Setting up security scans for container images
Carrying out security scans for container images is a must, as it lets teams review and fix security issues before an image reaches production, resulting in more secure deployments.
Since container images keep changing as a product evolves, it makes sense to include these scans as part of the deployment pipeline rather than running them by hand.
Here, we are going to do exactly that: set up an image scanner inside a CI/CD pipeline. We are going to use the ‘Anchore’ image scanner to achieve this. The rest of the tech stack will be based on Kubernetes.
These are the steps that we are going to use.
1. Create a Kubernetes cluster.
2. Create a Jenkins server.
3. Create an Anchore engine.
4. Connect Anchore engine to Jenkins.
5. Verify the setup by scanning an image.
Let’s start.
Step 1: Create a Kubernetes cluster.
- You can use minikube or create an entirely new cluster on any cloud. I am going to use a Terraform script to deploy an EKS cluster on AWS.
- You can refer to this GitHub repository for the Terraform script: https://github.com/shishirkh/kubernetes-cluster-terraform-aws
Step 2: Create a Jenkins server.
- To keep things simple and fast, let us use a Helm chart to start a Jenkins server inside our Kubernetes cluster. The chart's install notes explain how to retrieve the initial admin password once the pod is running.
- Use the below commands.
helm repo add jenkins https://charts.jenkins.io
helm repo update
helm install jenkins jenkins/jenkins
Step 3: Create an Anchore engine.
- Again, we can use Helm charts to quickly deploy the Anchore engine (the chart also deploys the PostgreSQL database the engine needs). Use the below commands.
helm repo add anchore https://charts.anchore.io
helm search repo anchore
helm install anchore anchore/anchore-engine
- Use the below commands to try out Anchore from its CLI. The CLI needs to reach the engine API, so run it from a pod in the cluster or port-forward the ‘anchore-anchore-engine-api’ service (port 8228) to your machine, and point it at the API with the ANCHORE_CLI_URL, ANCHORE_CLI_USER and ANCHORE_CLI_PASS environment variables. Note that the plain name ‘node:12-alpine’ and the fully qualified ‘docker.io/node:12-alpine’ refer to the same image.
Add an image to be analyzed:
anchore-cli image add node:12-alpine
List images and see the analysis status:
anchore-cli image list
When the image reaches the 'analyzed' state, evaluate it against the active policy bundle:
anchore-cli evaluate check node:12-alpine
List CVEs found in the image's OS packages:
anchore-cli image vuln docker.io/node:12-alpine os
List OS packages found in the image:
anchore-cli image content docker.io/node:12-alpine os
List files found in the image:
anchore-cli image content docker.io/node:12-alpine files
- So far we have verified that Anchore is working correctly. Now we have to make it part of our delivery pipeline, so that every image is checked automatically instead of by hand.
Step 4: Connect Anchore engine to Jenkins.
- Inside the Jenkins server, go to Manage Jenkins -> Manage Plugins -> Available tab, and install the ‘Anchore Container Image Scanner’ plugin.
- Create a sample job and add “Anchore Container Image Scanner” as a build step.
- Add the Anchore Engine URL as ‘http://anchore-anchore-engine-api.default.svc.cluster.local:8228/v1/’ (modify it according to your deployment settings: the cluster-internal DNS name works here only because Jenkins runs in the same cluster, and the ‘/v1/’ API prefix must be kept).
- Add the credentials for Anchore (the engine user and password the CLI was configured with above).
Step 5: Verify the setup by scanning an image.
- Add the following in an ‘Execute Shell’ build step. The plugin reads the image names to scan from a file named ‘anchore_images’ in the workspace, one image per line; ‘>’ overwrites the file so a stale entry from an earlier run is not rescanned.
echo "hello world"
echo "node:11-alpine" > anchore_images
- This means that Jenkins sends this image name to the Anchore engine, which pulls and analyzes the image, evaluates it against the active policy, and reports the result back to Jenkins.
- Execute the job to verify.
If the policy evaluation returns a STOP result (for example, because of vulnerabilities above the severity the policy allows), the plugin marks the Jenkins build as failed; this is the plugin's default and can be switched off in the build step if you only want a report. Check out the Anchore report attached to the build to see the findings behind the verdict.
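The same job expressed as a Jenkins pipeline, as an added example that is not part of the original post: it writes the image list, runs the Anchore plugin step with the fail-on-STOP behaviour enabled, and keeps the image list with the build record. It assumes the plugin is installed and the engine URL and credentials from Step 4 are configured globally under Manage Jenkins -> Configure System; the IMAGE value is a placeholder, and the parameter names follow the plugin's pipeline syntax, so confirm them against the Snippet Generator of your Jenkins version.

```groovy
// Added example, not code from the original post.
// Assumes: Anchore Container Image Scanner plugin installed; engine URL and
// credentials set globally (Step 4); IMAGE is the tag your build produced.
pipeline {
    agent any

    environment {
        // Placeholder image to scan; replace with the tag your build just pushed.
        IMAGE = 'node:11-alpine'
    }

    stages {
        stage('Write image list') {
            steps {
                // The plugin reads images from this file, one per line
                // (optionally followed by a space and a Dockerfile path).
                // '>' overwrites, so entries from a previous run are not rescanned.
                sh 'echo "${IMAGE}" > anchore_images'
            }
        }

        stage('Anchore policy check') {
            steps {
                // bailOnFail: a STOP result from the policy evaluation fails the build.
                // engineRetries: how many times the plugin polls for analysis to finish.
                // forceAnalyze: false reuses an existing analysis of the same digest.
                anchore name: 'anchore_images',
                        bailOnFail: true,
                        forceAnalyze: false,
                        engineRetries: '300'
            }
        }
    }

    post {
        always {
            // The plugin publishes its report on the build page; also keep the
            // image list so the scanned tag is recorded alongside the verdict.
            archiveArtifacts artifacts: 'anchore_images', allowEmptyArchive: true
        }
    }
}
```

Because the policy gate sits in its own stage, a STOP result stops the pipeline before any later deploy stage runs, while the report and archived image list remain available on the failed build for triage.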
Sample screenshots are given below:
That’s all!
Say hi @ https://www.linkedin.com/in/shishirkhandelwal/ for more!
Happy learning! Keep exploring!