
TNS Research: A Scan of the Container Vulnerability Scanner Landscape


Container registries and vulnerability scanners are often bundled together, but they are not the same thing. Code scanning may occur at multiple points in a container deployment workflow. Some scanners are bundled with existing solutions, while others are point solutions. Their differences can be measured by the data sources they use, what is being checked, and the actions automatically taken as a result of a scan.

Scanners review artifacts based on a certain set of criteria, such as policies or the inclusion of specific code. For the purposes of this article, we focus just on scanning for vulnerabilities in both applications and container images. Scans of applications can determine if they were built using widely tested packages coming from popular repositories. Scanning images can also review applications, but in addition it looks for vulnerabilities due to the unique deployment environments they were built for.

Some container registries are constantly scanned for vulnerabilities with a bundled technology. For example, CoreOS’s Clair scans Quay.io, Docker Security Scanning works with Docker Trusted Registry, and Red Hat has built a new scanner in Project Atomic for its Atomic Registry. Although Docker Store is still in beta, it promises to offer for sale images that are scanned and approved by the company. FlawCheck Private Registry has a custom scanner built into its product. These registries promise “secure” container images for developers to deploy their code.

Other scanners, such as Aqua Peekr, Anchore, and Twistlock Trust, work independently of specific registries, which may be valuable if you are utilizing container images from multiple different sources. These solutions can be connected directly to multiple parts of build/deploy pipelines. The workflow in the following graphic from Anchore shows a developer building an application on top of a publicly available image, and then analyzing and certifying the newly built image. The image then goes back into the CI/CD workflow for testing.

Anchore’s scanner is used again before the application is deployed. At this stage in the process the image goes through the same security scanning, but more importantly, it is being evaluated to determine if and how it will be deployed into production. By this time, security and operations teams have already created policies that regulate which containers are kosher and what types of resources they are allowed to utilize.
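The two ideas above, that a scan produces data and that a separate policy decides what action is taken on that data before deployment, can be shown as a small pre-deploy policy gate. The following is an added illustration, not code from The New Stack, Anchore, Clair or any other product in this article. The JSON-like scan report, the CVE identifiers (placeholders), the image names and the policy fields are all constructed for the example; every real scanner emits its own report schema, so the shape here is an assumption.

```python
"""Pre-deploy policy gate over a container image scan result.

Added example, not taken from any scanner named in the article.
The report layout and all identifiers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordering used to compare a finding against the policy's ceiling.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    """What security and operations teams agreed an image must satisfy."""
    max_severity: str                         # highest severity still allowed
    allowed_registries: set = field(default_factory=set)   # approved pull sources
    allowed_base_images: set = field(default_factory=set)  # approved base images
    max_unfixed: int = 0                      # findings with no fix we tolerate


def evaluate(report: dict, policy: Policy) -> tuple[bool, list[str]]:
    """Return (admitted, reasons). An empty reasons list means the image passes.

    Assumes base_image is a fully qualified reference (registry/repo:tag).
    """
    reasons: list[str] = []

    # Provenance: where the base layer came from and whether ops approved it.
    base = report["base_image"]
    registry = base.split("/", 1)[0]
    if registry not in policy.allowed_registries:
        reasons.append(f"base image pulled from unapproved registry {registry}")
    if base not in policy.allowed_base_images:
        reasons.append(f"base image {base} is not on the approved list")

    # Vulnerabilities: compare each finding against the severity ceiling and
    # count findings the upstream package has no fix for yet.
    limit = SEVERITY_RANK[policy.max_severity]
    unfixed = 0
    for v in report["vulnerabilities"]:
        rank = SEVERITY_RANK.get(v["severity"].lower())
        if rank is None:
            reasons.append(f"{v['id']}: unrecognised severity {v['severity']!r}")
            continue
        if rank > limit:
            reasons.append(
                f"{v['id']} in {v['package']} is {v['severity']}, "
                f"above the {policy.max_severity} limit"
            )
        if not v.get("fixed_in"):
            unfixed += 1
    if unfixed > policy.max_unfixed:
        reasons.append(
            f"{unfixed} findings have no fix available (limit {policy.max_unfixed})"
        )
    return (not reasons, reasons)


# Constructed scan report; CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "image": "registry.example.internal/shop/api:1.4.2",
    "base_image": "docker.io/library/debian:9",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "openssl", "severity": "High", "fixed_in": "1.1.0f-3"},
        {"id": "CVE-0000-0002", "package": "libc6", "severity": "Medium", "fixed_in": None},
        {"id": "CVE-0000-0003", "package": "curl", "severity": "Low", "fixed_in": "7.52.1-5"},
    ],
}

APPROVED_REGISTRIES = {"docker.io", "registry.example.internal"}
APPROVED_BASES = {"docker.io/library/debian:9", "docker.io/library/alpine:3.6"}

# Production tolerates nothing above medium and no unfixed findings;
# a development environment is deliberately looser.
PRODUCTION_POLICY = Policy("medium", APPROVED_REGISTRIES, APPROVED_BASES, max_unfixed=0)
DEV_POLICY = Policy("high", APPROVED_REGISTRIES, APPROVED_BASES, max_unfixed=5)


if __name__ == "__main__":
    for name, policy in (("production", PRODUCTION_POLICY), ("dev", DEV_POLICY)):
        admitted, reasons = evaluate(SAMPLE_REPORT, policy)
        print(f"{SAMPLE_REPORT['image']} -> {name}: {'ADMIT' if admitted else 'DENY'}")
        for r in reasons:
            print("   ", r)
```

The same report is denied for production (a high finding above the ceiling, plus one finding without a fix) but admitted for development, which is the point of separating the scan from the policy: the data source is identical, and what differs is the action taken.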


[Figure] The image from Anchore’s site shows how it can fit into a CI/CD workflow.

We have included below twelve examples of container vulnerability scanning solutions. This list purposefully excludes tools that scan and manage application packages and repositories. As described in this CloudMunch article, there is an argument that DevOps should think of its process through a build-driven rather than an image-driven lens. Fred Simon, JFrog’s chief technology officer, made this argument by saying, “You don’t distribute an application anymore, you distribute the full stack.” If this angle is taken, then inspection tools from JFrog or Sonatype would come into the discussion.

Container Vulnerability Scanning Projects (Project; Company/Sponsor; Project Description)

Anchore (Anchore): A set of tools to provide visibility, transparency, and control of your container environment. It consists of two parts: a web service hosted by Anchore, and a set of open source command-line query tools. The hosted service selects and analyzes popular container images from DockerHub and other sources, and provides this metadata as a service to the on-premise command-line tools.

Aqua Container Security Platform (Aqua Security Software): Provides a scalable security solution that protects containerized applications against internal and external threats.

Aqua Peekr (Aqua Security Software): Free scanner of container images across different types of registries.

BanyanOps (BanyanOps): The company has yet to launch its product, which will focus on analyzing images, and wants to accelerate IT operations with containers.

Clair (CoreOS): A container vulnerability analysis service providing static analysis of vulnerabilities in appc and docker containers.

Docker Cloud (Docker): A SaaS service for deploying and managing Dockerized applications. Docker Cloud includes Docker Security Scanning, which reviews images in private repositories to verify that they are free from known security vulnerabilities or exposures, and reports the results of the scan for each image tag. Docker Trusted Registry is included in the subscription.

Docker Store (Docker): A place to find trusted commercial and free software distributed as Docker images. All Docker Official Images and Store Curated content go through Docker Security Scanning.

FlawCheck Private Registry (FlawCheck): A cloud-hosted container registry that hosts Docker containers. It scans containers for vulnerabilities and malware. It is also available in an on-premise version.

Vulnerability Advisor (IBM): Vulnerability Advisor is a capability of IBM Containers on Bluemix. It gives container developers a view into their image security properties as well as guidance on how images should be improved to meet common sense best practices and upgrade to known industry fixes. Using Vulnerabi
