Image scanning : tricks and toolkits
A brief about existing tools for image and container scanning.
Hey everyone, in my previous blog, I talked in detail about scanning artifacts with the Trivy tool. Let us discuss some other tools that make the process of image scanning smooth and hassle-free.
1. Anchore — It is a free service that lets anyone discover and analyze images on public container registries such as DockerHub. Users can perform deep inspection and analysis of images, including metadata, build data and searchable lists of content covering all operating system packages, files and software artifacts such as Ruby gems and Node.js modules. Its key features include:
i. Anchore allows users to perform extremely deep container image analysis to see all the operating system packages, Node.js modules and Ruby gems; in fact, every file in the image is covered in the analysis.
ii. Detailed security report including Common Vulnerabilities and Exposures (CVEs) can be viewed, allowing the user to see what packages triggered vulnerability alerts and if an update is available.
iii. Images can be marked as favorites to allow fast access to frequently used images.
iv. Anchore-engine has to be installed prior to its use.
v. Important links:
2. Clair — Clair is an open-source project for the static analysis of vulnerabilities in application containers. Important links:
3. Dagda — Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running Docker containers to detect anomalous activities. Important links:
4. BlackDuck — Its key features are:
i. Automatically identifies container images and scans them for all known open source vulnerabilities in the cluster.
ii. Uses Black Duck Security Advisories (BDSAs) to provide actionable remediation guidance.
iii. Provides policy management so teams can define and enforce policies around acceptable risk and flag containers in violation.
iv. Continuously monitors for new security disclosures affecting production containers and proactively notifies IT operations teams of the security impact.
v. Important links:
5. JFrog Xray — It is a continuous open-source security and universal artifact analysis tool. Its key features are:
i. With JFrog Xray, you can continuously scan your artifacts and dependencies for security vulnerabilities and license compliance issues. As a universal artifact analysis solution, Xray proactively identifies security vulnerabilities and license risks.
ii. Xray natively integrates with JFrog Artifactory, giving visibility into all artifact metadata, including security status, on a single screen before issues manifest in production.
iii. JFrog Xray's database of new vulnerabilities and technologies is constantly expanding, enabling you to make better technical judgments with fewer trade-offs. It checks all your components against this growing database and alerts you to new issues even after release.
iv. It supports all package types and uses deep recursive scanning to review all underlying layers and dependencies, even those packaged in Docker images and zip files.
v. JFrog Xray also creates a graph of your artifacts and dependencies structure and impact analysis of the vulnerabilities and license issues discovered.
vi. Important links:
6. Sysdig Falco — Sysdig Falco is an open source container security monitor designed to detect anomalous activity in your applications. Falco lets you continuously monitor and detect container, application, host, and network activity, all in one place, from one source of data, with one set of customizable rules. Important links: https://github.com/falcosecurity/falco
7. StackRox (RedHat) — StackRox includes search capabilities for fast enumeration, filtering, and discovery of vulnerabilities across your entire environment, allowing you to find and address vulnerabilities more quickly. Important links:
8. Amazon ECR — Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. You can review the scan findings for information about the security of the container images that are being deployed. See Clair on GitHub: https://github.com/quay/clair
9. TwistCLI (PaloAlto) — The twistcli images scan command collects information about the packages and binaries in the container image, and then sends it to the OpenShift Console for analysis. Data collected by twistcli includes:
i. Packages in the image.
ii. Files installed by each package.
iii. Hashes for files in the image.
After the Console analyzes the image for vulnerabilities, twistcli outputs a summary report and exits with a pass or fail return value. Scan results can be retrieved in JSON format from the Console using API calls. Important links:
10. Trivy (Aquasec) — Aqua's cloud-native security platform provides full visibility and control over containerized environments, with tight runtime security controls and intrusion prevention capabilities, at any scale. The platform provides programmatic access to all its functions via an API, for easy integration and automation. Key features:
i. Scan images for vulnerabilities, secrets, malware and configuration issues
ii. Prevent unapproved images from running in your environment
iii. Machine learning of legitimate container behavior, based on application context.
iv. Container-level firewall maps connectivity and prevents network lateral movement
v. Securely manages container access to ‘secrets’ across environments
11. NeuVector — It can tie vulnerability scanning to the container deployment process. NeuVector integrates with Kubernetes and OpenShift controls to apply security policy before images are allowed to be deployed. Key features:
i. Set whitelist and blacklist rules for images allowed to be deployed
ii. Use criteria such as CVE names/levels, run-as-root, namespace, user, labels to set rules
iii. Integrated with Kubernetes and Red Hat OpenShift admission control webhooks
12. Snyk — To address the container image security problem, Snyk Container provides a range of integrations which import projects into Snyk. These integrations support different workflows for our users and customers. When integrating with a container registry, Snyk pulls the image and detects packages and binaries. This is done to find security vulnerabilities in your container image against the Snyk Vulnerability Database, and to return those security results. Key features:
i. CLI: useful for local investigation, or for testing an image you have built.
ii. SCM: Snyk can detect Dockerfiles directly from Git repositories, and provide recommendations for updating the base image to a less vulnerable one.
iii. CI: can act as a gate, for example breaking the build on new high severity vulnerabilities.
iv. Container registries: useful to test a large number of images, or if you cannot modify lots of CI pipelines.
v. Kubernetes: similar to container registries, but with more context about the running workload Snyk can use to prioritize vulnerabilities or group projects.
13. Vulnerability Advisor (IBM) —
i. Scans images for issues.
ii. Provides an evaluation report that is based on security practices that are specific to IBM Cloud Kubernetes Service, which can be used by admission controllers such as Portieris.
iii. Provides recommendations to secure configuration files for a subset of application types.
iv. Provides instructions about how to fix a reported vulnerable package or configuration issue in its reports.
v. Applies exemptions to reports at an account, namespace, repository, or tag level to mark when issues that are flagged do not apply to your use case.
vi. In the IBM Cloud Container Registry dashboard, the Policy Status column displays the status of your repositories. The linked report identifies good cloud security practices for your images.
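The admission-style rules described for NeuVector above (CVE names/levels, run-as-root), the CI gate described for Snyk, and the scoped exemptions described for IBM Vulnerability Advisor all reduce to one policy decision over a scan report. The following is an added example of such a gate, written for this article and not taken from any of these tools; the report format, the repository name and the CVE ids are constructed placeholders.

```python
"""Added example: evaluate a container scan report against a deploy policy.

Policy (assumptions for this illustration, not any vendor's real rule set):
- deny if the image runs as root
- deny if any non-exempted finding is at or above the severity threshold
- exemptions are scoped to a repository ("repo") or a single tag ("repo:tag")
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    cve: str
    severity: str
    package: str
    fixed_version: str = ""  # empty string means no fix is available yet


@dataclass
class ImageReport:
    repository: str
    tag: str
    run_as_root: bool
    findings: list


def evaluate(report, threshold="high", exemptions=None):
    """Return (allowed, reasons); reasons lists every rule the image violates."""
    exemptions = exemptions or {}
    # Exemptions on the whole repository and on this exact tag both apply.
    exempt = set(exemptions.get(report.repository, ())) | set(
        exemptions.get(f"{report.repository}:{report.tag}", ()))
    reasons = []
    if report.run_as_root:
        reasons.append("image runs as root")
    bar = SEVERITY_RANK[threshold]
    for f in report.findings:
        if f.cve in exempt:
            continue
        if SEVERITY_RANK.get(f.severity.lower(), 0) >= bar:
            fix = f" (fix: {f.fixed_version})" if f.fixed_version else " (no fix available)"
            reasons.append(f"{f.cve} {f.severity} in {f.package}{fix}")
    return (not reasons, reasons)


# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE = ImageReport("registry.example.com/app", "1.2.3", False, [
    Finding("CVE-0000-0001", "critical", "openssl", "1.1.1k"),
    Finding("CVE-0000-0002", "medium", "curl"),
    Finding("CVE-0000-0003", "high", "libxml2"),
])

if __name__ == "__main__":
    ok, why = evaluate(SAMPLE, "high", {"registry.example.com/app:1.2.3": {"CVE-0000-0003"}})
    print("ALLOW" if ok else "DENY", *why, sep="\n")
```

The same function can be wired into a CI step (exit non-zero on deny) or behind an admission webhook; only the report loader differs per scanner.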
14. Harbor —
Harbor is an open-source, trusted cloud native registry that provides security policies and role-based access control (RBAC). It stores, signs, and scans Docker images for vulnerabilities. It can be installed on a Kubernetes cluster or any other system that supports Docker. Key features:
i. Easily deployable using Docker Compose
ii. Provides security and vulnerability analysis
iii. Multi-tenant content signing and validation
iv. Identity integration and role-based access control
v. Extensible API and User Interface
vi. Image replication between instances
vii. Supports LDAP/AD and OIDC for user management and user authentication
15. Qualys —
Qualys Container Security is a tool used to discover, track, and continuously protect container environments. It scans for vulnerabilities inside images or containers in the DevOps pipeline and in deployments on cloud or on-premises environments.
Qualys provides a free version of the container security application to give users a glimpse of what it can offer. It gives you a view of the images and containers running in the environment. If you want to scan them, you need to take their paid subscription.
It also provides runtime security for containers by giving a function-level firewall for containers. It gives in-depth visibility into container behavior and protects the image and running containers using the Qualys CRS (container runtime security) layer.
Some comparisons to help judge and decide among these are:
Also, Anchore and Clair provide a complete solution for scanning registries and repositories as new images are pushed. Dagda can be a bit slow in scanning, but it does the job. And for RHEL-based images, OpenSCAP might integrate well.
These are some existing image scanning tools, which need to be judged according to the use case and the environment. If you found this article insightful or of the slightest help, give it a few claps. Feel free to reach out in case of any queries. Happy learning!