Open vistasunil opened 2 years ago
Hello Terrascan Team,
Please look into this issue. We are evaluating terrascan and need this feature if it exists.
Hi @vistasunil
Could you please use the option `-l debug` to set the log level to debug and share the logs?
Also, if possible, could you please share sample code where you're running terrascan.
Thanks
Hello @gaurav-gogia Please find the output of the below debug command attached here:

```shell
terrascan scan -i helm --find-vuln -l debug
```

terrascan_debug_image_scan.txt
@vistasunil
I don't see any errors in container detection, I'll be able to deep dive and recreate the scenario if you could share a sample code file.
Hello @gaurav-gogia I am trying to scan an image that is part of a kubernetes yaml or helm chart. Please find the sample helm chart attached here: test-chart.zip.
@vistasunil
terrascan finds vulnerabilities in container images. And as far as I understand helm charts, they are just package managers, container images aren't defined in them, so that's the reason you don't see any vulnerabilities.
Does this answer your question?
@gaurav-gogia Container images are defined in Kubernetes YAMLs and helm charts. Below is the snapshot:

```yaml
containers:
  - name: test-chart
    securityContext:
      {}
    image: "nginx:1.16.0"
    imagePullPolicy: Always
```

I believe the --find-vuln option is meant to find the vulnerabilities in YAMLs and Helm charts only. Please correct me if my understanding is wrong.
@vistasunil
Since terrascan is a static analyser, it doesn't execute helm charts/pull down images. You'll be able to get better results with terraform and k8s configuration.
@gaurav-gogia As per your indication, I tried to run the same command on a k8s yaml too, as below, and again no image scanning happened. Please find the attached output and k8s yaml file in the zip:

```shell
terrascan scan -i k8s -f k8s.yaml --find-vuln -l debug
```
@vistasunil
In this case it looks like there were no vulnerabilities found for the images described in the k8s configuration you've shared.
@gaurav-gogia This is not true. This image has 239 vulnerabilities, as below:

```shell
$ cat nginx.yaml |grep " severity:"|grep HIGH|wc -l
38
$ cat nginx.yaml |grep " severity:"|grep CRITICAL|wc -l
6
$ cat nginx.yaml |grep " severity:"|grep MEDIUM|wc -l
165
$ cat nginx.yaml |grep " severity:"|grep LOW|wc -l
24
```

Attaching the list of all CVEs for your reference. Please check why terrascan was unable to find them. nginx_vulnerabilities.txt
@vistasunil
I think this discrepancy might be caused by the source terrascan uses to identify vulnerabilities.
It uses publicly available image registries like dockerhub to find if vulnerabilities are associated to an image.
Is it possible for you to share the source you're using to identify if a certain image is vulnerable?
@gaurav-gogia I am using GCR scan to scan images, and because of this only the above vulnerabilities were found. Also, I am not able to access https://index.docker.io/ as you shared. Please refer to the screenshot for the error.
@vistasunil
Yes, I edited my comment earlier because of the same issue.
I'll have to look into it again. Will take some time to debug.
@gaurav-gogia Sure. Please share your finding once you have something.
@vistasunil Terrascan does fetch the vulnerabilities of images identified in your helm yaml files, but currently it only supports the gcr, ecr and acr docker registries.
I can see in the chart you shared that the value of repository is as below:

```yaml
repository: nginx #gcr.io/k8coe--poc/nginx
```

So for terrascan the image is part of docker hub, since you haven't specified the registry. If you use the complete GCR URL in the image name, it will fetch the vulnerabilities from GCR and display them. If your registry is private, do provide the creds as documented here.
@Rchanger I did it with gcr.io/k8coe--poc/nginx also, but it did not work. That's why I commented it out and checked with the dockerhub URL. So it's not supporting the gcr repo either. It scans but returns nothing, as I already shared. I did it again by changing to gcr.io as below, but nothing was returned. Please check the screenshots:

```yaml
containers:
  - name: test-chart
    securityContext:
      {}
    image: "gcr.io/k8coe--poc/nginx"
    imagePullPolicy: Always
```

@Rchanger I suggest you please try scanning the same yaml with terrascan and see if you are able to find vulnerabilities. Maybe I am missing some step.
@vistasunil
We don't do a vulnerability scan per se. Being a static analysis tool, we only fetch these vulnerabilities from the registries where container images are located. So if those registries have scanning enabled and if they report any vulnerabilities then terrascan will pick them up and report them.
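Both @Rchanger's point (an image name without a registry host is treated as a Docker Hub image, so `--find-vuln` has nowhere supported to look) and @gaurav-gogia's point (terrascan only relays what the registry's own scanner reports) come down to how each `image:` reference in a manifest resolves to a registry. The following Python script is an added illustration written for this thread, not terrascan code: it normalises image references the way the docker/distribution reference grammar does (missing host means `docker.io`, a bare name means `library/<name>`, tag after the last `/`, digest after `@`) and then flags which images in a rendered manifest point at a GCR, ECR or ACR host. The hostname patterns, the line-based `image:` extraction, and the sample manifest (including the `123456789012` account id) are this example's own assumptions and constructed data; only the `nginx:1.16.0` and `gcr.io/k8coe--poc/nginx` references come from the thread.

```python
"""Pre-check: which image references in a rendered k8s/helm manifest point at
a registry whose scan results terrascan --find-vuln can fetch (GCR, ECR, ACR
per this thread)? Hypothetical helper written for this issue, not terrascan code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_REGISTRY = "docker.io"

# Host patterns for the three registry families named in the thread. How
# terrascan itself matches hosts is NOT taken from its source; this is an
# assumption of the example.
SUPPORTED_REGISTRY_PATTERNS = [
    re.compile(r"^(?:[a-z0-9-]+\.)?gcr\.io$"),                      # gcr.io, us.gcr.io, ...
    re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$"),  # ECR
    re.compile(r"^[a-z0-9-]+\.azurecr\.io$"),                        # ACR
]

# Matches "image: foo" / "- image: 'foo'" lines; a deliberate simplification
# that avoids a YAML dependency and ignores trailing comments.
IMAGE_LINE = re.compile(r"""^\s*-?\s*image:\s*["']?([^"'\s#]+)""")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]     # None means the implicit "latest"
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Normalise a reference per the docker/distribution grammar: the first
    path component is a registry host only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives on Docker Hub."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
        if "/" not in path:
            path = "library/" + path        # official image: nginx -> library/nginx
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):              # a ':' after the last '/' introduces the tag
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def vuln_fetch_supported(ref: ImageRef) -> bool:
    """True if the registry host is one terrascan can query for scan results."""
    return any(p.match(ref.registry) for p in SUPPORTED_REGISTRY_PATTERNS)


def find_images(manifest_text: str) -> List[str]:
    return [m.group(1) for line in manifest_text.splitlines() if (m := IMAGE_LINE.match(line))]


def audit_manifest(manifest_text: str) -> List[Tuple[str, str, str, bool]]:
    """(raw reference, registry, repository, supported) for every image found."""
    rows = []
    for raw in find_images(manifest_text):
        ref = parse_image_ref(raw)
        rows.append((raw, ref.registry, ref.repository, vuln_fetch_supported(ref)))
    return rows


# Constructed sample manifest; the ECR account id is a placeholder.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: test-chart
          image: "nginx:1.16.0"
          imagePullPolicy: Always
        - name: sidecar
          image: gcr.io/k8coe--poc/nginx   # full GCR path, as suggested in the thread
        - name: ecr-app
          image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v2
"""

if __name__ == "__main__":
    for raw, registry, repo, ok in audit_manifest(SAMPLE_MANIFEST):
        status = "registry scan data reachable" if ok else "NOT a GCR/ECR/ACR host: --find-vuln will report nothing"
        print(f"{raw:55} {registry:45} {status}")
```

Run against the rendered output of `helm template`, the script lists `nginx:1.16.0` as a `docker.io` image with nothing for `--find-vuln` to fetch, while the two fully qualified references are flagged as reachable. Even for those, terrascan can only report what the registry scanner has already produced, so an image that was pushed but never scanned on the registry side will still show zero findings.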
@gaurav-gogia The above statement stands true: it worked when I scanned the same image using gcr scan, and then Terrascan was able to fetch all vulnerabilities from there and report them. Below is the snapshot:

```text
Scan Summary -
File/Folder : C:\WFC_Engg\project\test-chart\k8s.yaml
IaC Type : k8s
Scanned At : 2022-08-29 06:14:30.0578832 +0000 UTC
Policies Validated : 43
Violated Policies : 25
Low : 4
Medium : 17
High : 4
Vulnerabilities : 86
```

So, this concludes that Terrascan can't scan images on its own and depends on container registry scans for fetching the results? Please confirm.
Also, if this is the case, then do you have a plan to enable the capability in Terrascan to scan images on its own, like the trivy or clair tools?
@vistasunil
> So, this concludes that Terrascan can't scan images on its own and depends on container registry scans for fetching the results? Please confirm.

Yes, this is correct.

> Also, if this is the case, then do you have a plan to enable the capability in Terrascan to scan images on its own, like the trivy or clair tools?

This feature is not currently in scope, because Terrascan is only meant to be a static analysis tool. Maybe @Rchanger or @cesar-rodriguez can answer this query better.
@Rchanger @cesar-rodriguez Please share your comments on the above query.
**Description**
I am trying to scan container images in my helm chart using terrascan.
**What I Did**
I installed terrascan using the below steps:
I am using the --find-vuln option of terrascan to scan container images in my helm chart. Below is the command:

```shell
terrascan scan -i helm --find-vuln
```

The scan results in 0 vulnerabilities for all the images I used to check. I tried this with both a dockerhub image and a gcr image, but the result is the same.