Even if you have strong host-level security, infected containers can give attackers a foothold in your system. You can reduce this risk by using Docker Bench and active container vulnerability scanners such as Docker scan (snyk), Grype, Trivy, and Clair. These will help you identify issues in the container, such as outdated dependencies that may be exploited.
Scan Docker local images for vulnerabilities with docker scan
Vulnerability scanning of Docker native images allows developers and development teams to view the security status of container images and take action to fix issues found during the scan, resulting in safer deployments. Docker Scan runs on the Snyk engine and provides users with visibility into the security posture of their local Dockerfiles and local images.
$ docker scan --accept-license --version
Version: v0.16.0
Git commit: e135637
Provider: Snyk (1.809.0)
macpro$ docker scan postgres:12
\ Analyzing container dependencies for postgres:12
Testing postgres: 12...
✗ Low severity vulnerability found in tar
Description: CVE-2005-2541
Info: https://snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
Introduced through: meta-common-packages@meta
From: meta-common-packages@meta > tar@1.34+dfsg-1
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in apt/libapt-pkg6.0
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-APT-522585
Introduced through: postgresql-12@12.9-1.pgdg110+1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg- keyring@2018.2 > apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg- keyring@2018.2 > apt@2.2.4
✗ High severity vulnerability found in perl/perl-base
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976
Introduced through: meta-common-packages@meta, perl/libperl5.32@5.32.1-4+deb11u2, perl@5.32.1-4+deb11u2, perl/perl-modules-5.32@5.32.1-4+deb11u2
From: meta-common-packages@meta > perl/perl-base@5.32.1-4+deb11u2
From: perl/libperl5.32@5.32.1-4+deb11u2
From: perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
and 4 more.
✗ High severity vulnerability found in libgcrypt20
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
Introduced through: gnupg2/dirmngr@2.2.27-2, gnupg2/gnupg@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/dirmngr@2.2.27-2 > gnupg2/gpgconf@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/gnupg@2.2.27-2 > gnupg2/gnupg-utils@2.2.27-2 > libgcrypt20@1.8.7-6
and 9 more.
✗ Critical severity vulnerability found in glibc/libc-bin
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
Introduced through: glibc/locales@2.31-13+deb11u2, postgresql-12@12.9-1.pgdg110+1, meta-common-packages@meta
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-bin@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-l10n@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2
and 2 more.
Package manager: deb
Project name: docker-image|postgres
Docker image: postgres:12
Platform: linux/amd64
Base image: postgres:12.9-bullseye
Tested 147 dependencies for known vulnerabilities, found 48 vulnerabilities.
According to our scan, you are currently using the most secure version of the selected base image
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcpVulnerability scanner for container images and filesystems using Grype
Grype is a vulnerability scanner for container images and filesystems. Easily install binaries to try them out. Works with Syft, a powerful SBOM (Software Bill of Materials) tool for container images and filesystems.
Install
recommend
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
...or, you can specify a release version and destination directory for the installation:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>brew
brew tap anchore/grype
brew install grypeNote: Currently, Grype is only available for macOS and Linux.
$ grype k8s.gcr.io/kube-scheduler:v1.22.5 --scope all-layers
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [3 packages]
✔ Scanned image [0 vulnerabilities]
No vulnerabilities found
macpro$ grype postgres:12 --scope all-layers
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [718 packages]
✔ Scanned image [550 vulnerabilities]
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
apt 2.2.4 CVE-2011-3374 Negligible
coreutils 8.32-4+b1 (won't fix) CVE-2016-2781 Low
coreutils 8.32-4+b1 CVE-2017-18018 Negligible
github.com/opencontainers/runc v1.0.1 1.0.3 GHSA-v95c-p5hm-xq8f Medium
libapt-pkg6.0 2.2.4 CVE-2011-3374 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-bin 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-bin 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-bin 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc-l10n 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc6 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc6 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc6 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc6 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc6 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc6 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc6 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libgcrypt20 1.8.7-6 (won't fix) CVE-2021-33560 High
libgcrypt20 1.8.7-6 CVE-2018-6829 Negligible
libgnutls30 3.7.1-5 CVE-2011-3389 Medium
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libkrb5-3 1.18.3-6+deb11u-2019-19882 Negligible
perl 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-base 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-base 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-modules-5.32 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-modules-5.32 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
tar 1.34+dfsg-1 CVE-2005-2541 NegligibleHardening a Docker image involves scanning it for vulnerabilities, building a new image with additional mitigations, and then using that version as the basis for your application. You need to scan and rebuild images regularly to ensure they contain the latest packages and patches. It is a best practice to incorporate hardening into your image build pipeline.
Remember, container security best practices include more than just the delivered applications and container images themselves. You also need to include a full stack of components for building, distributing, and specifically executing containers.
One of the focuses of cloud-native security is to address container security risks as quickly as possible. Doing so late in the development lifecycle can slow the pace of cloud adoption while increasing security and compliance risks.
发表评论 取消回复