Docker container security : Docker images vulnerabilities


ANURAG PATHAK

Jul 23, 2019, 4:55:44 AM7/23/19
to null-...@googlegroups.com
Hello All,

Need your suggestion on docker container/images vulnerability assessment.
How do you guys check docker containers or images for vulnerabilities?

I have tried scanning docker images using SNYK, it reported multiple high/low/medium severity vulnerabilities, my question is how to validate all those vulnerabilities and what should I recommend to the client for remediation of these vulnerabilities.

Hope I explained the problem statement clearly.

Regards
Anurag


Nemo

Jul 24, 2019, 3:34:52 AM7/24/19
to null-...@googlegroups.com, ANURAG PATHAK, Nemo
On 7/23/19 1:36 PM, ANURAG PATHAK wrote:
> Need your suggestion on docker container/images vulnerability assessment.
> How you guys check docker containers or images for vulnerabilities.?
>
> I have tried scanning docker images using SNYK, it reported multiple
> high/low/medium severity vulnerabilities,my question is how to validate
> all those vulnerabilities and what should i recommend to client for
> remediation of these vulnerabilities.

1. Check the base images (See `docker history --no-truncate` command)
2. See if the vulnerabilities exist on the base images.
3. See if the packages on the container are upgraded in any part of the
pipeline (via an `apt-get update+upgrade` for eg)
4. See if the base images are too old. For eg: ubuntu:14.04 is EoL already.

The validation unfortunately for Docker image scans is quite hard - it
highly depends on the attack surface that your application exposes. For
eg, if your scanner reports a vulnerability in the libmime package
inside the image, and your application never invokes that dependency,
then it is pretty hard to exploit in any way.

However, in certain scenarios - such as when you are running untrusted
code, these can become much more serious. I'd advise going through the
above list and ensuring that your client has a "one-click" way to
rebuild their entire image from scratch (which should include a pull of
the latest base image, run upgrades etc).

As long as you are using a supported base image (one of the official
ones under "library" on Docker Hub for eg) - and run upgrades, most of
these should disappear. For the ones that don't - check with the OS
mailing list/bug tracker to see why it hasn't been patched.

Hope this helps,
Nemo
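The checklist above (find the base image, scan it separately, confirm an OS package upgrade runs somewhere in the build, and reject end-of-life base tags) can be turned into a small offline triage script. The script below is an added example and is not code from the thread or from Nemo; it takes a Dockerfile and a layer listing in the shape printed by `docker history --no-trunc --format '{{.CreatedBy}}'`, and the Dockerfile, history listing and EoL tag table are all constructed sample data. The only tag taken from the thread is ubuntu:14.04; the rest of the EoL list is a placeholder to be replaced with the distro's real lifecycle data.

```shell
#!/bin/sh
# Added example (not from the thread): walk the image-triage checklist over
# a Dockerfile and a `docker history --no-trunc --format '{{.CreatedBy}}'`
# listing. All inputs below are constructed so the script runs offline.

# Constructed Dockerfile: a multi-stage build whose final stage sits on an
# end-of-life base and installs packages without ever running an upgrade.
SAMPLE_DOCKERFILE='FROM golang:1.12 AS build
RUN go build -o /app ./...
FROM ubuntu:14.04
RUN apt-get update && apt-get install -y ca-certificates
COPY --from=build /app /app
CMD ["/app"]'

# Constructed history listing, newest layer first, as `docker history` prints
# the CreatedBy column. The two oldest lines are the base image's own layers.
SAMPLE_HISTORY='/bin/sh -c #(nop)  CMD ["/app"]
/bin/sh -c #(nop) COPY file:1234 in /app
/bin/sh -c apt-get update && apt-get install -y ca-certificates
/bin/sh -c #(nop)  CMD ["/bin/bash"]
/bin/sh -c #(nop) ADD file:5678 in /'

# Constructed EoL table (placeholder): in practice populate it from the
# distribution's published lifecycle dates. ubuntu:14.04 is the thread's example.
EOL_TAGS='ubuntu:14.04
ubuntu:12.04
debian:7'

# Step 1: the base that actually ships is the last FROM in the Dockerfile;
# earlier FROM lines are build stages that are discarded.
base_image_of() {
    printf '%s\n' "$1" | awk 'toupper($1) == "FROM" { img = $2 } END { print img }'
}

# Step 3: does any layer run a distro-wide package upgrade (apt/apk/yum/dnf)?
# "apt-get update" alone only refreshes the index, so it must not match.
has_upgrade_step() {
    printf '%s\n' "$1" |
        grep -Eq 'apt-get (-y )?(dist-)?upgrade|apk upgrade|(yum|dnf) (-y )?(update|upgrade)'
}

# Step 4: is the base tag on the end-of-life list? (fixed-string, whole-line match)
is_eol_tag() {
    printf '%s\n' "$EOL_TAGS" | grep -Fqx "$1"
}

# Step 2 needs a scanner run against the base image on its own, so the report
# only names which image to scan. Every problem is printed as a FINDING line.
triage() {
    dockerfile=$1
    hist=$2
    base=$(base_image_of "$dockerfile")
    echo "base image to scan separately: $base"
    if is_eol_tag "$base"; then
        echo "FINDING: $base is end-of-life, no further security patches will arrive"
    fi
    if has_upgrade_step "$hist"; then
        echo "ok: build upgrades OS packages in at least one layer"
    else
        echo "FINDING: no apt/apk/yum/dnf upgrade step in any layer"
    fi
}

triage "$SAMPLE_DOCKERFILE" "$SAMPLE_HISTORY"
```

Run against the constructed sample it reports two findings: the final stage is built on ubuntu:14.04, and no layer ever upgrades the OS packages, which is exactly the combination that makes a scanner's list of distro CVEs real rather than noise. Feed it your own Dockerfile and the output of `docker history --no-trunc --format '{{.CreatedBy}} ' <image>` to get the same three answers for a real build.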