Container Images
Best Practices For Securing Container Images
Containers allow applications to be packaged and shipped in a standard way, and they make it easy to scale up or tear down environments with variable workloads.
What actions can one take to remediate vulnerabilities discovered in a container image?
- Prerequisites:
- linux
- docker
- trivy
1. Scan Container Images
- Install Trivy
On Ubuntu, Trivy can be installed with the following steps:
$ sudo apt-get install wget apt-transport-https gnupg lsb-release
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy
- Create a directory (for example in the root directory) and change into it. In the new directory, create a Dockerfile with the following heredoc (the lines between the two EOF markers are the file contents, so they carry no shell prompt):
$ cat << 'EOF' > Dockerfile
FROM debian:10.0
RUN apt-get -y install bash
ADD ./myfile.tar /tmp
EXPOSE 22
EOF
- Make another directory named archive containing a text file, and pack it into the myfile.tar archive that the Dockerfile references:
$ mkdir archive
$ echo this is some text > ./archive/file.txt
$ tar cvf myfile.tar archive
- Build the dockerfile
$ docker build -t mytestimage:0.1 ./ -f Dockerfile
- Start Docker
$ sudo service docker start
- Scan with Trivy. First list the available images to confirm the build succeeded:
$ docker images
Scan:
$ trivy image mytestimage:0.1
where mytestimage is the repository and 0.1 is the tag. Trivy can also write the scan results to an output file, here in JSON format:
$ trivy i -f json -o mytestimage:0.1.json mytestimage:0.1
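The JSON report is the form you would feed into a build pipeline to decide what needs remediating: count findings per severity, list which packages have a fixed version available (the upgrade is the remediation), and block the image when anything at or above a chosen severity remains. The script below is an added example, not part of the original page or of the Trivy project; it parses the top-level Results[].Vulnerabilities[] layout that `trivy image -f json` emits, and the embedded report, its CVE identifiers, package names and versions are constructed placeholders, not real findings for the mytestimage:0.1 image.

```python
#!/usr/bin/env python3
"""Summarise a Trivy JSON report and decide whether an image passes a severity gate.

Usage: python3 trivy_gate.py [report.json]   (defaults to the constructed sample)
"""
import json
import sys

# Constructed sample in the shape of `trivy image -f json` output.
# Every identifier, package and version below is a placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "mytestimage:0.1",
    "Results": [
        {
            "Target": "mytestimage:0.1 (debian 10.0)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "toolexample",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "toolexample",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        # A target with no findings: Trivy may emit null here instead of a list.
        {"Target": "mytestimage:0.1 (no findings)", "Class": "os-pkgs", "Vulnerabilities": None},
    ],
})

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def load_findings(report_json):
    """Flatten every Results[].Vulnerabilities[] entry into one list of dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # tolerate null/missing
            findings.append({
                "id": vuln.get("VulnerabilityID"),
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,  # "" means no fix yet
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "target": result.get("Target"),
            })
    return findings


def summarize(findings):
    """Count findings per severity, in descending order of severity."""
    return {sev: sum(1 for f in findings if f["severity"] == sev) for sev in SEVERITY_ORDER}


def remediation_plan(findings):
    """Map each package with a fixable finding to the fixed versions to upgrade to."""
    plan = {}
    for f in findings:
        if f["fixed"]:
            plan.setdefault(f["pkg"], set()).add(f["fixed"])
    return {pkg: sorted(versions) for pkg, versions in plan.items()}


def blocking_findings(findings, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return the findings that should fail the build.

    ignore_unfixed mirrors the idea behind Trivy's --ignore-unfixed flag: findings
    without a fixed version cannot be remediated by upgrading, so some pipelines
    track them separately instead of failing on them.
    """
    return [f for f in findings
            if f["severity"] in fail_on and (f["fixed"] or not ignore_unfixed)]


def main(argv):
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = load_findings(report_json)
    print("Findings by severity:", summarize(findings))
    for pkg, versions in remediation_plan(findings).items():
        print(f"  upgrade {pkg} -> {', '.join(versions)}")
    blocking = blocking_findings(findings)
    for f in blocking:
        print(f"  BLOCKING {f['severity']} {f['id']} in {f['pkg']} ({f['target']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Trivy itself can enforce a gate without a helper script (`trivy image --severity CRITICAL,HIGH --exit-code 1 mytestimage:0.1`); the script adds the per-package upgrade list and the distinction between fixable and unfixed findings, which is what you need when deciding whether the remediation is a package upgrade, a newer base image, or an accepted risk.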