Source: CNCF Cloud Native Security Whitepaper
What are the benefits of using Grype and Trivy scanner?
For the next step of container image hardening, Grype can be used. Grype is a vulnerability scanner for container images and file systems. It works together with Syft, a tool that generates software bills of materials (SBOMs) for container images and file systems. Currently, Grype is built only for macOS and Linux. Grype addresses an important topic in container security: images need to be rebuilt regularly to make sure they include the latest packages and patches, so hardening procedures need to be incorporated into CI/CD pipelines. Grype works similarly to Snyk: first, it scans the Docker image to identify the status of its packages and patches; based on the results, a new image is built with additional mitigating protections, and that new version can then be used as the base for the respective application. Learn more on how to install Grype.
Trivy is a simple and comprehensive vulnerability scanner for container images and file systems, but it is also suitable for Git repositories and for detecting configuration issues. Trivy detects vulnerabilities in operating system packages and in language-specific packages. Learn more on how to install Trivy.
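The pipeline step both paragraphs describe is "scan, then decide whether the image may be rebuilt and shipped". The following is an added example, not code from the page, from Grype, Trivy, Snyk or T-Systems: it normalises the JSON that `grype -o json` and `trivy image -f json` produce (the field names are assumptions taken from the tools' public report formats) into one list of findings and fails the build when a finding at or above a severity threshold has a published fix. The two embedded reports are constructed samples with placeholder CVE ids and invented versions.

```python
"""Gate a CI/CD build on a container-image scan result.

Added example, not code from Grype, Trivy, Snyk or T-Systems. Field names
are assumed from the scanners' public JSON report formats; the sample
reports at the bottom are constructed and the CVE ids are placeholders.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Rank used to compare severities across scanners (Trivy writes them in upper
# case, Grype in title case; everything is lower-cased before lookup).
SEVERITY_RANK = {"unknown": 0, "negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: Optional[str]   # first fixed version, or None when no fix is published
    severity: str          # normalised to lower case


def parse_grype(report: dict) -> list[Finding]:
    """Grype (assumed shape): top-level "matches", each with "vulnerability" and "artifact"."""
    findings = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        versions = (vuln.get("fix") or {}).get("versions") or []
        findings.append(Finding(
            vuln_id=vuln["id"],
            package=match["artifact"]["name"],
            installed=match["artifact"]["version"],
            fixed=versions[0] if versions else None,
            severity=str(vuln.get("severity", "unknown")).lower(),
        ))
    return findings


def parse_trivy(report: dict) -> list[Finding]:
    """Trivy (assumed shape): top-level "Results", one per target, each with "Vulnerabilities"."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=vuln["VulnerabilityID"],
                package=vuln["PkgName"],
                installed=vuln["InstalledVersion"],
                fixed=vuln.get("FixedVersion") or None,   # "" means no fix yet
                severity=str(vuln.get("Severity", "unknown")).lower(),
            ))
    return findings


def parse_report(text: str) -> list[Finding]:
    """Detect which scanner produced the JSON and normalise it."""
    data = json.loads(text)
    if "matches" in data:
        return parse_grype(data)
    if "Results" in data:
        return parse_trivy(data)
    raise ValueError("unrecognised scanner report format")


def gate(findings: list[Finding], threshold: str = "high",
         fixable_only: bool = True) -> tuple[bool, list[Finding]]:
    """Return (passed, offending findings), worst severity first.

    With fixable_only=True an unfixable finding does not fail the build, since
    rebuilding the image cannot remove it yet; False gives a strict policy."""
    floor = SEVERITY_RANK[threshold.lower()]
    offending = [f for f in findings
                 if SEVERITY_RANK.get(f.severity, 0) >= floor
                 and (not fixable_only or f.fixed is not None)]
    offending.sort(key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), f.vuln_id))
    return (not offending), offending


# Constructed sample reports (placeholder CVE ids, invented package versions).
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["1.1.1n"], "state": "fixed"}},
     "artifact": {"name": "openssl", "version": "1.1.1k", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "zlib", "version": "1.2.11", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": ["7.79.1"], "state": "fixed"}},
     "artifact": {"name": "curl", "version": "7.74.0", "type": "deb"}},
]})
TRIVY_REPORT = json.dumps({"Results": [{"Target": "example-app:latest (debian 11)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1k-1", "FixedVersion": "1.1.1n-0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "bash",
         "InstalledVersion": "5.1-2", "FixedVersion": "", "Severity": "MEDIUM"},
    ]}]})

if __name__ == "__main__":
    for name, text in (("grype", GRYPE_REPORT), ("trivy", TRIVY_REPORT)):
        passed, bad = gate(parse_report(text), threshold="high")
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
        for f in bad:
            print(f"  {f.vuln_id} {f.package} {f.installed} -> {f.fixed} ({f.severity})")
```

In a pipeline, the script would read the scanner's JSON from a file and exit non-zero when `gate` reports a failure, which is what makes the rebuild-and-patch loop the paragraph describes enforceable rather than advisory. The `fixable_only` switch matters in practice: a critical finding with no published fix cannot be removed by rebuilding, so blocking on it only stalls the pipeline without changing the image.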
Which scanners can be used for Git repositories?
Each scanner has its own strengths and deficits. While Trivy and Grype have their merits, they are not specifically designed to scan Git repositories directly; they are primarily intended for container image scanning. Therefore, Snyk is the perfect enhancement for GitHub/GitLab integration. Snyk's GitHub integration lets you:
- Continuously perform security scanning across all the integrated repositories
- Detect vulnerabilities in your open-source components
- Provide automated fixes and upgrades
After you have connected GitHub to Snyk, you can use:
- Project-level security reports
- Project monitoring and automatic fix pull requests
- Commit signing
- Pull request testing
Learn more on how to integrate Snyk with GitHub.
How can containers be made smaller and more secure?
DockerSlim is a tool that provides a set of commands to simplify and optimize the developer experience with containers. It makes containers better, smaller and more secure. DockerSlim optimizes containers by understanding the application and its needs, using various analysis techniques, and discards content the application does not really need. This reduces the attack surface of the respective container. Containers tend to grow with time – often developers are taken aback by the size of their containers. Bloated container images can negatively impact application performance, but beyond that they can also carry unnecessary security risks. DockerSlim's xray command obtains details about a package's size. The command performs a static analysis on the target container image and reverse-engineers the Dockerfile from the image, showing what is inside the container image and why it is so big. Learn more on how to install DockerSlim.
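The xray step above rests on a property of the image format itself: an image config records the instruction that produced each layer, and the manifest records each layer's size. The following is an added example, not DockerSlim's code, that reimplements that core idea in a few lines (in the spirit of `docker-slim xray` and `docker history`): it walks a constructed image config's `history` list against a constructed manifest, rebuilds the Dockerfile lines, and attributes bytes to each one so bloat can be traced to its cause. Field names follow the OCI image spec; digests and sizes are invented.

```python
"""Attribute a container image's size to the instructions that built it.

Added example, not DockerSlim's code. Input shapes follow the OCI image
spec ("history" in the config, "layers" in the manifest); both documents
below are constructed samples with placeholder digests and invented sizes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LayerReport:
    instruction: str   # reverse-engineered Dockerfile line
    size_bytes: int    # 0 for metadata-only instructions (ENV, CMD, ...)


def to_dockerfile(created_by: str) -> str:
    """Docker stores each instruction as the shell command it ran; map the two
    common forms back to Dockerfile syntax and leave anything else unchanged."""
    text = created_by.strip()
    nop = "/bin/sh -c #(nop)"
    if text.startswith(nop):                  # ADD/COPY/ENV/CMD/... kept verbatim
        return text[len(nop):].strip()
    if text.startswith("/bin/sh -c "):        # RUN <command>
        return "RUN " + text[len("/bin/sh -c "):].strip()
    return text


def attribute_layers(config: dict, manifest: dict) -> list:
    """Walk history in order; every entry without empty_layer consumes the next
    manifest layer, which is how the spec ties instructions to filesystem diffs."""
    sizes = [layer["size"] for layer in manifest["layers"]]
    reports, next_layer = [], 0
    for entry in config["history"]:
        instruction = to_dockerfile(entry["created_by"])
        if entry.get("empty_layer"):
            reports.append(LayerReport(instruction, 0))
            continue
        if next_layer >= len(sizes):
            raise ValueError("history references more layers than the manifest lists")
        reports.append(LayerReport(instruction, sizes[next_layer]))
        next_layer += 1
    if next_layer != len(sizes):
        raise ValueError("manifest has layers no history entry accounts for")
    return reports


def total_size(reports: list) -> int:
    return sum(r.size_bytes for r in reports)


def biggest(reports: list, n: int = 3) -> list:
    """Largest contributors first: the answer to 'why is this image so big'."""
    return sorted(reports, key=lambda r: -r.size_bytes)[:n]


# Constructed image config and manifest (OCI-style shapes, invented values).
IMAGE_CONFIG = {"history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:base-rootfs in / "},
    {"created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]", "empty_layer": True},
    {"created_by": "/bin/sh -c apt-get update && apt-get install -y build-essential"},
    {"created_by": "/bin/sh -c #(nop) COPY dir:app-src in /app"},
    {"created_by": "/bin/sh -c #(nop)  ENV PATH=/app/bin:$PATH", "empty_layer": True},
    {"created_by": "/bin/sh -c pip install -r /app/requirements.txt"},
    {"created_by": "/bin/sh -c #(nop)  CMD [\"python\" \"/app/main.py\"]", "empty_layer": True},
]}
IMAGE_MANIFEST = {"layers": [
    {"digest": "sha256:placeholder-0", "size": 80_000_000},
    {"digest": "sha256:placeholder-1", "size": 250_000_000},
    {"digest": "sha256:placeholder-2", "size": 5_000_000},
    {"digest": "sha256:placeholder-3", "size": 60_000_000},
]}

if __name__ == "__main__":
    layers = attribute_layers(IMAGE_CONFIG, IMAGE_MANIFEST)
    for r in layers:
        print(f"{r.size_bytes:>12,}  {r.instruction}")
    print(f"total {total_size(layers):,} bytes; biggest contributors:")
    for r in biggest(layers):
        print(f"  {r.size_bytes:,}  {r.instruction}")
```

Run against the constructed input, the build-tools `RUN` layer dominates the image while contributing nothing the running application needs, which is exactly the kind of content a slimming step removes to shrink the attack surface. The two `ValueError` checks catch a config and manifest that do not belong together, a mismatch that a real tool has to treat as an error rather than silently misattributing sizes.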
Should I check my container security?
Definitely, yes! Containers offer huge advantages and play an important role in a future-proof setup for enterprise IT. Thus, container security is of utmost importance. If you want to utilize the benefits of the technology, be prepared to implement the respective security measures. And that starts with transparency. The good news is that there are many tools for container vulnerability scanning and remediation, and most of them are publicly available. If you are unsure about your container posture and security gaps, take the time to do a review or contact our expert container consultant.
Managed services from T-Systems
T-Systems is an expert on containers and an experienced cloud services partner. You can rely on them to tackle container security. This is especially advantageous for teams that want to focus primarily on development and business alignment. T-Systems offers out-of-the-box services for assessments and continuous managed services. For container usage on AWS, an Elastic Kubernetes Service Well-Architected Review performed by T-Systems can be especially beneficial. Within two weeks, we identify gaps in your container environment and provide remediation proposals. Also, if you prefer to relieve your team of container management entirely, we can take over the task with our Managed Cloud Container Services. We can elevate your containers to meet current best practices.