Catégories : Tous - security - software - integration - vulnerabilities

par Curtis Jones Il y a 2 années

135

Container

The text describes a multi-step process for identifying and managing software vulnerabilities within container images. It starts with identifying installed software, including unmanaged software and packages from various operating systems.

Container

Container

Demo Help

Multiple Layers
User Instructions

THEN Skip user instruction

The container will find the previous instruction and skip

Install X first

Base Image Changes
Security

Debian or Linux flavor

Social Trends
Exploit Maturity
Software Composition Analysis
Operating System vs OSS
For Linux Packages

OS Package manager metadata

Deployments
Cloud
On-Prem

Broker

Base Image Recommendations
Most vulnerabilities are found here
User will get the least vulnerable version
Public Repos
Custom

Personal Registries

Git-Based PR Scanning
Automate PRs automatically

Remediation advice

Dockerfile scanning is less accurate

PreBUILT

Open a Fix PR

Integrate directly in a container registry
Benefit

The container has been BUILT

ACR
ECR
HarborCR
Talk about the CI/CD Pipeline
Choose to ignore "Base Image Vulnerabilities" in the scan
monitor the container within the Snyk UI
Based on gating
LEVERAGE the container CLI (Developer Endpoint)
Mention the container IDE (Limited though)
Talk about the remediation advice from the CLI
Build off of the SDLC Slide

Relative Importance

Distro specific findings
External Information Sources
Amazon Linux
SUSE Linux Enterprise Security Rating Overview
Red Hat Enterprise Linux Severity
Ubuntu CVE Priority
Debian Severity
NVD

Monitoring/Recurring Scans

snyk container monitor :
- Downloads the image if it’s not already available locally in your Docker daemon - Determines the software installed in the image - Sends that bill of materials to the Snyk Service - Returns a list of the vulnerabilities in your image
Results on Snyk can be shared with other members of your team
Interactively filter the results and explore the list of vulnerabilities in your web browser
Snyk will alert you if new vulnerabilities are disclosed that affect your image, without you having to retest it locally
Integration which saves snapshot

File Fingerprinting

OpenJDK
Node.js

Supported OS's

Link Images

Snyk allows you to manually or automatically link from a Dockerfile to all container images built from it.


You can use this to understand the security impact on your running applications, and understand which images can be better secured, or need to be rebuilt, when taking action and updating the Dockerfile base image.

You can get automatic links between imported images (via container registry integration) to existing Dockerfile projects. This is done by checking whether the OCI label in the image matches the path of a Dockerfile that exists in the org in Snyk.

Steps

2. After we have the list of installed software, we look that up against our vulnerability database, which combines public sources with proprietary research.
1. We first find the software installed in the image, including:
Application packages based on the presence of a manifest file.
Popular unmanaged software, ie. installed outside a package manager.
dpkg, rpm and apk operating systems packages.

Layered File Systems

Application package managers, such as npm, pip and RubyGems.
Operating system distributions, such as Debian, Ubuntu or CentOS.

Integrations

Kubernetes: similar to container registries, but with more context about the running workload Snyk can use to prioritize vulnerabilities or group projects.
Container registries: useful to test a large number of images, or if you cannot modify lots of CI pipelines.
CI: can act as a gate, for example breaking the build on new high severity vulnerabilities.
SCM: Snyk can detect Dockerfiles directly from Git repositories, and provide recommendations for updating the base image to a less vulnerable one.
I
Specific Platform

snyk container test --platform=linux/arm64 debian

Direct Test Docker/OCI Archives

snyk container test docker-archive:archive.tar snyk container test oci-archive:archive.tar

If Snyk determines the base image used, and the image uses an Official Docker image, the output includes recommendations for upgrades to resolve some of the discovered vulnerabilities.
Vulnerabilities appear in reverse severity order, so there's less scrolling up to see the most important issues.
If you use a Dockerfile to build your image, you can provide that when running Snyk.

Clearer Recommendations

Provides more Context

snyk container test : --file=Dockerfile

You can use Snyk to test any image that you can pull from a remote registry, or any image you have built locally and made available in your local Docker daemon.

snyk container test :

Install Snyk CLI

snyk container test debian

- Downloads the image if it’s not already available locally in your Docker daemon - Determines the software installed in the image - Sends that bill of materials to the Snyk Service - Returns a list of the vulnerabilities in your image

snyk auth

npm – npm install -g snyk

Create images with security built-in from the start