Even with strong host-level security, a compromised container can give an attacker a foothold in your system. You can reduce this risk by using Docker Bench together with active container vulnerability scanners such as Docker scan (Snyk), Grype, Trivy and Clair. These help you identify problems inside your containers, such as outdated dependencies that could be exploited.
Using docker scan
Scanning local Docker images for vulnerabilities
Vulnerability scanning of local Docker images lets developers and development teams review the security state of their container images and take action to fix the issues found during the scan, leading to more secure deployments. Docker Scan runs on the Snyk engine and gives users visibility into the security posture of their local Dockerfiles and local images.
$ docker scan --accept-license --version
Version: v0.16.0
Git commit: e135637
Provider: Snyk (1.809.0)
macpro$ docker scan postgres:12
\ Analyzing container dependencies for postgres:12
Testing postgres:12...
✗ Low severity vulnerability found in tar
Description: CVE-2005-2541
Info: https://snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
Introduced through: meta-common-packages@meta
From: meta-common-packages@meta > tar@1.34+dfsg-1
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in apt/libapt-pkg6.0
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-APT-522585
Introduced through: postgresql-12@12.9-1.pgdg110+1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4
✗ High severity vulnerability found in perl/perl-base
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976
Introduced through: meta-common-packages@meta, perl/libperl5.32@5.32.1-4+deb11u2, perl@5.32.1-4+deb11u2, perl/perl-modules-5.32@5.32.1-4+deb11u2
From: meta-common-packages@meta > perl/perl-base@5.32.1-4+deb11u2
From: perl/libperl5.32@5.32.1-4+deb11u2
From: perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
and 4 more.
✗ High severity vulnerability found in libgcrypt20
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
Introduced through: gnupg2/dirmngr@2.2.27-2, gnupg2/gnupg@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/dirmngr@2.2.27-2 > gnupg2/gpgconf@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/gnupg@2.2.27-2 > gnupg2/gnupg-utils@2.2.27-2 > libgcrypt20@1.8.7-6
and 9 more.
✗ Critical severity vulnerability found in glibc/libc-bin
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
Introduced through: glibc/locales@2.31-13+deb11u2, postgresql-12@12.9-1.pgdg110+1, meta-common-packages@meta
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-bin@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-l10n@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2
and 2 more.
Package manager: deb
Project name: docker-image|postgres
Docker image: postgres:12
Platform: linux/amd64
Base image: postgres:12.9-bullseye
Tested 147 dependencies for known vulnerabilities, found 48 vulnerabilities.
According to our scan, you are currently using the most secure version of the selected base image
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
Vulnerability scanning of container images and filesystems with Grype
Grype is a vulnerability scanner for container images and filesystems. It is easy to install as a single binary so you can try it out. It works alongside Syft, a powerful SBOM (software bill of materials) tool for container images and filesystems.
Installation
Recommended
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
...or, you can specify a release version and destination directory for the installation:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
brew
brew tap anchore/grype
brew install grype
Note: at present, Grype is only available for macOS and Linux.
$ grype k8s.gcr.io/kube-scheduler:v1.22.5 --scope all-layers
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [3 packages]
✔ Scanned image [0 vulnerabilities]
No vulnerabilities found
macpro$ grype postgres:12 --scope all-layers
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [718 packages]
✔ Scanned image [550 vulnerabilities]
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
apt 2.2.4 CVE-2011-3374 Negligible
coreutils 8.32-4+b1 (won't fix) CVE-2016-2781 Low
coreutils 8.32-4+b1 CVE-2017-18018 Negligible
github.com/opencontainers/runc v1.0.1 1.0.3 GHSA-v95c-p5hm-xq8f Medium
libapt-pkg6.0 2.2.4 CVE-2011-3374 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-bin 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-bin 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-bin 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc-l10n 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc6 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc6 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc6 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc6 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc6 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc6 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc6 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libgcrypt20 1.8.7-6 (won't fix) CVE-2021-33560 High
libgcrypt20 1.8.7-6 CVE-2018-6829 Negligible
libgnutls30 3.7.1-5 CVE-2011-3389 Medium
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libkrb5-3 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libkrb5-3 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libkrb5support0 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libkrb5support0 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2015-3276 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2017-14159 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2017-17740 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2020-15719 Negligible
libncursesw6 6.2+20201114-2 CVE-2021-39537 Negligible
libpcre3 2:8.39-13 CVE-2017-11164 Negligible
libpcre3 2:8.39-13 CVE-2017-16231 Negligible
libpcre3 2:8.39-13 CVE-2017-7245 Negligible
libpcre3 2:8.39-13 CVE-2017-7246 Negligible
libpcre3 2:8.39-13 CVE-2019-20838 Negligible
libperl5.32 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
libperl5.32 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
libsepol1 3.1-1 (won't fix) CVE-2021-36084 Low
libsepol1 3.1-1 (won't fix) CVE-2021-36085 Low
libsepol1 3.1-1 (won't fix) CVE-2021-36086 Low
libsepol1 3.1-1 (won't fix) CVE-2021-36087 Low
libsqlite3-0 3.34.1-3 CVE-2021-36690 Negligible
libssl1.1 1.1.1k-1+deb11u1 CVE-2007-6755 Negligible
libssl1.1 1.1.1k-1+deb11u1 CVE-2010-0928 Negligible
libsystemd0 247.3-6 CVE-2013-4392 Negligible
libsystemd0 247.3-6 CVE-2020-13529 Negligible
libsystemd0 247.3-6 (won't fix) CVE-2021-3997 Unknown
libtinfo6 6.2+20201114-2 CVE-2021-39537 Negligible
libudev1 247.3-6 CVE-2013-4392 Negligible
libudev1 247.3-6 CVE-2020-13529 Negligible
libudev1 247.3-6 (won't fix) CVE-2021-3997 Unknown
libxslt1.1 1.1.34-4 CVE-2015-9019 Negligible
locales 2.31-13+deb11u2 CVE-2021-43396 Negligible
locales 2.31-13+deb11u2 CVE-2021-3998 Unknown
locales 2.31-13+deb11u2 CVE-2021-3999 Unknown
locales 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
locales 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
locales 2.31-13+deb11u2 CVE-2010-4756 Negligible
locales 2.31-13+deb11u2 CVE-2018-20796 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010022 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010023 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010024 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010025 Negligible
locales 2.31-13+deb11u2 CVE-2019-9192 Negligible
locales 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
login 1:4.8.1-1 CVE-2007-5686 Negligible
login 1:4.8.1-1 CVE-2013-4235 Negligible
login 1:4.8.1-1 CVE-2019-19882 Negligible
ncurses-base 6.2+20201114-2 CVE-2021-39537 Negligible
ncurses-bin 6.2+20201114-2 CVE-2021-39537 Negligible
openssl 1.1.1k-1+deb11u1 CVE-2007-6755 Negligible
openssl 1.1.1k-1+deb11u1 CVE-2010-0928 Negligible
passwd 1:4.8.1-1 CVE-2007-5686 Negligible
passwd 1:4.8.1-1 CVE-2013-4235 Negligible
passwd 1:4.8.1-1 CVE-2019-19882 Negligible
perl 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-base 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-base 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-modules-5.32 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-modules-5.32 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
tar 1.34+dfsg-1 CVE-2005-2541 Negligible
Hardening a Docker image means scanning it for vulnerabilities, building a new image with additional mitigating protections, and then using that version as the base for your application. You need to scan and rebuild images regularly so that they contain the latest packages and patches. Integrating hardening into your image build pipeline is a best practice.
Remember that container security best practices cover more than the delivered application and the container image itself. You also need to include the full stack of components used to build, distribute and, in particular, run containers.
One focus of cloud-native security is addressing container security risks as early as possible. Doing so late in the development lifecycle slows cloud adoption while increasing security and compliance risk.
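One way to put the scan into a build pipeline, as an added example that is not code from the original post or from the Grype project: a small POSIX sh gate that reads Grype's table output (the five-column NAME / INSTALLED / FIXED-IN / VULNERABILITY / SEVERITY layout shown above; the script assumes that layout), blocks the build when a finding at or above a chosen severity has a fixed version, and only counts "(won't fix)" findings so they can be tracked as accepted risk rather than failing every build. The sample lines are copied from the postgres:12 table above.

```shell
#!/bin/sh
# Added example (not from the original post or the Grype project).
# gate_findings THRESHOLD: reads a Grype table on stdin, prints the findings
# that are at or above THRESHOLD and have a fix, and exits 1 if there are any.
set -eu

gate_findings() {
  awk -v threshold="$1" '
    function rank(s) {
      if (s == "Critical") return 5
      if (s == "High") return 4
      if (s == "Medium") return 3
      if (s == "Low") return 2
      if (s == "Negligible") return 1
      return 0                      # "Unknown" never trips the gate by itself
    }
    BEGIN { min = rank(threshold); fixable = 0; deferred = 0 }
    $1 == "NAME" || NF < 4 { next } # skip the header and blank lines
    {
      name = $1; installed = $2; sev = $NF; vuln = $(NF - 1)
      # NF==4: no fix listed; NF==5: a fixed version; NF==6: marked not fixable
      fixed = (NF == 5) ? $3 : ""
      if (rank(sev) < min) next
      if (fixed != "") { print name, installed, fixed, vuln, sev; fixable++ }
      else if (NF == 6) deferred++
    }
    END {
      printf "gate: %d fixable, %d not fixable at or above %s\n", \
        fixable, deferred, threshold > "/dev/stderr"
      if (fixable > 0) exit 1
    }'
}

# Constructed sample: lines copied from the postgres:12 Grype table above.
SAMPLE=$(cat <<'EOF'
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
apt 2.2.4 CVE-2011-3374 Negligible
coreutils 8.32-4+b1 (won't fix) CVE-2016-2781 Low
github.com/opencontainers/runc v1.0.1 1.0.3 GHSA-v95c-p5hm-xq8f Medium
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libgcrypt20 1.8.7-6 (won't fix) CVE-2021-33560 High
EOF
)

# In a pipeline this would be: grype "$IMAGE" --scope all-layers | gate_findings Medium
printf '%s\n' "$SAMPLE" | gate_findings Medium || echo "gate: build blocked (rc=$?)"
```

With the sample above the Medium gate blocks on the runc finding (a fix exists), while the Critical and High entries are reported as not fixable and left for a separate risk-acceptance decision.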