Container Security Scanning
Modern container security requires a comprehensive approach that integrates security scanning throughout the container lifecycle, from development to runtime.
Multi-Layer Container Security
1. Base Image Scanning
```yaml
# GitHub Actions Example
name: Base Image Scan
on:
  schedule:
    - cron: '0 0 * * *'  # Daily scan
  workflow_dispatch:
jobs:
  scan-base-images:
    runs-on: ubuntu-latest
    steps:
      - name: Scan Ubuntu base image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ubuntu:22.04'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
```
2. Build-Time Security
```yaml
# Azure DevOps Pipeline
trigger:
  - main

variables:
  containerRegistry: 'production.azurecr.io'
  imageRepository: 'myapp'
  tag: '$(Build.BuildNumber)'

stages:
  - stage: SecurityScan
    jobs:
      - job: ContainerScan
        steps:
          - task: Docker@2
            inputs:
              command: build
              # repository is required for the tags below to produce the image name the scanners use
              repository: '$(containerRegistry)/$(imageRepository)'
              dockerfile: '**/Dockerfile'
              tags: |
                $(tag)
                latest
          - task: ContainerScan@0
            inputs:
              imageName: '$(containerRegistry)/$(imageRepository):$(tag)'
              scanType: 'vulnerability'
              severityThreshold: 'CRITICAL'
          - task: Snyk@1
            inputs:
              command: container test
              dockerImageName: '$(containerRegistry)/$(imageRepository):$(tag)'
              monitorWhen: always
              failOnIssues: true
```
Advanced Scanning Features
1. SBOM Generation
```yaml
# Syft SBOM Generation
steps:
  - task: Bash@3
    inputs:
      targetType: 'inline'  # Bash@3 defaults to filePath; inline is needed for a script block
      script: |
        syft $(containerRegistry)/$(imageRepository):$(tag) \
          -o spdx-json \
          --file sbom.json
        # Scan the generated SBOM for known vulnerabilities and fail the build on high or above
        grype sbom:./sbom.json \
          --fail-on high \
          --config grype.yaml
```
2. Runtime Security Policies
```yaml
# Kubernetes Security Policies
# These are standard Pod securityContext fields, applied per container
apiVersion: v1
kind: Pod
metadata:
  name: restricted-containers
spec:
  containers:
    - name: app
      image: production.azurecr.io/myapp:latest
      securityContext:
        capabilities:
          drop:
            - ALL
          add:
            - NET_BIND_SERVICE
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
```
Automated Security Gates
1. Quality Gates Configuration
```yaml
security_gates:
  container_scan:
    critical_vulnerabilities: 0
    high_vulnerabilities: 3
    medium_vulnerabilities: 10
  compliance:
    - cis_benchmark
    - pci_dss
  sbom_validation: required
  signing_required: true
```
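The gate thresholds above have to be applied to a scanner's output somewhere in the pipeline. The following is an added example, not code from the page or from any scanner, that evaluates them against a Trivy-style JSON report (Results[].Vulnerabilities[] with Severity and an optional FixedVersion); the report itself is constructed sample data.

```python
# Added example (not from the page or any tool): applies the security_gates.container_scan
# thresholds to a Trivy-style JSON report (Results[].Vulnerabilities[] with Severity and
# optional FixedVersion). SAMPLE_REPORT is constructed data, not real scan output.
import json
from collections import Counter

# Thresholds copied from the quality gates configuration
GATE_THRESHOLDS = {"CRITICAL": 0, "HIGH": 3, "MEDIUM": 10}

# Constructed report: 1 critical without a fix, 2 high, 4 medium (one medium unfixed)
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "ubuntu:22.04 (ubuntu 22.04)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libx", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "liby", "Severity": "HIGH", "FixedVersion": "1.2"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libz", "Severity": "MEDIUM", "FixedVersion": "2.0"},
    ]},
    {"Target": "app/requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg1", "Severity": "HIGH", "FixedVersion": "3.1"},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "pkg2", "Severity": "MEDIUM", "FixedVersion": "0.9"},
        {"VulnerabilityID": "CVE-0000-0006", "PkgName": "pkg3", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0007", "PkgName": "pkg4", "Severity": "MEDIUM", "FixedVersion": "1.0"},
    ]},
]})

def count_by_severity(report_json, ignore_unfixed=False):
    """Count findings per severity; ignore_unfixed mirrors trivy's ignore-unfixed option."""
    counts = Counter()
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null rather than [] for targets with no findings
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts

def evaluate_gate(counts, thresholds=GATE_THRESHOLDS):
    """Return one violation message per severity whose count exceeds its threshold."""
    return [f"{sev}: {counts[sev]} found, limit {limit}"
            for sev, limit in thresholds.items() if counts[sev] > limit]

def gate_passes(report_json, ignore_unfixed=False):
    """True when the report satisfies every threshold (the pipeline step may exit 0)."""
    return not evaluate_gate(count_by_severity(report_json, ignore_unfixed))

if __name__ == "__main__":
    for violation in evaluate_gate(count_by_severity(SAMPLE_REPORT)):
        print("GATE FAILED:", violation)
    print("passes when unfixed findings are ignored:", gate_passes(SAMPLE_REPORT, True))
```

With the sample data the gate fails on the single critical finding, but passes once unfixed findings are excluded, which is exactly the trade-off the `ignore-unfixed: true` setting in the Trivy step makes.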
2. Policy Enforcement
```rego
# OPA/Conftest Policy
# Evaluated against Kubernetes Pod manifests, e.g. conftest test --namespace container pod.yaml
package container

# Every container must run as non-root (set on the container or at pod level)
deny[msg] {
    input.kind == "Pod"
    container := input.spec.containers[_]
    not container.securityContext.runAsNonRoot
    not input.spec.securityContext.runAsNonRoot
    msg := sprintf("Container %q must not run as root", [container.name])
}

# Every container must have a read-only root filesystem
deny[msg] {
    input.kind == "Pod"
    container := input.spec.containers[_]
    not container.securityContext.readOnlyRootFilesystem
    msg := sprintf("Container %q must have a read-only root filesystem", [container.name])
}
```
Continuous Monitoring
1. Runtime Threat Detection
```yaml
# Falco Rules Configuration
# Fires once per container start. Falco's '!=' does no wildcard matching, so the
# registry check uses startswith against the registry prefix.
- macro: container_start_event
  condition: >
    (evt.type = container or (evt.type = execve and evt.dir = < and proc.vpid = 1))

- rule: Unauthorized Container Image
  desc: Detect containers not from approved registry
  condition: >
    container_start_event and
    not container.image.repository startswith "production.azurecr.io/"
  output: >
    Unauthorized container image
    (user=%user.name image=%container.image.repository:%container.image.tag container=%container.name)
  priority: CRITICAL
  tags: [runtime, container]
```
2. Security Metrics
```yaml
# Prometheus Metrics
- name: container_vulnerabilities_total
  help: Total number of container vulnerabilities by severity
  type: gauge
  labels:
    - severity
    - image
    - registry
- name: container_compliance_score
  help: Container security compliance score
  type: gauge
  labels:
    - image
    - benchmark
```
Integration with DevSecOps Tools
1. Vulnerability Management
```yaml
# Vulnerability Management Integration
vulnerability_tracking:
  providers:
    - name: defectdojo
      api_url: https://defectdojo.internal
      product_name: container-security
    - name: security_hub
      region: us-west-2
      findings_filter:
        ProductName: container-scanning
        SeverityLabel: CRITICAL
```
2. Security Notifications
```yaml
# Security Alert Configuration
notifications:
  channels:
    slack:
      channel: security-alerts
      triggers:
        - new_critical_vulnerability
        - compliance_violation
    email:
      recipients: [security-team@company.com]
      triggers:
        - weekly_security_report
        - critical_security_event
```
Best Practices
1. Container Build Security
- Use minimal base images
- Multi-stage builds
- No secrets in images
- Pin dependency versions
- Regularly update base images
2. Runtime Security
- Implement pod security standards
- Use network policies
- Enable audit logging
- Implement admission controllers
- Regular security assessments
3. Supply Chain Security
- Sign container images
- Verify image signatures
- Generate and verify SBOMs
- Use trusted registries
- Implement image promotion policies
Compliance Requirements
1. Container Compliance Standards
```yaml
compliance_requirements:
  - standard: CIS_DOCKER_BENCHMARK
    version: "1.3.1"
    controls:
      - "4.1"  # Image Build
      - "4.2"  # Runtime
      - "4.3"  # Network
      - "4.4"  # Storage
  - standard: PCI_DSS
    version: "4.0"
    controls:
      - "6.2"   # Security Patches
      - "6.4"   # Change Control
      - "10.2"  # Audit Logging
```
2. Audit Requirements
```yaml
audit_configuration:
  retention_period: 365d
  audit_events:
    - container_launch
    - image_pull
    - security_violation
  audit_trail:
    - timestamp
    - user
    - action
    - resource
    - result
```
Conclusion
Container security scanning in CI/CD pipelines requires:
- Comprehensive Coverage
  - Base image scanning
  - Build-time security
  - Runtime protection
  - Supply chain security
- Automation
  - Automated scanning
  - Policy enforcement
  - Continuous monitoring
  - Automated remediation
- Integration
  - DevSecOps tools
  - Compliance frameworks
  - Security monitoring
  - Incident response
- Documentation
  - Security policies
  - Compliance requirements
  - Incident procedures
  - Best practices
Remember to regularly update security tools and policies to address new container security threats and vulnerabilities.