{"id":849,"date":"2019-07-07T06:42:35","date_gmt":"2019-07-07T04:42:35","guid":{"rendered":"https:\/\/blog.unetresgrossebite.com\/?p=849"},"modified":"2019-10-20T00:17:22","modified_gmt":"2019-10-19T22:17:22","slug":"docker-images-vulnerability-scan","status":"publish","type":"post","link":"https:\/\/blog.unetresgrossebite.com\/?p=849","title":{"rendered":"Docker Images Vulnerability Scan"},"content":{"rendered":"<p>While several solutions exist for scanning Docker images, I&#8217;ve been looking for one that I could deploy and use on OpenShift, integrated into my existing CI chain.<\/p>\n<p>The most obvious open-source answer would be OpenSCAP. However, I&#8217;m still largely working with Debian, while OpenSCAP would only check against CentOS databases.<\/p>\n<p>Another popular contender on the market is Twistlock, but I&#8217;m not interested in solutions I can&#8217;t deploy myself without requesting &#8220;a demo&#8221; or talking to people in general.<\/p>\n<p>Eventually, I ended up deploying Clair, an open source product offered by CoreOS, which provides an API.<br \/>\nIt queries popular vulnerability databases to populate its own SQL database, and can then analyze Docker image layers posted to its API.<\/p>\n<p>We could deploy Clair to OpenShift, alongside its Postgres database, using <a href=\"https:\/\/github.com\/faust64\/openshift-coreos-clair\/blob\/master\/clair-persistent.yaml\" target=\"_blank\" rel=\"noopener noreferrer\">that Template<\/a>.<\/p>\n<p>The main issue I&#8217;ve had with Clair, so far, was that its client, clairctl, relies on Docker socket access, which is not something you would grant to any deployment in OpenShift.<br \/>\nAnd since I wanted to scan my images as part of Jenkins pipelines, I would have my Jenkins master creating scan agents. 
Allowing Jenkins to create containers with host filesystem access is, in itself, a security issue, as any user who could create a Job could then schedule agents with full access to my OpenShift nodes.<\/p>\n<p>Introducing Klar: a Go-based project I found on GitHub that can scan images against a Clair service without any special privileges, beyond pulling the Docker image out of your registry and posting its layers to Clair.<\/p>\n<p>We would build a Jenkins agent re-using the OpenShift base image, <a href=\"https:\/\/github.com\/faust64\/docker-jenkins-agent-klar\" target=\"_blank\" rel=\"noopener noreferrer\">shipping with Klar<\/a>.<\/p>\n<p>Having built our Jenkins agent image, we can write <a href=\"https:\/\/github.com\/faust64\/openshift-cd-demo\/blob\/ocp-4.1\/scan-template.yaml\" target=\"_blank\" rel=\"noopener noreferrer\">another BuildConfig, defining a Parameterized Pipeline<\/a>.<\/p>\n<div id=\"attachment_871\" style=\"width: 850px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2019\/10\/devsecops.png\"><img aria-describedby=\"caption-attachment-871\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-871\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2019\/10\/devsecops.png\" alt=\"Jenkins CoreOS Clair Scan\" width=\"840\" height=\"467\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2019\/10\/devsecops.png 840w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2019\/10\/devsecops-300x167.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2019\/10\/devsecops-768x427.png 768w\" sizes=\"(max-width: 840px) 100vw, 840px\" \/><\/a><p id=\"caption-attachment-871\" class=\"wp-caption-text\">Jenkins CoreOS Clair Scan<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>While several solutions exist for scanning Docker images, I&#8217;ve been looking for one that I could deploy and use on OpenShift, integrated into my existing CI 
chain. The most obvious open-source answer would be OpenSCAP. However, I&#8217;m still largely working with Debian, while OpenSCAP would only check against CentOS databases. Another popular contender on [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,12,10,13,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/849"}],"collection":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=849"}],"version-history":[{"count":2,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/849\/revisions"}],"predecessor-version":[{"id":873,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/849\/revisions\/873"}],"wp:attachment":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}