Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
TRANSCRIPT
![Page 1: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/1.jpg)
Open-Source Tools for Security and Compliance with Docker
Zach Hill, Principal Engineer, Anchore Inc.
2/13/2016
![Page 2: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/2.jpg)
Containers require an updated approach
![Page 3: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/3.jpg)
Lots of external inputs
October 2016: 6 billion pulls from Docker Hub; over 375,000 public images, and growing ...
![Page 4: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/4.jpg)
Image Scanning
source: https://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf
![Page 5: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/5.jpg)
Image Scanning Space
Several vendors offer image scanning as part of their solution: registry providers, SDLC infrastructure, security solutions, etc.
Typically a secondary feature that focuses on CVE scanning
![Page 6: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/6.jpg)
Image scanning: What’s in that container?
● Application container? Are you sure?
● Simplest: packages and CVEs
● ADD? COPY?
● Dockerfile?
● Gems, NPMs, jars
● id_rsa? .aws/credentials?
![Page 7: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/7.jpg)
Analysis and reporting on operating system packages:
- required packages
- blacklisted packages
- non-official packages
- required package versions
- available updates that address non-security bugs
Artifacts that should not be present in your image, such as source code and secrets (API keys, passwords, etc.)
Images may contain many 3rd-party components not provided by the operating system vendor, such as:
- Node.js NPM
- Ruby Gems
- Python pip
- Perl CPAN
- Java archives
Configuration files for the operating system, middleware and application components
Image configuration such as the Dockerfile should be validated to ensure that it complies with best practices and your corporate standards.
Any element in the image can be checked, including file permissions and the presence of unpackaged files that are not part of standard packages or libraries.
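As an added illustration (not Anchore's analyzer and not code from the talk), the Python script below walks an exported image filesystem tarball, the kind `docker export` or a saved layer produces, and reports the artifact classes listed above: credential files recognised by path, secret markers found by content, third-party package manifests the OS package manager knows nothing about, Java archives, and compiled-language sources left behind by a build. The sample tarball, the path and content patterns, and the category names are all constructed for this example; the patterns are heuristics to extend, not a complete list.

```python
"""Inspect an exported container image filesystem for artifacts that should not ship.

Added illustration, not Anchore's analyzer. The tarball, patterns and
categories below are constructed for the example so it runs offline.
"""
import io
import re
import tarfile

# Sensitive paths: a hit here is a finding regardless of file content.
SECRET_PATHS = [
    ("ssh private key", re.compile(r"(^|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)$")),
    ("aws credentials file", re.compile(r"(^|/)\.aws/credentials$")),
    ("docker registry auth", re.compile(r"(^|/)\.docker/config\.json$")),
    ("netrc", re.compile(r"(^|/)\.netrc$")),
]
# Content markers sniffed in small files that live at an innocuous path.
SECRET_MARKERS = [
    ("private key block", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws secret key assignment", re.compile(rb"aws_secret_access_key\s*=", re.IGNORECASE)),
    ("aws access key id", re.compile(rb"\bAKIA[0-9A-Z]{16}\b")),
]
# Manifests of components the OS package manager does not track.
COMPONENT_MANIFESTS = {
    "package.json": "npm", "package-lock.json": "npm", "yarn.lock": "npm",
    "Gemfile.lock": "gem", "requirements.txt": "pip", "cpanfile": "cpan",
}
JAVA_ARCHIVES = (".jar", ".war", ".ear")
BUILD_SOURCES = (".c", ".h", ".cpp", ".go", ".java")  # build leftovers, not app code
MAX_SNIFF = 64 * 1024  # do not read large binaries looking for key markers


def normalize_path(name):
    """Strip the './' and leading '/' that different tar writers emit."""
    if name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def analyze_image_tar(fileobj):
    """Walk an image filesystem tarball and return findings grouped by category."""
    findings = {"secrets": [], "components": [], "java_archives": [], "build_sources": []}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # directories, symlinks, devices: nothing to sniff
            path = normalize_path(member.name)
            base = path.rsplit("/", 1)[-1]

            hit = next((label for label, rx in SECRET_PATHS if rx.search(path)), None)
            if hit is None and member.size <= MAX_SNIFF:
                data = tar.extractfile(member).read()
                hit = next((label for label, rx in SECRET_MARKERS if rx.search(data)), None)
            if hit is not None:
                findings["secrets"].append((path, hit))

            if base in COMPONENT_MANIFESTS:
                findings["components"].append((path, COMPONENT_MANIFESTS[base]))
            if base.endswith(JAVA_ARCHIVES):
                findings["java_archives"].append(path)
            if base.endswith(BUILD_SOURCES):
                findings["build_sources"].append(path)
    return findings


def build_sample_image():
    """Constructed sample layer containing the classic mistakes; not a real image."""
    files = {
        "./etc/os-release": b'ID=debian\nVERSION_ID="9"\n',
        "./app/package.json": b'{"name": "shop", "dependencies": {"express": "4.14.0"}}\n',
        "./app/server.js": b"require('express')();\n",
        "./app/src/helper.c": b"int helper(void) { return 0; }\n",
        "./app/lib/helper.jar": b"PK\x03\x04",
        "./root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\n(sample)\n",
        "./root/.aws/credentials": b"[default]\naws_access_key_id = (sample)\n",
        "./app/config.ini": b"[s3]\naws_secret_access_key = (sample)\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for category, items in analyze_image_tar(build_sample_image()).items():
        print(category)
        for item in items:
            print("  ", item)
```

To run it against a real image, replace `build_sample_image()` with an open file handle to the output of `docker export <container> > rootfs.tar`; the content sniffing deliberately skips files larger than 64 KiB so that scanning a large image stays cheap.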
![Page 8: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/8.jpg)
Image Signing?
necessary < signing < sufficient
(A signature proves who published the image, not what is inside it.)
![Page 9: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/9.jpg)
“Compliance”?
Traditional definition
• Externally defined, externally audited
• PCI, HIPAA, etc
General compliance: your org’s requirements
• Driven by your ops and environment requirements
• Best-practices audits and enforcement
Define your criteria and enforce/monitor them
• How the image is constructed and the final output image
• Block usage or just notify? Your choice
• Integrate where it makes sense for your workflow
• No registry or platform requirements
![Page 10: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/10.jpg)
Anchore Overview
Open-Source Analysis and Policy for container images
• Policy-driven
• Deep inspection of container image
• General framework, not just security
• Only depends on Docker
• github.com/anchore/anchore
Open-Source and Extensible
• Easily add your own scripts to any stage
• Similar to SystemV init scripts: drop code in the right place and it just works
Ecosystem monitoring and alerting
• Navigate and keep track of the image ecosystem: online Navigator for UI and notification of public images
![Page 11: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/11.jpg)
Anchore Overview
Anchore Navigator: http://anchore.io
• Image discovery
• Notifications
• Monitor dependent images
Anchore CLI Tools:
● pip install anchore
● docker run anchore/cli
• Local analysis, policy, gates
• Build local db
• Local policy enforcement and definition
Jenkins Plugin
Public Registries
![Page 12: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/12.jpg)
Why does Open-Source Matter for Security?
Trust, but verify
![Page 13: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/13.jpg)
Anchore Engine Flow
Analysis: extract image metadata and data
• Examine the image itself and extract data like files, pkgs, etc
• Includes Dockerfile analysis
• No actions
Gates: analysis + policy
• Use analysis output and gate modules to define and detect trigger conditions
• Evaluate trigger conditions against user policy to emit actions (GO|WARN|STOP)
Queries: examine analysis data directly at any time
• Query modules run against the analysis db only
• Diffs, multi-image queries, statistics, etc
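To make the Analysis, Gates and Policy stages concrete, here is an added Python illustration; it is not Anchore's engine. The gate names (DOCKERFILECHECK, PKGCHECK, SECRETCHECK, VULNCHECK), the trigger names, the sample analysis record (including its placeholder vulnerability id) and the policy table are all invented for this example. Each gate turns analysis data into triggers, the policy maps a (gate, trigger) pair to GO, WARN or STOP, and the final action is the most severe one fired. A notify-only variant of the same policy, with every action demoted to WARN, shows the "block usage or just notify" choice from the compliance slide.

```python
"""Gate-and-policy evaluation over image analysis output (added illustration).

Not Anchore's engine: the gate names, trigger names, the sample analysis
record and the policy table below are all constructed for this example.
"""

# Severity order used to collapse many triggers into one final action.
ACTIONS = {"GO": 0, "WARN": 1, "STOP": 2}

# Constructed analysis record: what an analyzer pass would have extracted
# from the image and its Dockerfile. The vulnerability id is a placeholder.
SAMPLE_ANALYSIS = {
    "dockerfile": [
        "FROM ubuntu:latest",
        "ADD app.tar.gz /app",
        "RUN apt-get update && apt-get install -y telnet",
        "EXPOSE 22 8080",
        'CMD ["/app/run"]',
    ],
    "packages": {"openssl": "1.1.0e-1", "telnet": "0.17-41", "curl": "7.52.1-5"},
    "secrets": ["root/.aws/credentials"],
    "vulns": [{"id": "EXAMPLE-VULN-1", "severity": "High",
               "package": "openssl", "fix": "1.1.0f-1"}],
}


# Each gate maps the analysis record to a list of (trigger, detail) tuples.
def dockerfile_gate(a):
    triggers = []
    for line in a["dockerfile"]:
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM" and (":" not in args or args.endswith(":latest")):
            triggers.append(("NOTAG", line))    # unpinned base image
        if instr == "ADD":
            triggers.append(("ADD", line))      # ADD unpacks/fetches; prefer COPY
        if instr == "EXPOSE" and "22" in args.split():
            triggers.append(("EXPOSE", line))   # sshd inside a container
    if not any(l.upper().startswith("USER ") for l in a["dockerfile"]):
        triggers.append(("NOUSER", "no USER instruction; process runs as root"))
    return triggers


def pkg_gate(a, blacklist=("telnet", "netcat")):
    return [("PKGBLACKLIST", f"{p} {v}") for p, v in a["packages"].items() if p in blacklist]


def secret_gate(a):
    return [("SECRETFOUND", path) for path in a["secrets"]]


def vuln_gate(a):
    return [("VULN" + v["severity"].upper(),
             f"{v['id']} in {v['package']} (fix: {v['fix']})") for v in a["vulns"]]


GATES = {
    "DOCKERFILECHECK": dockerfile_gate,
    "PKGCHECK": pkg_gate,
    "SECRETCHECK": secret_gate,
    "VULNCHECK": vuln_gate,
}

# Policy: (gate, trigger) -> action. A trigger the policy does not mention
# is still reported but does not affect the outcome (GO).
SAMPLE_POLICY = {
    ("DOCKERFILECHECK", "NOTAG"): "WARN",
    ("DOCKERFILECHECK", "ADD"): "WARN",
    ("DOCKERFILECHECK", "EXPOSE"): "STOP",
    ("DOCKERFILECHECK", "NOUSER"): "WARN",
    ("PKGCHECK", "PKGBLACKLIST"): "STOP",
    ("SECRETCHECK", "SECRETFOUND"): "STOP",
    ("VULNCHECK", "VULNHIGH"): "STOP",
    ("VULNCHECK", "VULNMEDIUM"): "WARN",
}


def evaluate(analysis, policy):
    """Run every gate, apply the policy, return (final_action, rows)."""
    rows = []
    for gate, fn in GATES.items():
        for trigger, detail in fn(analysis):
            rows.append((gate, trigger, policy.get((gate, trigger), "GO"), detail))
    final = max((r[2] for r in rows), key=ACTIONS.__getitem__, default="GO")
    return final, rows


def notify_only(policy):
    """Same triggers, but nothing blocks: the 'just notify' choice."""
    return {k: "WARN" for k in policy}


if __name__ == "__main__":
    for name, pol in (("enforcing", SAMPLE_POLICY), ("notify-only", notify_only(SAMPLE_POLICY))):
        final, rows = evaluate(SAMPLE_ANALYSIS, pol)
        print(f"[{name}] final action: {final}")
        for gate, trigger, action, detail in rows:
            print(f"  {action:4} {gate}/{trigger}: {detail}")
```

In a build pipeline the final action is the only thing the CI step needs: STOP fails the build, WARN annotates it, GO passes. Adding a gate is a matter of writing one more function over the analysis record and registering it in `GATES`, which is the "drop code in the right place" extensibility model the overview slide describes, and policy is data, so the same gates can be enforcing in one environment and notify-only in another.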
![Page 14: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/14.jpg)
Navigator: anchore.io
![Page 15: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/15.jpg)
CLI: github.com/anchore
![Page 16: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/16.jpg)
INTEGRATED INTO BUILD PIPELINES
![Page 17: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/17.jpg)
CI/CD: Jenkins Plugin
![Page 18: Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13](https://reader031.vdocuments.mx/reader031/viewer/2022030207/58ac16831a28ab33178b6765/html5/thumbnails/18.jpg)
Questions?
GITHUB.COM/ANCHORE @ANCHORE
ANCHORE.COM
[email protected]
#anchore on freenode
ANCHORE.IO