Docker Security Scanning (Docker Austin meetup on 5/17)
TRANSCRIPT
Docker Security Scanning
Project formerly known as Nautilus
Nautilus backstory, courtesy of a crate.io blog post:
Docker originally named its security project after the nautilus, an old marine mollusk that lives in a spiral shell. It has up to ninety tentacles probing its environment. The shell consists of a sequence of confined chambers that relate to the layered components of a Docker image.
Yes, we are that deep.
What Is Docker Security Scanning (formerly known as Project Nautilus)?
● Image scanning and vulnerability detection
○ Binary Vulnerability Scanner
■ Upload your image, we do binary scanning of all components
■ A lot more than just a dpkg -l joined to a CVE database
■ Finds all statically-linked libraries
■ Shows all the vulnerabilities in each component
■ Handles backports - e.g. CVE 2016-abc-123 is backported to glibc 2.19-18+deb8u4
■ Licensing information
■ Covers all major Linux distros, and Windows
● Continued Vulnerability Monitoring
○ Notifications of newly discovered vulnerabilities
○ Find all affected repo owners, send them email
○ Prevents people from canceling since new vulns are always coming
■ Last week was “patch Tuesday” every day, for example
How Security Scanning Works
[Architecture diagram; components shown: Push image, Docker Cloud private repos, Official Images, Scan Trigger, Docker Security Scanning (API, Scanner, CVE Scanning validation service, Plugin Framework, CVE Databases: NIST, Mitre; Database BOM), Signer, Notary, Notifications, Notifications Processor, Codenomicon]
Remediation Strategies
● Move to a cleaner base
○ For example, Alpine has a much smaller footprint and far fewer vulnerabilities
○ Sometimes a similar base layer may be cleaner
■ For a while, debian:jessie was cleaner than ubuntu
● Upgrade your components if they have been patched
○ openssl, openssh, libgc, imagemagick were all fixed last week
● Use Official Images
○ Docker works with upstream publishers to resolve all known vulnerabilities
Future Features
● Integration with DTR (on-prem repos)
● Build pipelines
○ Pass scans with some threshold of CVEs, then sign, then push somewhere else
○ Become part of a bigger rule-based security pipeline
○ Add a test for license compliance - i.e. no GPL in proprietary code
● Suggest which updated component version to use
○ We may have scanned a different version that is cleaner
● Hooks to build/deploy images when some CVE is fixed
○ New CVE discovered
○ Upstream library is fixed
○ Scan passes, CVE is fixed
○ Build a new image and deploy
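The pipeline ideas above (a CVE threshold before sign and push, a license compliance test, and a rebuild hook when a CVE disappears from a scan) fit one small rule-based gate. What follows is an added example written for this page, not Docker's pipeline code or its report format: the scan report, the policy, the image name and the component list are constructed, and the CVE identifiers are placeholders in the page's style. Two details a practitioner would want are built in: CVE counts are taken over distinct CVE ids, so a library found both as a package and as a statically-linked copy is not counted twice against the threshold, and the license rule matches SPDX prefixes rather than the substring "GPL", which would otherwise sweep in LGPL.

```python
"""Rule-based gate for a scan -> sign -> push pipeline (added illustration, not
Docker's pipeline code). The report and policy formats, the image name and the
components are constructed; the CVE identifiers are placeholders in the page's style."""

from collections import Counter

# Constructed scan report: one image, its components, and the CVEs and licence each carries.
SCAN_REPORT = {
    "image": "registry.example.com/acme/api:1.4.2",  # hypothetical image name
    "components": [
        {"name": "openssl", "version": "1.0.1k", "license": "OpenSSL",
         "cves": [{"id": "CVE-2016-abc-124", "severity": "high"}]},
        {"name": "libc6", "version": "2.19", "license": "LGPL-2.1-or-later", "cves": []},
        {"name": "readline", "version": "6.3", "license": "GPL-3.0-only", "cves": []},
        # The application binary statically links the same OpenSSL, so the scanner
        # reports the same CVE a second time against a different component.
        {"name": "acme-api", "version": "1.4.2", "license": "Proprietary",
         "cves": [{"id": "CVE-2016-abc-124", "severity": "high"},
                  {"id": "CVE-2016-abc-125", "severity": "medium"}]},
    ],
}

# Constructed policy: maximum number of distinct CVEs allowed per severity, and the
# SPDX licence prefixes that may not ship inside a proprietary image.
STRICT_POLICY = {
    "max_by_severity": {"critical": 0, "high": 0, "medium": 5, "low": 50},
    "forbidden_license_prefixes": ("GPL-", "AGPL-"),
}


def unique_cves(report):
    """Collapse per-component findings to one entry per CVE id, keeping where it was seen.
    Counting raw findings would double-count a library present both as a package and
    as a statically-linked copy."""
    cves = {}
    for comp in report["components"]:
        for cve in comp["cves"]:
            entry = cves.setdefault(cve["id"], {"severity": cve["severity"], "components": []})
            entry["components"].append(comp["name"])
    return cves


def severity_violations(report, policy):
    """Severities whose distinct-CVE count exceeds the policy limit, with the count."""
    counts = Counter(v["severity"] for v in unique_cves(report).values())
    return {sev: counts[sev] for sev, limit in policy["max_by_severity"].items()
            if counts[sev] > limit}


def license_violations(report, policy):
    """Components whose SPDX licence id starts with a forbidden prefix.
    Prefix matching is deliberate: a substring test for "GPL" would also flag
    LGPL-2.1 (libc6 here), which is not what the policy intends."""
    prefixes = tuple(p.upper() for p in policy["forbidden_license_prefixes"])
    return [(c["name"], c["license"]) for c in report["components"]
            if c["license"].upper().startswith(prefixes)]


def evaluate(report, policy):
    """Combine both rules into one verdict with the reasons for a block."""
    sev, lic = severity_violations(report, policy), license_violations(report, policy)
    return {"allowed": not sev and not lic, "severity_violations": sev, "license_violations": lic}


def run_pipeline(report, policy):
    """Dry run of the gate: returns the stages that would execute plus the verdict.
    'sign' and 'push' are stage names only; nothing is signed (e.g. with Notary) or pushed here."""
    verdict = evaluate(report, policy)
    stages = ["scan", "sign", "push"] if verdict["allowed"] else ["scan", "blocked"]
    return stages, verdict


def resolved_cves(previous_report, new_report):
    """CVE ids present in the previous scan but absent from the new one; a non-empty
    result is what the rebuild/deploy hook would trigger on."""
    return set(unique_cves(previous_report)) - set(unique_cves(new_report))


if __name__ == "__main__":
    print(run_pipeline(SCAN_REPORT, STRICT_POLICY))
```

Under the strict policy the constructed image is blocked for two independent reasons (one distinct high CVE against a limit of zero, and readline's GPL-3.0-only licence), and the verdict says which so the fix can be targeted. Relaxing the high limit to one and dropping the GPL prefix lets the same report through to sign and push; re-scanning after the OpenSSL fix lands and diffing with `resolved_cves` gives the rebuild hook its trigger.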
Basic Questions
1. Support for orgs?
- Generally available with Docker Cloud supported orgs
- Workarounds to support orgs are being tested
2. Public Repos?
- Will have free scanning of public repos eventually, within a few months +/-
3. Which CVE databases do we work with?
- All the major ones: NIST NVD, Mitre, others
- Read from major distribution advisories for CVE backports
4. Does it support Windows?
- Not as well as Linux, but yes it does
5. Can I have it on my repos?
- Soon!