How to Start with Container Security?

YevhSec1
3 min read · Aug 20, 2021

Hi. Container security is something that looks very difficult at first glance. It is an extensive topic, but let’s look at it with an example and figure out what you can do to secure your container.

In practice, there are some good tools for this (Clair, Anchore, Docker Scan, etc.). My favourite one is Docker Scan, which is powered by Snyk. According to their approach, at a high level there are three key steps to creating a secure container image:

  1. Secure your code and its dependencies
  2. Build up with a minimal base image from a trusted source
  3. Manage the tools and packages you add to images throughout the development lifecycle

Secure your code and its dependencies

Here you should focus on Static Application Security Testing (SAST) and Software Composition Analysis (SCA). My favourite SAST tool is SonarQube. You can read my previous article about how to start using it: https://yevhsec1.medium.com/how-to-start-static-application-security-testing-sast-with-sonarqube-151a9a1a5052 . For SCA I can recommend OWASP Dependency-Check and Snyk Open Source (Software Composition Analysis).

Build up with a minimal base image from a trusted source

By trusted source, I mean that the image should carry the green “Official Image” badge on https://hub.docker.com/. For example, this is how it is displayed for python.

By minimal base image, I mean that it is better to choose a smaller one. It will accordingly have fewer dependencies and therefore fewer vulnerabilities. For example, below is a comparison of two Debian-based images for Python 3.x.

Manage the tools and packages you add to images throughout the development lifecycle

For example, you build your image and see that there are a lot of vulnerabilities.

Focus on high-severity findings for which a fix is available, together with the Dockerfile instruction that introduced the package and the fixed version.

Run the docker scan command with the --exclude-base option. It ignores all vulnerabilities that come from the base image. The result looks better now.

Run the following command to get high severity findings where the fix is available:

docker scan AppName -f Dockerfile --exclude-base --json | jq '[.vulnerabilities[] | select(.nearestFixedInVersion) | select(.severity == "high") | {packageName, dockerfileInstruction, title, severity, version, nearestFixedInVersion}]'
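As an added example (not from the article, Docker or Snyk), here is the same selection the jq filter performs, reimplemented in Python over a constructed sample of docker scan’s --json output, so the triage can run in a pipeline without jq and be extended. It goes a little beyond the filter above: the severity threshold is a parameter, and findings attributed to the FROM line can be dropped, which approximates --exclude-base after the fact. The field names are those used in the jq filter; the sample entries and the base_instruction parameter are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample resembling the JSON that docker scan --json emits.
# Field names follow the article's jq filter; the entries are made up.
SAMPLE_SCAN_JSON = json.dumps({"vulnerabilities": [
    {"packageName": "libssl1.1", "dockerfileInstruction": "FROM python:3.9",
     "title": "Sample base-image issue", "severity": "high",
     "version": "1.1.1d-0", "nearestFixedInVersion": "1.1.1k-1"},
    {"packageName": "curl", "dockerfileInstruction": "RUN apt-get install -y curl",
     "title": "Sample issue with a fix", "severity": "high",
     "version": "7.64.0-4", "nearestFixedInVersion": "7.64.0-5"},
    {"packageName": "bash", "dockerfileInstruction": "RUN apt-get install -y bash",
     "title": "Sample issue without a fix", "severity": "high",
     "version": "5.0-4", "nearestFixedInVersion": None},
    {"packageName": "git", "dockerfileInstruction": "RUN apt-get install -y git",
     "title": "Sample low issue", "severity": "low",
     "version": "2.20.1", "nearestFixedInVersion": "2.20.2"},
]})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
FIELDS = ("packageName", "dockerfileInstruction", "title", "severity",
          "version", "nearestFixedInVersion")


def actionable_findings(scan_json, min_severity="high", base_instruction=None):
    """Findings at or above min_severity that have a fix available.

    base_instruction (assumption: the FROM line as reported in
    dockerfileInstruction) drops findings inherited from the base image,
    mirroring what --exclude-base does at scan time.
    """
    wanted = SEVERITY_RANK[min_severity]
    out = []
    for v in json.loads(scan_json).get("vulnerabilities", []):
        if not v.get("nearestFixedInVersion"):          # no fix yet: not actionable
            continue
        if SEVERITY_RANK.get(v.get("severity", "low"), 0) < wanted:
            continue
        if base_instruction and v.get("dockerfileInstruction") == base_instruction:
            continue
        out.append({k: v.get(k) for k in FIELDS})
    return out


def group_by_instruction(findings):
    """Map each Dockerfile instruction to the 'package -> fixed version' list."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["dockerfileInstruction"]].append(
            f["packageName"] + " -> " + f["nearestFixedInVersion"])
    return dict(grouped)
```

Grouping by instruction tells you which RUN line to change, which is the decision the article's triage leads to.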

Follow me and stay secure!


YevhSec1

MSc in Cyber Security, OSCP, eWPTXv2, CEH Master. Awarded by Apple, Trello, Paysera..