIS benchmark recommendation, the tool provides Info (issues found), Warning (container does not meet the recommendation), or Pass (container is compliant). You can run the tool from the Docker host, directly on the host operating system, or clone it with Docker Compose.

OpenSCAP includes multiple open security benchmark guidelines, configuration criteria, and open source tools that can help test for security issues, including the CIS benchmark. It is focused on the NIST-certified Secure Content Automation Protocol (SCAP), which includes many automated security policies.

OpenSCAP goes wider than the CIS recommendations, including many other recommendations, some of which are not specific to a containerized environment. It can be useful for identifying additional security concerns not covered by the CIS guidelines.

Syft: A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

Grype: A vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.
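
As an added example for the Syft/Grype workflow mentioned above (not tooling from the kubernetes-ingress project or from the comment's author), the script below turns a Grype JSON report into a build gate: it counts findings by severity and returns the ones that should block an image release, optionally restricted to findings that already have an upstream fix, since those are the CVEs a base-image rebuild can actually remove. It assumes a report shaped like `grype -o json` output (top-level `matches`, each with `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.state` and `artifact.name`/`artifact.version`); that shape, the severity names and the `--fail-on`/`--only-fixed` semantics it mirrors are assumptions stated here, and the embedded report is constructed sample data, not a scan of any NIC image.

```python
"""Gate a container image build on a Grype vulnerability report.

Added example for this thread; not the project's own tooling. The report
layout below is assumed to follow `grype -o json` (e.g. produced from an
SBOM with `syft <image> -o syft-json` and `grype sbom:./sbom.json -o json`).
"""
import json
import sys
from collections import Counter

# Grype severity scale, lowest to highest (assumed ordering).
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample report: placeholder CVE ids and package names,
# not findings from any real image.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.3-r1"]}},
         "artifact": {"name": "libexample", "version": "1.2.3-r0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "libother", "version": "2.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["0.9.1"]}},
         "artifact": {"name": "tinytool", "version": "0.9.0"}},
    ]
})


def parse_matches(report_json: str) -> list[dict]:
    """Flatten Grype matches into simple records (one per finding)."""
    data = json.loads(report_json)
    records = []
    for match in data.get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        fix = vuln.get("fix", {})
        records.append({
            "id": vuln["id"],
            # Normalise case so "high" and "High" compare equal.
            "severity": str(vuln.get("severity", "Unknown")).capitalize(),
            "fixed": fix.get("state") == "fixed",
            "fix_versions": fix.get("versions", []),
            "package": f"{art['name']}@{art['version']}",
        })
    return records


def summarize(records: list[dict]) -> Counter:
    """Count findings per severity label."""
    return Counter(r["severity"] for r in records)


def gate(records: list[dict], fail_on: str = "High", only_fixed: bool = True) -> list[dict]:
    """Return the findings that should fail the build.

    Mirrors Grype's --fail-on / --only-fixed idea: findings at or above
    `fail_on` severity, optionally limited to those with an upstream fix.
    Findings with an unrecognised severity are reported but never block.
    """
    threshold = SEVERITY_ORDER.index(fail_on)
    blocking = []
    for r in records:
        if r["severity"] not in SEVERITY_ORDER:
            continue
        if SEVERITY_ORDER.index(r["severity"]) < threshold:
            continue
        if only_fixed and not r["fixed"]:
            continue
        blocking.append(r)
    return blocking


if __name__ == "__main__":
    # Usage: python gate.py [grype-report.json]; falls back to the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = parse_matches(raw)
    print("findings by severity:", dict(summarize(findings)))
    blockers = gate(findings)
    for b in blockers:
        print(f"BLOCK {b['id']} {b['severity']} {b['package']} fix: {b['fix_versions']}")
    sys.exit(1 if blockers else 0)
```

Running it against the sample blocks only CVE-0000-0001 (Critical, fixable): the High finding has no fix yet, so with `only_fixed=True` it is reported but does not fail the build, which is the distinction that matters when deciding whether a rebuild of the 'current' image is actually worth shipping.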

jjngx commented 7 months ago

Updated CIS Benchmarks - January 2024 link

brianehlert commented 4 months ago

Based on conversation and need - I am tempted to close this as an investigation. Thinking that we have decided to: regularly patch the images for the 'current' release.

The question seems to be how we tag the images.

NGINX uses a date tag, and that could be an easy way to discover and pull an updated image when only the image has been updated but none of the NIC code has been updated.

brianehlert commented 1 month ago

This looks like it should be closed.

brianehlert commented 1 month ago

@danielnginx is this completed? I thought we had a path forward.

brianehlert commented 1 month ago

This remains in 3.6 and is blocking closing the release. Is this completed? Still valid?