Docker Container Security With Anchore Grype
Run a vulnerability scanner on your container images within CI/CD pipelines
With the advent of the cloud and container orchestrators, containers have become commonplace. Docker is one of the most popular container runtimes, and Docker images are everywhere. Because the technology is still relatively new, and with the increased focus on shifting security left, container security is a hot topic.
Most enterprises focus on runtime container security. However, the image itself can already carry known vulnerabilities at build time, and these go undetected by the untrained eye.
Images are built from layers, and most are based on third-party base images pulled from Docker Hub. So even if your own code is secure and robust, you might end up deploying something to production that you should not have, because the base image ships packages with known vulnerabilities.
Sysadmins usually harden OS images in production to ensure that applications run securely. With shift-left in the container world, however, the base image is chosen by developers, and hardening it is often overlooked; we will not blame them. They know how to code well, and they do that. Security was traditionally SecOps's responsibility, and they are the experts who usually manage it.
DevSecOps focuses on bringing security into build and release automation, and there are various tools available to scan for vulnerabilities early in the development and build cycle. Anchore Grype is one such tool.
Anchore Grype is a container vulnerability scanner that checks the packages found in a container image against a database of known vulnerabilities, using a simple CLI that is easy to install and run. The best part is that you can use it within your CI/CD pipelines and fail builds that cross a chosen severity threshold.
Now, let’s look at how we can install Anchore Grype.
Installing Anchore Grype
Installing Anchore Grype is simple. The following command downloads the installer script, which fetches the latest release binary and places it in /usr/local/bin (or whichever directory you pass to -b), so it ends up on your system path:
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
Piping a script from the internet straight into sh means you trust whatever that URL serves at that moment. For a CI pipeline, pin a release by appending its tag (for example, v0.7.0) as the last argument to the script, or download the release archive and verify it against the checksums file published on the GitHub release page, so a build does not silently pick up a different binary.
Once Grype is installed, run the following command to verify the installation:
$ grype version
Application: grype
Version: 0.7.0
BuildDate: 2021-01-28T14:03:23Z
GitCommit: 8344b8f0d3f61729cf0845c08b31f26103e21231
GitTreeState: clean
Platform: linux/amd64
GoVersion: go1.14.14
Compiler: gc
Supported DB Schema: 1
As we can see, Grype has been successfully installed in our system.
Now, let’s run a vulnerability scan.
Running a Vulnerability Scan
To run a vulnerability scan of a Docker image, use the following command:
grype <image>
For example, to scan the NGINX image from Docker Hub, run the following:
$ grype nginx
The first scan downloads Grype's vulnerability database, so it needs network access; later runs reuse the cached database and only check for updates, which is worth caching between CI runs. In the response, we get the list of vulnerable packages, each with its matching vulnerability ID and severity. Now let's use Grype within a CI/CD pipeline.
Using Grype Within a CI/CD Pipeline
We will use GitHub Actions for this activity. The workflow builds a container image on top of the NGINX base image and runs a Grype scan as one of the steps before pushing the image to the container registry.
Fork the following GitHub repository for a working example:
https://github.com/bharatmicrosystems/nginx-grype.git
If you look in the repository, you will see the following Dockerfile:
FROM nginx
RUN echo 'This is a custom nginx image' > /usr/share/nginx/html/index.html
It is a simple Dockerfile that takes the NGINX base image and writes "This is a custom nginx image" to /usr/share/nginx/html/index.html. Therefore, if we run this container and access its URL, we will see "This is a custom nginx image" on the homepage.
To build this container, we have the following GitHub Actions workflow file:
The build YAML consists of the following steps:
- Log into Docker Hub: it logs into your Docker Hub account using the secrets.DOCKER_USER and secrets.DOCKER_PASSWORD variables. These are sourced from GitHub secrets that we will configure later.
- Build the Docker image: it builds the image from the Dockerfile.
- Run a Grype vulnerability scan: it scans the freshly built image with Grype's fail-on flag set to high. If any vulnerability of high or critical severity is found, Grype exits with a non-zero status and the build fails.
- Push the Docker image: only if the scan passes does it push the image to your Docker Hub registry.
Note that the scan runs on the image that was just built, not on the base image alone, so packages added by your own Dockerfile are checked too. Grype can only report on packages it is able to identify (OS packages and the language ecosystems listed at the end of this article); a custom binary or vendored code it does not recognise will not appear in the results.
To configure DOCKER_USER and DOCKER_PASSWORD as GitHub secrets, go to your repository on GitHub -> Settings -> Secrets and configure the following two secrets:
DOCKER_USER=Your Docker Hub username
DOCKER_PASSWORD=A Docker Hub access token for that account (preferable to your account password, since a token can be revoked on its own if the pipeline ever leaks it)
Now, we’re ready to run the CI/CD pipeline. Go to your code and edit the README file to push a change to the repo. Then go to the Actions tab to see the image being built.

As we can see, the build failed. Grype found at least one vulnerability of high or critical severity in the image, so the scan step exited non-zero and the push step never ran. We just stopped something nasty from going into production!
To get the build green again, look at which package carries the finding. Usually the fix is to rebuild against a newer base image tag (the official nginx image is rebuilt as its Debian packages are patched) or to upgrade the affected package in your Dockerfile, then rebuild. If no fixed version exists yet, the finding will keep failing the build until you decide to accept the risk explicitly, for example by ignoring that specific vulnerability ID rather than lowering the threshold for everything.
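Grype's fail-on flag is the simplest gate, but once the build is red you typically need two more things: a way to record a vulnerability you have reviewed and accepted, and a way to stop an unfixable base-image finding from blocking every build until upstream ships a patch. The script below is an added example, not code from this article or from the Grype project. It runs Grype with JSON output and applies its own policy: fail on a minimum severity, skip allowlisted vulnerability IDs, and optionally block only on findings that already have a fix. It assumes the shape of Grype's `-o json` report (a top-level `matches` list whose entries carry `vulnerability` and `artifact` objects); check that against the Grype version you run. The embedded sample report is constructed for the example, and its CVE identifiers, package names and versions are placeholders, not real findings.

```python
"""Policy gate over Grype's JSON report, for use as a CI step after the image build.

Added example for this article; it is not part of the article or of Grype itself.
Assumption: Grype's `-o json` output is a document with a top-level "matches" list,
each entry holding a "vulnerability" object (id, severity, fix.state) and an
"artifact" object (name, version). Verify against the Grype version you run.
"""
import json
import subprocess
import sys

# Severity labels as Grype prints them, ordered from lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


def severity_rank(severity):
    """Return a comparable integer for a severity label; unknown labels rank lowest."""
    label = (severity or "").capitalize()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0


def evaluate(report, fail_on="High", ignore_ids=(), only_fixed=False):
    """Partition Grype matches into blocking and ignored findings.

    fail_on    -- lowest severity that blocks the build (inclusive).
    ignore_ids -- vulnerability IDs accepted by an explicit risk decision.
    only_fixed -- if True, findings with no available fix are reported but do not
                  block, so an unpatched base-image CVE cannot wedge the pipeline.
    """
    threshold = severity_rank(fail_on)
    blocking, ignored = [], []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        finding = {
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": "%s@%s" % (artifact["name"], artifact["version"]),
            "fix_state": vuln.get("fix", {}).get("state", "unknown"),
        }
        if finding["id"] in ignore_ids:
            finding["reason"] = "allowlisted"
            ignored.append(finding)
        elif severity_rank(finding["severity"]) < threshold:
            finding["reason"] = "below threshold"
            ignored.append(finding)
        elif only_fixed and finding["fix_state"] != "fixed":
            finding["reason"] = "no fix available"
            ignored.append(finding)
        else:
            blocking.append(finding)
    return {"blocking": blocking, "ignored": ignored}


def scan_image(image):
    """Run Grype on an image and parse its JSON report (needs grype on PATH and its DB)."""
    proc = subprocess.run(["grype", image, "-o", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


# Constructed sample report in the assumed Grype JSON shape. The CVE numbers,
# package names and versions are placeholders, not results of a real scan.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.0.1"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libother", "version": "2.3.4", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "libthird", "version": "0.9", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                           "fix": {"versions": ["5.0"], "state": "fixed"}},
         "artifact": {"name": "libaccepted", "version": "4.0", "type": "deb"}},
    ]
}


def main(argv):
    """usage: grype_gate.py <image> [fail-on-severity] [ignored-vulnerability-id ...]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    fail_on = argv[2] if len(argv) > 2 else "High"
    # only_fixed=True: unfixable findings are printed but do not block the push.
    result = evaluate(scan_image(argv[1]), fail_on=fail_on,
                      ignore_ids=set(argv[3:]), only_fixed=True)
    for f in result["ignored"]:
        print("ignored  %-16s %-10s %s (%s)" % (f["id"], f["severity"], f["package"], f["reason"]))
    for f in result["blocking"]:
        print("BLOCKING %-16s %-10s %s (fix: %s)" % (f["id"], f["severity"], f["package"], f["fix_state"]))
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the scan step in place of the bare Grype call, for example `python3 grype_gate.py nginx-grype:latest High CVE-XXXX-YYYY`; a non-zero exit fails the job, so the push step never runs. Keep the allowlist in the repository next to the workflow, with the reason and a review date for each entry, so an accepted risk is visible in code review rather than hidden behind a lowered threshold. Findings skipped because no fix exists are still printed on every run, which keeps them visible until upstream ships a fixed package and the gate starts blocking on them.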
Conclusion
Anchore Grype is a powerful container vulnerability scanner that scans an OCI-standard container image for known vulnerabilities. It supports many popular operating-system package formats, such as Alpine, BusyBox, CentOS / Red Hat, Debian, and Ubuntu, as well as popular language-specific packages such as Ruby Bundler, JARs (Java), NPM/Yarn (JavaScript), Egg/Wheel (Python), and Python pip/requirements.txt/setup.py listings.
Thanks for reading! I hope you enjoyed the article.