
Image Scanning -

by TWN
Build Secure Images
No part of this publication may be reproduced, copied, transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of nnSoftware GmbH

Copyright 2023 nnSoftware GmbH. All rights reserved.


TechWorld with Nana is an established name in the DevOps and
Cloud industry, and it stands for the quality trainings helping 1,000s
of engineers acquire the most in-demand skills in this field.

Our mission is enable individual engineers as well as companies to take advantage of the
recent developments in Cloud and DevOps fields, to use technologies and concepts in
order to create efficient, automated, streamlined DevSecOps processes in organisations.



CD part opens up a whole new threat landscape

We will secure step by step

And start with Docker Image Security



Automated Security Scanning of
Docker Image
Why scan container images?

Mini virtual server environment: a Docker image consists of an underlying operating system, a runtime and dependencies
Images rely on base images
Plus the tools and packages installed in the image

Security threat: this means we can have a secure application, but still an insecure runtime environment, which attackers can exploit

Container image scanning tools
We can again leverage security tools to scan every image layer for known vulnerabilities
Open source and commercial tools are available
More and more tools natively support security features, an indicator that security is becoming more important within the developer workflow
We use Trivy to scan our image



Integrate Scanning step into our CI/CD

Based on the result, we can decide whether we want to deploy the application or not



Integrate Scanning step into our CI/CD

Add Job to Pipeline Configuration
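The scanning job as it could look in a GitLab pipeline, as an added example that is not the course's own .gitlab-ci.yml. It assumes the image was built and pushed by an earlier job and that $IMAGE_NAME and $IMAGE_TAG are set there; the stage name and the pinned Trivy version are placeholders, while the Trivy flags and TRIVY_* variables are real ones:

```yaml
# Added example (not the course's own pipeline file): scan the image that an
# earlier job built and pushed, and fail the pipeline on HIGH/CRITICAL findings.
# $IMAGE_NAME, $IMAGE_TAG and the stage name are assumptions about the rest of
# the pipeline.
image_scan:
  stage: test
  image:
    name: aquasec/trivy:0.48.0        # pin the scanner as well, never :latest
    entrypoint: [""]
  variables:
    # Trivy pulls the image straight from the registry; no Docker daemon needed
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
  cache:
    paths:
      - .trivycache/                  # reuse the downloaded vulnerability database
  script:
    # Full report (vulnerability + secret scanners, Trivy's defaults), kept as artifact
    - trivy image --format json --output trivy-report.json "$IMAGE_NAME:$IMAGE_TAG"
    # Gate: non-zero exit on HIGH/CRITICAL findings that already have a fixed version
    - trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$IMAGE_NAME:$IMAGE_TAG"
  artifacts:
    when: always
    paths:
      - trivy-report.json
    expire_in: 1 week
```

The deploy job should then declare `needs: [image_scan]` so a failed gate stops the rollout. `--ignore-unfixed` keeps findings without a patched package from blocking the pipeline (they still appear in the JSON artifact); drop it if your policy is to block on unfixable CRITICAL findings too.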



Trivy Security Scanning

Trivy can scan files inside container images for
Vulnerabilities
Exposed secrets
Misconfigurations, useful only if your image includes IaC files (Dockerfiles, Kubernetes manifests, Terraform and similar)
Licenses

By default, vulnerability and secret scanning are enabled; misconfiguration and license scanning have to be requested explicitly



Trivy Security Scanning
What Trivy can find
OS packages and software dependencies
Known vulnerabilities (CVEs) in those packages
Trivy also scans vulnerabilities in the application dependencies (for example npm, pip or Maven packages found in the image)

Remediation example in the Dockerfile
Vulnerability of the Debian base image
Reported vulnerability in Trivy: the image uses the library libssl1.1, which has known vulnerabilities
Suggested solution is to update to the fixed version
Debian is used under the hood; it is an outdated base image
Change to an image with a patched Debian base, then rebuild and re-scan to confirm the finding is gone



Fixing security issues is not an all-or-nothing game

Sometimes when you upgrade to a newer version to fix a known vulnerability in a previous version, you introduce other, newer vulnerabilities
Some libraries may not have fixed the issue yet
It is hard to get to zero vulnerabilities, but the goal is to get to the closest secure state possible

Some steps you can take in such cases
Assess the severity
Monitor updates
Look for alternative solutions (another library or base image)
Research and implement mitigation strategies to reduce the risk
Risk acceptance after thorough understanding of the potential risks, documented and revisited regularly
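The decision steps above, and the "deploy or not" decision from the pipeline slide, as an added example in Python that is not code from the course or from Trivy. It triages a report in the shape produced by `trivy image --format json`: fixable HIGH/CRITICAL findings block, unfixable ones are only monitored, and a documented risk acceptance with an expiry date overrides. The report, its CVE-0000-000x placeholder identifiers and the accepted-risk register are constructed sample data, and the severity threshold is an assumed policy:

```python
"""Triage a Trivy JSON report and decide whether the pipeline may deploy.

Added example, not code from the course or from Trivy.  Report, CVE ids
(CVE-0000-000x placeholders) and the accepted-risk register are constructed
sample data; the blocking threshold is an assumed policy.
"""
import json
import sys
from datetime import date

# Policy threshold: only these severities can block a deployment (assumption).
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample in the shape of `trivy image --format json` output.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/app:1.4.2",
    "Results": [
        {
            "Target": "registry.example.com/app:1.4.2 (debian 11.6)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1n-0+deb11u3",
                 "FixedVersion": "1.1.1n-0+deb11u5", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.3+deb11u7",
                 "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib1g",
                 "InstalledVersion": "1:1.2.11.dfsg-2+deb11u1",
                 "FixedVersion": "1:1.2.11.dfsg-2+deb11u2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "perl-base",
                 "InstalledVersion": "5.32.1-4+deb11u2",
                 "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/node_modules/lodash/package.json",
            "Class": "lang-pkgs", "Type": "node-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
                 "InstalledVersion": "4.17.20", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
        # A clean target may carry no "Vulnerabilities" key at all.
        {"Target": "app/package.json", "Class": "lang-pkgs", "Type": "node-pkg"},
    ],
})

# Constructed accepted-risk register: CVE id -> (justification, review-by date).
# Every acceptance carries an expiry so it gets re-assessed instead of forgotten.
ACCEPTED_RISKS = {
    "CVE-0000-0003": ("vulnerable function not reachable from our code", date(2099, 1, 1)),
    "CVE-0000-0004": ("acceptance expired, must be re-evaluated", date(2020, 1, 1)),
}


def triage(report_text, accepted_risks, today):
    """Sort every finding into fix / monitor / accepted / informational."""
    report = json.loads(report_text)
    buckets = {"fix": [], "monitor": [], "accepted": [], "informational": []}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            finding = {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,  # "" means no fix yet
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target"),
            }
            if finding["severity"] not in BLOCKING_SEVERITIES:
                buckets["informational"].append(finding)
                continue
            acceptance = accepted_risks.get(finding["id"])
            if acceptance and acceptance[1] >= today:
                finding["reason"] = acceptance[0]   # documented, unexpired acceptance
                buckets["accepted"].append(finding)
            elif finding["fixed"]:
                buckets["fix"].append(finding)      # a fixed version exists: upgrade
            else:
                buckets["monitor"].append(finding)  # no fix yet: track, mitigate, re-scan
    return buckets


def exit_code(buckets):
    """Block the deployment only while a fixable HIGH/CRITICAL finding remains."""
    return 1 if buckets["fix"] else 0


def summary_lines(buckets):
    """One line per finding, grouped by the action it requires."""
    lines = []
    for bucket, findings in buckets.items():
        for f in findings:
            fix = f["fixed"] or "no fix available"
            lines.append(f"{bucket:<13} {f['severity']:<8} {f['id']}  "
                         f"{f['pkg']} {f['installed']} -> {fix}")
    return lines


if __name__ == "__main__":
    # Real use: trivy image --format json --output trivy-report.json IMAGE,
    # then pass that file's contents instead of SAMPLE_REPORT.
    result = triage(SAMPLE_REPORT, ACCEPTED_RISKS, date.today())
    print("\n".join(summary_lines(result)))
    sys.exit(exit_code(result))
```

Run against the sample, two findings land in "fix" (the libssl1.1 upgrade and the zlib1g finding whose acceptance has expired), the unfixable curl finding is monitored rather than blocking, and the exit status is 1. The expiry date is the part worth keeping: an acceptance without a review date quietly turns into a permanent exception.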



GitLab CI/CD Status after this chapter



Docker Security Best Practices
Why learn Security Best Practices

Learn about security best practices that we can follow
To be less exposed to security threats
To have a smaller attack surface



Security Best Practices

1 - Use official Docker images as base image
Verified and already built with best practices

2 - Use specific image versions
Otherwise you might get different image versions that break things
The latest tag is unpredictable: the same tag resolves to different content over time

Security Best Practices

3 - Use small-sized official images
Avoid introducing unnecessary security issues from the beginning
Reduced attack surface: fewer packages installed means fewer vulnerabilities to report and patch

4 - Use .dockerignore to explicitly exclude unneeded files and folders
List the files and folders you want to ignore
Prevents unintended secrets exposure (for example .env files, private keys or the .git directory being copied into the image)



Security Best Practices

5 - Make use of multi-stage builds
Each FROM instruction starts a new build stage, leaving everything you don't want in the final image behind
Selectively copy artifacts from one stage to another with COPY --from
Only the instructions of the final stage become layers of the resulting image
Reduces the attack surface: build tools, compilers and source code never reach production



Security Best Practices

6 - Use the least privileged user

Bad practice:
Using root or a user with high privileges
Easier privilege escalation for an attacker

Best practice:
Create a dedicated user and group
Set the required permissions
Change to the non-root user with USER

Some base images have a generic user bundled in, which we can use
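All six practices applied to one Dockerfile, as an added example that is not the course's own Dockerfile. It assumes a Node.js service with a `package-lock.json`, a `build` script that emits `dist/`, and a server listening on port 3000; the image tag is an example and you should pin the exact tag (or digest) you verified yourself. The official node image does ship a non-root `node` user, which is the "generic user bundled in" the slide refers to:

```dockerfile
# Added example (not the course's Dockerfile): practices 1-6 on a Node.js service.
# Tag, paths, port and entry file are placeholders; pin the version you verified.

# 1/2/3: official image, small alpine variant, exact version instead of :latest
# 5: build stage; compilers, dev dependencies and source stay behind here
FROM node:20.11.1-alpine3.19 AS build
WORKDIR /app
COPY package.json package-lock.json ./
# reproducible install from the lock file
RUN npm ci
# 4: .dockerignore keeps .git, .env, keys and node_modules out of this copy
COPY . .
# build, then drop dev dependencies so only runtime packages get copied on
RUN npm run build && npm prune --omit=dev

# 5: final stage holds only the runtime and the built artifacts
FROM node:20.11.1-alpine3.19
WORKDIR /app
# 6: the official node image bundles a non-root "node" user; it owns only what it needs
COPY --from=build --chown=node:node /app/package.json ./
COPY --from=build --chown=node:node /app/node_modules ./node_modules
COPY --from=build --chown=node:node /app/dist ./dist
ENV NODE_ENV=production
# 6: switch away from root before the process starts
USER node
EXPOSE 3000
CMD ["node", "dist/server.js"]
```

The matching `.dockerignore` for practice 4 lists at least `.git`, `node_modules`, `.env`, `*.pem` and `Dockerfile`, so that `COPY . .` in the build stage cannot pull repository history or local credentials into a layer. Scan the result with `trivy image` afterwards: a small, pinned base makes the report shorter, it does not make it empty.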



Continuously Scan Images in
Container Registry
Why scanning the image once is not enough

An image can be safe at the point of scanning, but unsafe a few days later: new vulnerabilities get published for packages that were already in the image
We could be running that Docker image in production and not even know it
That's why we need to continuously scan the Docker images in the container image repository



How to continuously scan

Container registries offer such functionality



Configure Security Scanning on AWS ECR

Basic scanning
Scan manually or scan on push: vulnerabilities are detected when the image is pushed
Free of charge

Enhanced scanning (Amazon Inspector)
Continuous scanning: detection when new vulnerabilities are published, not only at push time
Deeper, more comprehensive security analysis with a more extensive set of vulnerability databases
Comes at an additional cost
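The same configuration applied from the command line instead of the console, as an added example that is not part of the course material. The document below is the input for `aws ecr put-registry-scanning-configuration --cli-input-json file://scanning.json`; the wildcard filter is an assumption that every repository in the registry should be covered:

```json
{
  "scanType": "ENHANCED",
  "rules": [
    {
      "scanFrequency": "CONTINUOUS_SCAN",
      "repositoryFilters": [
        { "filter": "*", "filterType": "WILDCARD" }
      ]
    }
  ]
}
```

Verify the result with `aws ecr get-registry-scanning-configuration`. Switching to ENHANCED activates Amazon Inspector for ECR in that account and region and starts the per-image charges, so the filter can be narrowed to the repositories you actually deploy from (for example `prod-*`) to keep the cost in line with the benefit.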
Configure Security Scanning on AWS ECR

Repository with continuous scanning enabled

Vulnerability findings



What Amazon Inspector Scans

Scans the application runtime environment (operating system packages)
Scans the whole application and its dependencies (programming language packages)



Wrap Up and Next Steps

We have secured our application in the last chapters
We have secured the container image, the application's runtime environment, in this chapter

TO DO
We will secure the continuous deployment
And the AWS cloud infrastructure
