This document discusses open-source tools for security and compliance using Docker containers. It introduces Anchore, an open-source tool that allows deep inspection of container images to check for compliance with policies. Anchore performs image scanning, analyzes operating system packages and artifacts, checks for secrets or source code, and validates Dockerfiles. It generates reports on findings and can integrate with DevOps pipelines using plug-ins for notifications and policy enforcement. Anchore is open-source, extensible, and provides both a web interface and command line tools.
5. Image Scanning Space
Several vendors offer image scanning as part of their solution: registry providers, SDLC infrastructure, security solutions, etc.
Typically a secondary feature that focuses on CVE scanning.
6. Image scanning: What's in that container?
● Application container? Are you sure?
● Simplest: packages and CVEs
● ADD? COPY?
● Dockerfile?
● Gems, NPMs, jars
● id_rsa? .aws/credentials?
7. Analysis and reporting on operating system packages:
- required packages
- blacklisted packages
- non-official packages
- required package versions
- available updates that address non-security bugs
Artifacts that should not be present in your image, such as source code and secrets (API keys, passwords, etc.)
Images may contain many 3rd-party components not provided by the operating system vendor, such as:
- Node.js NPM
- Ruby GEMs
- Python PIP
- Perl CPAN
- Java archives
Configuration files for the operating system, middleware and application components.
Image configuration such as the Dockerfile should be validated to ensure that it complies with best practices and your corporate standards.
Any element in the image can be checked, including file permissions and the presence of unpackaged files that are not part of standard packages or libraries.
9. "Compliance"?
Traditional definition
• Externally defined, externally audited
• PCI, HIPAA, etc.
General compliance: your org's requirements
• Driven by your ops and environment requirements
• Best-practices audits and enforcement
Define your criteria and enforce/monitor them
• How the image is constructed & the final output image
• Block usage or just notify? Your choice
• Integrate where it makes sense for your workflow
• No registry or platform requirements
10. Anchore Overview
Open-source analysis and policy for container images
• Policy-driven
• Deep inspection of container image
• General framework, not just security
• Only depends on Docker
• github.com/anchore/anchore
Open-source and extensible
• Easily add your own scripts to any stage
• Similar to SystemV init scripts: drop code in the right place and it just works
Ecosystem monitoring and alerting
• Navigate and keep track of the image ecosystem: online Navigator for UI and notification of public images
11. Anchore Overview
(architecture diagram; only its labels are recoverable from the slide)
Anchore Navigator: http://anchore.io
Anchore CLI tools:
● pip install anchore
● docker run anchore/cli
Jenkins plugin
Image discovery
Notifications
Monitor dependent images
Local analysis, policy, gates
Build local db
Local policy enforcement and definition
Public registries
13. Anchore Engine Flow
Analysis: extract image metadata and data
• Examine the image itself and extract data like files, pkgs, etc.
• Includes Dockerfile analysis
• No actions
Gates: analysis + policy
• Use analysis output and gate modules to define and detect trigger conditions
• Evaluate trigger conditions against user policy to emit actions (GO|WARN|STOP)
Queries: examine analysis data directly at any time
• Query modules run against the analysis db only
• Diffs, multi-image queries, statistics, etc.
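The gate stage described above is where analysis data turns into a decision, and it is also where the "block or just notify" choice from slide 9 is made: the same triggers can map to STOP in one policy and WARN in another. The following is an added example, not Anchore's code, of that mechanic. `ANALYSIS` and `ANALYSIS_V2` are constructed analysis records (what the analysis stage would have extracted); the gate functions, trigger names (`PKGBLACKLIST`, `SECRETFOUND`, `FROMLATEST`, ...) and the policy tables are assumptions chosen to illustrate the flow, not Anchore's actual gate or trigger identifiers. A small package-diff function stands in for the query stage.

```python
"""Gate evaluation and a diff query over analysis records (added example, not Anchore's code)."""

# Constructed analysis output for two versions of one image (assumption).
ANALYSIS = {
    "packages": {"openssl": "1.1.1f-1ubuntu2", "curl": "7.68.0-1ubuntu2", "telnet": "0.17-41"},
    "files": ["root/.aws/credentials", "usr/bin/curl"],
    "dockerfile": ["FROM ubuntu:latest", "ADD app.tar /app", "USER root"],
}
ANALYSIS_V2 = {
    "packages": {"openssl": "1.1.1f-1ubuntu2.1", "curl": "7.68.0-1ubuntu2"},
    "files": ["usr/bin/curl"],
    "dockerfile": ["FROM ubuntu:20.04", "COPY app/ /app", "USER app"],
}

# Gate parameters a user would tune (assumed names).
GATE_PARAMS = {
    "blacklist": {"telnet", "netcat"},
    "secret_patterns": ("id_rsa", ".aws/credentials"),
    "forbidden_instructions": {"ADD"},
}

SEVERITY = {"GO": 0, "WARN": 1, "STOP": 2}


# Gate modules: each inspects analysis data and yields (gate, trigger, detail).
# They only detect conditions; the policy decides what to do about them.
def pkg_blacklist_gate(analysis, params):
    for pkg in analysis["packages"]:
        if pkg in params["blacklist"]:
            yield "PKGCHECK", "PKGBLACKLIST", pkg


def secrets_gate(analysis, params):
    for path in analysis["files"]:
        if any(path.endswith(p) for p in params["secret_patterns"]):
            yield "SECRETCHECK", "SECRETFOUND", path


def dockerfile_gate(analysis, params):
    for line in analysis["dockerfile"]:
        instr, _, args = line.partition(" ")
        if instr == "FROM" and (args.endswith(":latest") or ":" not in args):
            yield "DOCKERFILECHECK", "FROMLATEST", line
        if instr in params["forbidden_instructions"]:
            yield "DOCKERFILECHECK", "FORBIDDEN", line
        if instr == "USER" and args.strip() == "root":
            yield "DOCKERFILECHECK", "ROOTUSER", line


GATES = [pkg_blacklist_gate, secrets_gate, dockerfile_gate]

# Policy: (gate, trigger) -> action. Triggers not listed default to GO.
BLOCKING_POLICY = {
    ("PKGCHECK", "PKGBLACKLIST"): "STOP",
    ("SECRETCHECK", "SECRETFOUND"): "STOP",
    ("DOCKERFILECHECK", "FROMLATEST"): "WARN",
    ("DOCKERFILECHECK", "FORBIDDEN"): "WARN",
    ("DOCKERFILECHECK", "ROOTUSER"): "WARN",
}
# Same triggers, notify-only: useful while rolling a new rule out to a pipeline.
NOTIFY_ONLY_POLICY = {key: "WARN" for key in BLOCKING_POLICY}


def evaluate(analysis, gates, params, policy):
    """Run every gate, map each trigger through the policy, return (final_action, rows).

    The final action is the most severe action any trigger produced, so a single
    STOP fails the image regardless of how many GO/WARN rows there are.
    """
    rows, final = [], "GO"
    for gate in gates:
        for gate_name, trigger, detail in gate(analysis, params):
            action = policy.get((gate_name, trigger), "GO")
            rows.append((gate_name, trigger, detail, action))
            if SEVERITY[action] > SEVERITY[final]:
                final = action
    return final, rows


def diff_packages(old, new):
    """Query example: package changes between two analysis records."""
    old_p, new_p = old["packages"], new["packages"]
    return {
        "added": sorted(set(new_p) - set(old_p)),
        "removed": sorted(set(old_p) - set(new_p)),
        "changed": sorted(p for p in set(old_p) & set(new_p) if old_p[p] != new_p[p]),
    }


if __name__ == "__main__":
    for policy in (BLOCKING_POLICY, NOTIFY_ONLY_POLICY):
        final, rows = evaluate(ANALYSIS, GATES, GATE_PARAMS, policy)
        print(final, *rows, sep="\n  ")
    print(diff_packages(ANALYSIS, ANALYSIS_V2))
```

Keeping detection (gates) separate from decision (policy) is what lets one set of gate modules serve both an advisory CI job and a hard registry-admission check; the only thing that changes between the two is the policy table.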