DevSec
Containers

Containers are great... but you must secure them!

Last updated 1 year ago

About

Containers have revolutionized the way applications are developed, deployed, and managed. They provide a lightweight, standalone, executable package that includes everything needed to run a piece of software, including the code, a runtime, system tools, system libraries, and settings. Containers are portable across different platforms and they offer a consistent environment, which is a major advantage for developers and system administrators.

Nevertheless, a container is not "secure by itself"... a container includes code binaries, configuration files, dependencies, the host environment, network configuration... Each of these contributes to the attack surface [1].

Container security involves defining and adhering to build, deployment, and runtime practices that protect a Linux container—from the applications they support to the infrastructure they rely on [2].

Best practices

Here are some Container security best practices [1][2][3][4][5]:

Follow the principle of least privilege.

The OWASP Docker Top 10 project (see its overview) lists the ten most important controls:

  • D01 - Secure User Mapping
  • D02 - Patch Management Strategy
  • D03 - Network Segmentation and Firewalling
  • D04 - Secure Defaults and Hardening
  • D05 - Maintain Security Contexts
  • D06 - Protect Secrets
  • D07 - Resource Protection
  • D08 - Container Image Integrity and Origin
  • D09 - Follow Immutable Paradigm
  • D10 - Logging

See also the OWASP Docker Security Cheat Sheet.

Cloud / Registries

Some cloud offerings related to container image registries and registry services offer vulnerability scanning and assessment:

AWS Elastic Container Registry (ECR): AWS ECR offers scanning for and management of software vulnerabilities to meet security requirements.

Azure Container Registry (ACR): Azure offers Microsoft Defender for Containers, which will scan images for vulnerabilities.

Google Cloud (GCP) Artifact Registry: it offers Container Analysis integration to provide vulnerability scanning and metadata storage for containers on Google Cloud.

Docker Hub: supports an automatic vulnerability scanning feature which, when enabled, automatically scans images when you push them to a Docker Hub repository. Requires a Docker subscription.

Tools

Some of these tools are also listed in the Static Analysis section; the ones below cover "Containers":

Snyk Container: Container and Kubernetes security that helps developers and DevOps find and fix vulnerabilities throughout the SDLC — before workloads hit production.

Docker Scout (included in Docker Desktop): a collection of software supply chain features that appear throughout Docker user interfaces and the command line interface (CLI). These features provide detailed insights into the composition and security of container images.

Qualys Container Security (CS): Qualys Container Security allows you to discover, track and continuously secure containers, from build to runtime. It provides deep visibility across on-premise container environments and managed containers across multiple cloud providers.

Aqua Security - Trivy: a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues. One of these targets is container images.

Chef Inspec (web): an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

For example, you can use Inspec with the dev-sec/linux-baseline project to assess some common Linux issues:

inspec exec https://github.com/dev-sec/linux-baseline -t docker://<docker_id>

Or the dev-sec/docker-baseline project (the command below runs the cis-docker-benchmark profile):

inspec exec https://github.com/dev-sec/cis-docker-benchmark -t docker://<docker_id>

Check out the dev-sec page and GitHub for more.

Docker Bench for Security: a script that checks for dozens of common best practices around deploying Docker containers in production.

Anchore grype: vulnerability scanner for container images and filesystems.

Haskell Dockerfile Linter: a smarter Dockerfile linter that helps you build best-practice Docker images.

Dockle (web): container image linter for security, helping you build best-practice Docker images; easy to start.

Quay Clair (web): an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and Docker).

Dive (⚠️): not a scanner itself (but it can help); it is a tool for exploring a Docker image and its layer contents, and for discovering ways to shrink the size of your Docker/OCI image.

Dagda (⚠️): a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running Docker containers to detect anomalous activities.
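As an added example (not code from the DevSec page, and not from hadolint, Dockle or any other linter listed above), the script below implements a handful of the checks such Dockerfile linters automate and labels each with the OWASP Docker Top 10 item it serves: running as root (D01), world-writable files (D04), secrets baked into ENV/ARG (D06), and unpinned or unverified image and download sources (D08). It runs the checks over a constructed weak Dockerfile and its hardened form. The rule mapping, the sample Dockerfiles, the example.invalid host and the all-zero image digest are assumptions made for the example, not values from the page.

```python
"""Tiny Dockerfile linter for a few of the practices listed on this page.

Added example: not code from the DevSec page nor from the linters it lists
(hadolint, Dockle). The rule labels echo OWASP Docker Top 10 items, but the
mapping of check to item is our own choice for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # OWASP Docker Top 10 item the check is associated with
    line: int      # 1-based line of the offending instruction (0 = whole file)
    message: str


def parse_dockerfile(text):
    """Return a list of (line_number, INSTRUCTION, argument) tuples.

    Comments and blank lines are skipped and backslash continuations are
    joined, so a multi-line RUN is analysed as one command string."""
    instructions, buf, start = [], [], 0

    def flush():
        if buf:
            head, _, rest = " ".join(buf).partition(" ")
            instructions.append((start, head.upper(), rest.strip()))
            buf.clear()

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        flush()
    flush()  # tolerate a file that ends on a continuation line
    return instructions


SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def lint(text):
    """Run the checks over a Dockerfile and return the findings in file order."""
    findings = []
    user = "root"  # Docker runs as root unless a USER instruction says otherwise
    for n, inst, arg in parse_dockerfile(text):
        if inst == "FROM":
            image = arg.split()[0]            # drop "AS <stage>"
            if image.lower() == "scratch" or DIGEST.search(image):
                continue                      # nothing to resolve, or pinned by digest
            name = image.rsplit("/", 1)[-1]   # strip registry and namespace
            if ":" not in name or name.endswith(":latest"):
                findings.append(Finding("D08", n, f"base image {image!r} uses a floating tag"))
            else:
                findings.append(Finding("D08", n, f"base image {image!r} is pinned by tag only, not by digest"))
        elif inst in ("ENV", "ARG"):
            key = re.split(r"[=\s]", arg, maxsplit=1)[0]  # first KEY of "KEY=value" / "KEY value"
            if SECRET_NAME.search(key):
                findings.append(Finding("D06", n, f"{inst} {key} bakes a secret into the image"))
        elif inst == "ADD" and re.search(r"\b(https?|ftp)://", arg):
            findings.append(Finding("D08", n, "ADD fetches a remote URL with no integrity check"))
        elif inst == "RUN":
            if PIPE_TO_SHELL.search(arg):
                findings.append(Finding("D08", n, "RUN pipes a download straight into a shell"))
            if re.search(r"\bchmod\b.*\b777\b", arg):
                findings.append(Finding("D04", n, "RUN makes files world-writable (chmod 777)"))
        elif inst == "USER":
            user = arg.split(":")[0]          # USER name[:group] or uid[:gid]
    if user in ("root", "0"):
        findings.append(Finding("D01", 0, "final stage runs as root: add a non-root USER"))
    return findings


# Constructed samples, not from the page. example.invalid is a reserved
# placeholder host and the digest below is an all-zero placeholder, not a real one.
WEAK_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN chmod 777 /tmp/setup.sh && \\
    curl -sSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

PLACEHOLDER_DIGEST = "0" * 64
HARDENED_DOCKERFILE = f"""\
FROM python:3.12-slim@sha256:{PLACEHOLDER_DIGEST}
RUN groupadd -r app && useradd -r -g app app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/main.py"]
"""


def report(text, label):
    """Print the findings for one Dockerfile and return how many there were."""
    findings = lint(text)
    print(f"{label}: {len(findings)} finding(s)")
    for f in findings:
        print(f"  [{f.rule}] line {f.line}: {f.message}")
    return len(findings)


if __name__ == "__main__":
    report(WEAK_DOCKERFILE, "weak Dockerfile")        # 6 findings
    report(HARDENED_DOCKERFILE, "hardened Dockerfile")  # 0 findings
```

The hardened file passes because it pins the base image by digest (D08), creates and switches to an unprivileged user (D01), copies files with explicit ownership instead of loosening permissions (D04), and leaves credentials to be injected at run time rather than baked into a layer (D06). Real linters such as hadolint and Dockle carry far more rules; this script only shows the shape of the check.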

Sources

[1]: How to Secure Your Docker Containers: Tips and Challenges - PurpleBox (prplbx.com)

[2]: What is container security? (redhat.com)

[3]: What is container security? | Container Security | Snyk

[4]: Docker Security Best Practices from the Dockerfile (cloudberry.engineering)

[5]: Security best practices | Docker Documentation