pulp / pulp_container

Pulp Container Registry
https://docs.pulpproject.org/pulp_container/
GNU General Public License v2.0

Add security scanner integration #463

Open pulpbot opened 2 years ago

pulpbot commented 2 years ago

Author: @bmbouter (bmbouter)

Redmine Issue: 6871, https://pulp.plan.io/issues/6871


Goal

Users storing content in pulp_container should derive benefit from security scanning of docker containers that are out there.

Existing Tools

The idea is to integrate a tool, not make a new one. Here are some options I've read about from this article.

pulpbot commented 2 years ago

From: westurner (westurner) Date: 2020-08-29T05:16:20Z


Would this be implemented as a webhook (e.g. to an existing CI system) or as a celery task?

Where would the report artifacts be saved?

pulpbot commented 2 years ago

From: westurner (westurner) Date: 2020-08-29T05:20:02Z


What are the least possible privileges for a celery task? (A task that runs one or more container analysis tools and saves the report artifact(s) somewhere)

pulpbot commented 2 years ago

From: westurner (westurner) Date: 2020-08-29T05:28:06Z


https://github.com/goharbor/pluggable-scanner-spec :

Open API spec definition for the scanners that can be plugged into Harbor to do artifact scanning.

Add support to Harbor for using other image scanners than just Clair by replacing the current Clair-specific scanning job implementation with an adapter layer implemented as an HTTP API between Harbor and the scanners' native interfaces. This will provide runtime configurable scanner invocation to provide vulnerability scanning initially with the option for other types of scanning in the future.

https://github.com/goharbor/harbor-scanner-clair
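
The adapter layer described in the spec quoted above, as an added example that is neither pulp_container's nor Harbor's code: a minimal scanner adapter whose endpoint shapes follow the pluggable-scanner spec as outlined there (POST /api/v1/scan answering with a scan id, GET /api/v1/scan/{id}/report answering with the report), plus the client side a registry task would run against it. It also shows the privilege boundary the earlier question was about: the adapter is handed a pull-scoped token for one artifact, never registry admin credentials. The scanner behind the API is a stand-in keyed on a constructed findings table; the registry URL, token, repository, digests and finding ids are all constructed, and the spec's other status codes (for instance a not-yet-ready report) are not modelled.

```python
"""Harbor-style pluggable scanner adapter (server) and the registry-side client.

Constructed example: endpoint shapes follow the goharbor pluggable-scanner spec,
the scanner logic is a fake, and all sample data below is made up.
"""
import json
import threading
import urllib.error
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed findings table: digest -> what the fake scanner "knows".
# Ids are deliberately not real advisory identifiers.
FAKE_FINDINGS = {
    "sha256:" + "a" * 64: [
        {"id": "FAKE-0001", "package": "libexample", "severity": "High"},
    ],
}


class AdapterServer(HTTPServer):
    """HTTP server that also holds the reports produced so far (scan id -> report)."""

    def __init__(self, address):
        super().__init__(address, _AdapterHandler)
        self.reports = {}


class _AdapterHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path == "/api/v1/metadata":
            return self._send(200, {"scanner": {"name": "fake-scanner", "version": "0"}})
        prefix, suffix = "/api/v1/scan/", "/report"
        if self.path.startswith(prefix) and self.path.endswith(suffix):
            scan_id = self.path[len(prefix):-len(suffix)]
            report = self.server.reports.get(scan_id)
            if report is None:
                return self._send(404, {"error": "unknown scan id"})
            return self._send(200, report)
        self._send(404, {"error": "not found"})

    def do_POST(self):
        if self.path != "/api/v1/scan":
            return self._send(404, {"error": "not found"})
        length = int(self.headers.get("Content-Length", "0"))
        request = json.loads(self.rfile.read(length))
        # The request carries only a pull-scoped credential for one artifact;
        # the adapter never learns anything broader about the registry.
        artifact = request["artifact"]
        scan_id = str(uuid.uuid4())
        self.server.reports[scan_id] = {
            "artifact": artifact,
            "vulnerabilities": FAKE_FINDINGS.get(artifact["digest"], []),
        }
        # 202: the scan was accepted; the client fetches the report by id.
        self._send(202, {"id": scan_id})


def start_adapter():
    """Start the adapter on an ephemeral localhost port; returns (server, base_url)."""
    server = AdapterServer(("127.0.0.1", 0))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def _call(url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if data else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def scan_artifact(adapter_url, registry_url, pull_token, repository, digest):
    """What a registry-side task would do: submit one artifact, then fetch its report."""
    status, body = _call(f"{adapter_url}/api/v1/scan", {
        "registry": {"url": registry_url, "authorization": f"Bearer {pull_token}"},
        "artifact": {"repository": repository, "digest": digest,
                     "mime_type": "application/vnd.docker.distribution.manifest.v2+json"},
    })
    if status != 202:
        raise RuntimeError(f"scan request rejected: {status} {body}")
    status, report = _call(f"{adapter_url}/api/v1/scan/{body['id']}/report")
    if status != 200:
        raise RuntimeError(f"report not available: {status} {report}")
    return report


if __name__ == "__main__":
    server, url = start_adapter()
    print(json.dumps(scan_artifact(url, "https://registry.example", "pull-only-token",
                                   "library/app", "sha256:" + "a" * 64), indent=2))
    server.shutdown()
```

Because the scanner sits behind a fixed HTTP contract, the registry side only needs the adapter URL, and the scan can be triggered either from a task or from a webhook receiver without changing the adapter.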

pulpbot commented 2 years ago

From: westurner (westurner) Date: 2020-08-29T05:36:40Z


"Automated Compliance Tooling (ACT)" https://www.linuxfoundation.org/press-release/2019/12/the-linux-foundations-automated-compliance-work-garners-new-funding-advances-tools-development/

... "DevSecOps"

pulpbot commented 2 years ago

From: westurner (westurner) Date: 2020-08-29T05:50:19Z


("DOC,SEC: Docker Notary / TUF support" #7419 could also be tagged 'security' if there was such an issue tag)

lubosmj commented 1 year ago

https://docs.docker.com/docker-hub/vulnerability-scanning/ https://docs.snyk.io/integrations/snyk-container-integrations/container-security-with-docker-hub-integration