Vulnerability scanning


Maor Kuriel

Dec 6, 2021, 9:26:26 AM12/6/21
to Distroless Users
Hello to all,
I am working on creating a vulnerability scanner for container images.
When I work with a standard container image, I look at the installed packages in the image and assess their vulnerability severity:

  1. For Alpine-based containers, I use the apk info -vv command:
    docker exec -i <container_id_1>  apk info -vv | sort

  2. For Debian- and Ubuntu-based containers, I use the dpkg -l command:
    docker exec -i <container_id_1>  dpkg -l

  3. For RHEL-, CentOS- and Fedora-based containers, I use the rpm -qa or yum list installed command:
    docker exec -i <container_id_1>  rpm -qa
    docker exec -i <container_id_1>  yum list installed

But when I am working with Distroless images, I don't have these components.

Would you please help me with instructions on what is required to scan, and how you scan Distroless images for vulnerabilities the right way?
Are there any guidelines on this topic?

Thanks in advance for your help.

Maor Kuriel

Andrew Latham

Dec 6, 2021, 9:35:04 AM12/6/21
to Distroless Users
Maor

To confirm Distroless image layers, you can use https://github.com/GoogleContainerTools/distroless#how-do-i-verify-distroless-images

To confirm what people put into the images, you would need to check the Dockerfile they use to build. Random example showing what is added: https://github.com/GoogleContainerTools/distroless/blob/main/examples/python3-requirements/Dockerfile



--
- Andrew "lathama" Latham -

Maor Kuriel

Dec 6, 2021, 9:56:07 AM12/6/21
to Distroless Users
Hi Andrew,
Thanks for your swift response.

One question, maybe I am missing something... if I have the image locally or on the image registry, will I need to run these actions?
Can I scan the image files and do a binary scan?
I am looking for the steps that I need to take, e.g. if I am discussing a standard container image: list all the installed packages (with the commands that I listed in my original message) -> assess each package's vulnerability score.

Thanks,
Maor
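The two posts above describe the workflow (enumerate installed packages, then assess each one) and ask whether it can be done against the image files rather than by exec'ing into a running container. The following is an added example, not code from this thread or from the distroless project. It reads the same dpkg metadata that `dpkg -l` reports, but from a rootfs exported to disk, so no shell or package manager is needed inside the image. It assumes that Debian-based distroless images keep one dpkg control-format file per package under /var/lib/dpkg/status.d/ (alongside .md5sums files), while full Debian images keep a single /var/lib/dpkg/status file; both layouts are handled. The sample rootfs, package names and versions are constructed for the demonstration.

```python
"""Enumerate installed Debian packages from an image filesystem on disk.

Added example (not code from the thread or the distroless project).
Assumption: package metadata lives in dpkg control format either as a single
/var/lib/dpkg/status file (full Debian) or as one file per package under
/var/lib/dpkg/status.d/ (distroless). The package list produced here is the
input to the per-package vulnerability assessment step; no CVE data is
consulted in this example.
"""
from pathlib import Path
import tempfile


def parse_control(text):
    """Parse dpkg control-format text into a list of dicts, one per stanza.

    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field (multi-line Description, for example).
    """
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:
            current[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def _is_installed(stanza):
    # Full Debian status files record removed-but-configured packages too;
    # only "install ok installed" counts. Distroless status.d entries carry
    # no Status field, so a missing field is treated as installed.
    return stanza.get("Status", "install ok installed").split()[-1] == "installed"


def installed_packages(rootfs):
    """Return sorted (name, version, architecture) tuples for a rootfs path."""
    root = Path(rootfs)
    sources = []
    status = root / "var/lib/dpkg/status"
    if status.is_file():
        sources.append(status)
    status_d = root / "var/lib/dpkg/status.d"
    if status_d.is_dir():
        sources.extend(p for p in sorted(status_d.iterdir())
                       if p.is_file() and not p.name.endswith(".md5sums"))
    found = set()
    for path in sources:
        for stanza in parse_control(path.read_text(encoding="utf-8")):
            if "Package" in stanza and _is_installed(stanza):
                found.add((stanza["Package"], stanza.get("Version", ""),
                           stanza.get("Architecture", "")))
    return sorted(found)


def build_sample_rootfs():
    """Write a constructed rootfs containing both metadata layouts; return its path."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    dpkg = root / "var/lib/dpkg"
    (dpkg / "status.d").mkdir(parents=True)
    # Full-Debian style: one file, one installed and one removed package.
    (dpkg / "status").write_text(
        "Package: libc6\nStatus: install ok installed\nArchitecture: amd64\n"
        "Version: 2.0-example\nDescription: constructed sample\n more text\n"
        "\n"
        "Package: removed-pkg\nStatus: deinstall ok config-files\n"
        "Architecture: amd64\nVersion: 9.9-example\n", encoding="utf-8")
    # Distroless style: one control file per package, plus .md5sums to skip.
    (dpkg / "status.d/base-files").write_text(
        "Package: base-files\nVersion: 1.0-example\nArchitecture: amd64\n",
        encoding="utf-8")
    (dpkg / "status.d/base-files.md5sums").write_text("deadbeef  usr/x\n",
                                                      encoding="utf-8")
    (dpkg / "status.d/netbase").write_text(
        "Package: netbase\nVersion: 3.0-example\nArchitecture: all\n",
        encoding="utf-8")
    return root


if __name__ == "__main__":
    for name, version, arch in installed_packages(build_sample_rootfs()):
        print(f"{name}\t{version}\t{arch}")
```

To use it on a real image, export the filesystem first (for example `docker create` followed by `docker export` into a directory) and pass that directory to `installed_packages`; the same function then works for a full Debian image and a distroless one without any process running inside the image.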

Andrew Latham

Dec 6, 2021, 10:16:00 AM12/6/21
to Distroless Users
Your questions may be answered by reading the README at https://github.com/GoogleContainerTools/distroless/blob/main/README.md

TL;DR: if the container is only 2 MB in size, there is not much there to even scan.
