Running your code in containers is a great way to manage and deploy software. All of the code needed to run your app is inside containers. Containers help solve the “well it worked on my laptop” issue that was quite prevalent in the past.

That’s great but how are you managing security within each container?

What’s in your container?

Inside every container are numerous Linux packages that your code needs to run. Are all of them secure? Is your Linux distro secure?

What is container security scanning?

Container security scanning is parsing through the packages, layers or other dependencies that are defined in a container image, then checking whether there are any known vulnerabilities in those packages or dependencies.

Today we’ll look at some container security scanner applications that you can use. The majority are free and open source.

Clair

Clair is an open source project developed by CoreOS for the static analysis of vulnerabilities in appc and Docker containers.

https://github.com/coreos/clair

I used a nice project that helps with running Clair locally called clairctl.

Make sure that Clair has been running on its own long enough to download the vulnerability database, then run the command:

docker-compose exec clairctl clairctl analyze -l imiell/bad-dockerfile clairctl

To generate a new report and open it in your browser you should run this command:

docker-compose exec clairctl clairctl report -l imiell/bad-dockerfile

(Screenshot: HTML report)

Great! You’ve run your first container security scan.

It can be integrated directly with your container registry or into your CI/CD pipeline for quick scans.

Anchore Engine

The Anchore Engine is an open source project that provides a centralized service for inspection, analysis and certification of container images. The Anchore Engine is provided as a Docker container image that can be run standalone or within an orchestration platform such as Kubernetes, Docker Swarm, Rancher, Amazon ECS and other container orchestration platforms.

The instructions for Anchore Engine are really simple copy-and-paste steps. You create a directory, download a config file and then run docker-compose to start the server and database.

Once the Engine is up and running, you can begin to interact with the system using the CLI.

List the feeds and wait for at least one vulnerability data feed sync to complete (the first sync can take some time, 20-30 minutes):

anchore-cli system feeds list

(Screenshot: Anchore feed list)

Once the server is running, you can use the Anchore CLI. The CLI has commands to add an image to the engine, query for status and print out a report.

anchore-cli image add imiell/bad-dockerfile

anchore-cli image vuln imiell/bad-dockerfile all

(Screenshot: Anchore vulnerability result)

Aqua Microscanner

Aqua makes open source security software. Aqua Microscanner takes a different approach to scanning than the other options: to enable scanning you simply add 3 lines to a Dockerfile. The free version does come at the cost of providing an email address. There is also a paid enterprise version that adds more features.

# Fetch the scanner binary into the image
ADD https://get.aquasec.com/microscanner .
RUN chmod +x microscanner
# Run the scan at build time; {token} is the token Aqua emails you on registration
RUN ./microscanner {token}

Aqua Microscanner outputs a big block of JSON.

(Screenshot: Aqua Microscanner JSON result)

Summary

All of the scanning applications I tested were extremely simple to get up and running. Aqua Microscanner is definitely the simplest to integrate.

These scanners mostly work by enumerating installed OS packages and comparing versions to the CVE database.
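To make that mechanism concrete, here is an added example (not code from this post or from any of the scanners above) of the core of such a scanner in Python: a package inventory like the one read from /var/lib/dpkg/status inside an image is matched against a vulnerability feed, and each installed version is compared to the first fixed version using Debian's dpkg ordering rules. The package names, versions and EXAMPLE-* advisory ids are constructed; the epoch, revision and '~' cases show why a plain string comparison is not good enough.

```python
import re
from itertools import zip_longest

# Constructed package inventory, as a scanner would read it from /var/lib/dpkg/status
# inside an image layer: package name -> installed version.
INSTALLED = {"openssl": "1.0.2g-1ubuntu4",
             "bash": "4.3-14ubuntu1.2",
             "curl": "7.47.0-1ubuntu2.1~rc1"}
# Constructed feed: (placeholder advisory id, package, first fixed version).
FEED = [("EXAMPLE-0001", "openssl", "1.0.2g-1ubuntu4.10"),
        ("EXAMPLE-0002", "bash", "4.3-14ubuntu1.2"),
        ("EXAMPLE-0003", "curl", "7.47.0-1ubuntu2.1")]

def _order(c):
    # dpkg character order: '~' before everything (even end of string), letters before symbols.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare an upstream or revision string as dpkg does: alternating non-digit and numeric runs.
    while a or b:
        i, j = re.match(r"\D*", a).end(), re.match(r"\D*", b).end()
        for x, y in zip_longest(a[:i], b[:j], fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[i:], b[j:]
        i, j = re.match(r"\d*", a).end(), re.match(r"\d*", b).end()
        na, nb = int(a[:i] or 0), int(b[:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[i:], b[j:]
    return 0

def dpkg_compare(v1, v2):
    # -1, 0 or 1 for v1 <, == or > v2: epoch first, then upstream version, then Debian revision.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def scan(installed, feed):
    # Flag every feed entry whose package is installed at a version older than the fix.
    return [(adv, pkg, installed[pkg], fixed) for adv, pkg, fixed in feed
            if pkg in installed and dpkg_compare(installed[pkg], fixed) < 0]
```

Running `scan(INSTALLED, FEED)` flags openssl and curl but not bash; note that curl is flagged only because '~rc1' sorts below the release, which a naive string comparison would get backwards.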

I don’t consider this blog complete and will continue to add to it as I find out more information. Many of these scanners do more than just output CVEs to a console. Some integrate with other server components and have many different options which I’ve not really looked into.

If you have any feedback please leave a message in the comment section or feel free to get in touch with me.