When it comes to container security, simply relying on Docker Bench for maintaining Docker security may not suffice. In order to mitigate the risk of compromised containers it is also a good practice to use active container vulnerability scanners like Docker Scan (Snyk), Grype, Trivy and DockerSlim. These scanners can help proactively identify problems within containers, such as outdated dependencies that could be exploited.
Containers are a perfect fit in the cloud-native era. Enterprises that want to exploit cloud advantages such as speed and agility need to utilize containers, with Kubernetes and Docker being the de facto standards. It is often said that containerized applications and services offer security benefits “out of the box”. However, containers also provide new entry points for attackers and, a point that is often overlooked, containers also demand specific security expertise to close the security gaps and to run containers optimally. This blog post will focus on Docker as an example.
Enterprises that opt for containers are best advised to start with Docker Bench for Security to harden the Docker host. Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in a production environment. All tests are automated and based on the CIS (Center for Internet Security) Docker Benchmark. The test scans the Docker host for common configuration issues, such as loose settings in configuration files, system rights and questionable defaults. The tool relies on a database of Common Vulnerabilities and Exposures to audit the libraries and executables on the system in question. The scan yields a score for the Docker host's security. Admins can use this score to track and continuously improve the host's configuration. This can result in discarding unused images and containers, updating Docker, or using volume mounts to create separate partitions (similar to the practice of micro-segmentation).
Host security is only one side of the coin. Docker Bench isn't an exhaustive test, and there are other aspects of maintaining Docker security that shouldn't be overlooked either. Even rock-solid host-level security is no guarantee that compromised containers will not be exploited by attackers to gain a foothold in enterprise systems. This risk can be reduced by additionally using active container vulnerability scanners like Docker Scan (Snyk), Grype, Trivy and Clair. These scanners help to identify security issues and existing problems within containers, such as outdated dependencies that could turn into a potential threat. Let's dive deeper into these useful tools.
Vulnerability assessment and scanning of local Docker images allows developers and development teams to review the security state of their container images and take action to fix issues identified during the scan, resulting in more secure deployments. Docker Scan runs on the Snyk engine, providing users with visibility into the security posture of their local Dockerfiles and local images. Snyk offers a comprehensive set of features for container security tasks, including real-time vulnerability monitoring. Snyk uses machine learning algorithms to scan Docker images and their dependencies to identify vulnerabilities. Based on the findings it generates a prioritized list of recommendations for remediation. Read more about Docker Scan using the Snyk engine here.
Source: CNCF Cloud Native Security Whitepaper
For the next step of container image hardening, Grype can be used. Grype is a vulnerability scanner for container images and file systems. Grype works with Syft, a powerful tool that generates software bills of materials (SBOMs) for container images and filesystems. Currently, Grype is built only for macOS and Linux. Grype addresses an important topic for container security: the necessity that images be rebuilt regularly to make sure they include the latest packages and patches. Thus, hardening procedures need to be incorporated into CI/CD pipelines. Grype works similarly to Snyk. First, it scans the Docker image to identify the status of patches and packages. Based on the results, a new image is built with additional mitigating protections. The new version can then be used as the base for the respective application. Learn more on how to install Grype.
Trivy is a simple and comprehensive vulnerability scanner for container images and file systems, but it is also suitable for Git repositories and for detecting configuration issues. Trivy detects vulnerabilities in operating system packages and language-specific packages. Learn more on how to install Trivy.
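A pipeline gate of the kind described above, as an added example that is neither the post's nor the Grype project's own code: it assumes the shape of a `grype <image> -o json` report (a top-level `matches` list whose entries carry `vulnerability` and `artifact` objects) and runs over a constructed sample report with placeholder CVE ids. It fails the build on fixable findings at or above a severity threshold and collects the package versions to bump when the image is rebuilt.

```python
import json
import sys

# Severity order as Grype reports it (assumed from the tool's JSON output).
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed Grype-style report; CVE ids and packages are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.3-r1"], "state": "fixed"}},
     "artifact": {"name": "openssl", "version": "1.2.3-r0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "busybox", "version": "1.35.0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "requests", "version": "2.0.0", "type": "python"}},
]})


def evaluate(report_json, fail_on="High", require_fix=True):
    """Return (blocking, rebuild_hints).

    blocking: findings that should fail the pipeline stage.
    rebuild_hints: package -> first fixed version, i.e. what to bump
    when the hardened image is rebuilt (collected for every severity).
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, hints = [], {}
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        sev = SEVERITY_RANK.get(vuln.get("severity", "Negligible"), 0)
        fix = vuln.get("fix", {})
        fixed = fix.get("state") == "fixed" and bool(fix.get("versions"))
        if fixed:
            hints[art["name"]] = fix["versions"][0]
        if sev < threshold:
            continue
        # Findings without an upstream fix are tracked but do not block the build.
        if require_fix and not fixed:
            continue
        blocking.append(f'{vuln["id"]} {art["name"]}@{art["version"]} ({vuln["severity"]})')
    return blocking, hints


if __name__ == "__main__":
    blocking, hints = evaluate(SAMPLE_REPORT)
    for line in blocking:
        print("BLOCKING:", line)
    for pkg, ver in hints.items():
        print(f"rebuild with {pkg} >= {ver}")
    sys.exit(1 if blocking else 0)
```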
Each scanner has its own strengths and weaknesses. While Trivy and Grype have their merits, they are not specifically designed to scan Git repositories directly; they are primarily intended for container image scanning. Therefore, Snyk is the perfect complement for GitHub/GitLab integration. Snyk's GitHub integration lets you:
After you have connected GitHub to Snyk, you can use:
Learn more on how to integrate Snyk with GitHub
DockerSlim is a tool that provides a set of commands to simplify and optimize the developer experience with containers. It makes containers better, smaller and more secure. DockerSlim optimizes containers by understanding the application and its needs using various analysis techniques, and discards content the application doesn't really need. This reduces the attack surface of the respective container. Containers tend to grow over time, and developers are often taken aback by the size of their containers. Bloated container images can negatively impact application performance, but, beyond that, they can also carry unnecessary security risks. DockerSlim's xray command obtains details about the image's size. The command performs a static analysis of the target container image and reverse-engineers the Dockerfile from the image, showing what is inside the container image and why it is so big. Learn more on how to install DockerSlim.
Definitely, yes! Containers offer huge advantages and play an important role in a future-proof setup for enterprise IT. Thus, container security is of utmost importance. If you want to utilize the benefits of the technology, be prepared to implement the respective security measures. That starts with transparency, and the good news is: there are many tools for container vulnerability scanning and remediation, and most of them are publicly available. If you are unsure about your container posture and security gaps, take the time to do a review or contact our expert container consultants.
T-Systems is an expert on containers and an experienced cloud services partner. You can rely on them to tackle container security. This is especially advantageous for teams that want to focus primarily on development and business alignment. T-Systems offers out-of-the-box services for assessments and continuous managed services. For container usage on AWS, an Elastic Kubernetes Service Well-Architected Review performed by T-Systems can be especially beneficial. Within two weeks, we identify gaps in your container environment and provide remediation proposals. Also, if you prefer to relieve your team of container management entirely, we can take over the task with our Managed Cloud Container Services. We can elevate your containers to meet current best practices.