# Container Security Scanning
Modern container security requires a comprehensive approach that integrates security scanning throughout the container lifecycle, from development to runtime.
## Multi-Layer Container Security

### 1. Base Image Scanning

```yaml
# GitHub Actions Example
name: Base Image Scan
on:
  schedule:
    - cron: '0 0 * * *' # Daily scan
  workflow_dispatch:
jobs:
  scan-base-images:
    runs-on: ubuntu-latest
    steps:
      - name: Scan Ubuntu base image
        # Pin to a release tag or commit SHA rather than a moving branch in production
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ubuntu:22.04'
          format: 'table'
          exit-code: '1'          # fail the job when findings match the filters below
          ignore-unfixed: true    # skip findings that have no available fix
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
```
### 2. Build-Time Security

```yaml
# Azure DevOps Pipeline
trigger:
  - main

variables:
  containerRegistry: 'production.azurecr.io'
  imageRepository: 'myapp'
  tag: '$(Build.BuildNumber)'

stages:
  - stage: SecurityScan
    jobs:
      - job: ContainerScan
        steps:
          - task: Docker@2
            inputs:
              command: build
              # Without a repository the tags are not applied, and the scans below
              # would not find '$(containerRegistry)/$(imageRepository):$(tag)'
              repository: '$(containerRegistry)/$(imageRepository)'
              dockerfile: '**/Dockerfile'
              tags: |
                $(tag)
                latest
          - task: ContainerScan@0
            inputs:
              imageName: '$(containerRegistry)/$(imageRepository):$(tag)'
              scanType: 'vulnerability'
              severityThreshold: 'CRITICAL'
          # Snyk's Azure Pipelines extension publishes this task as SnykSecurityScan@1
          - task: SnykSecurityScan@1
            inputs:
              serviceConnectionEndpoint: 'snyk-service-connection' # placeholder: your Snyk service connection name
              testType: 'container'
              dockerImageName: '$(containerRegistry)/$(imageRepository):$(tag)'
              monitorWhen: always
              failOnIssues: true
```
## Advanced Scanning Features

### 1. SBOM Generation

```yaml
# Syft SBOM Generation
steps:
  - task: Bash@3
    inputs:
      targetType: 'inline'   # required for an inline script; the default expects a script file
      script: |
        set -euo pipefail
        # Generate an SPDX JSON SBOM for the image built earlier in the pipeline
        syft $(containerRegistry)/$(imageRepository):$(tag) \
          -o spdx-json \
          --file sbom.json
        # Scan the SBOM for known vulnerabilities; exit non-zero on high or critical findings
        grype sbom:./sbom.json \
          --fail-on high \
          --config grype.yaml
```
### 2. Runtime Security Policies

```yaml
# Kubernetes pod security context enforcing a restricted profile
apiVersion: v1
kind: Pod
metadata:
  name: restricted-containers
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: production.azurecr.io/myapp:1.0.0   # placeholder tag
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
          add:
            - NET_BIND_SERVICE   # the only capability kept, so the app can bind ports below 1024
```
## Automated Security Gates

### 1. Quality Gates Configuration

```yaml
# Tool-agnostic gate definition: the maximum number of findings allowed per severity
security_gates:
  container_scan:
    critical_vulnerabilities: 0
    high_vulnerabilities: 3
    medium_vulnerabilities: 10
  compliance:
    - cis_benchmark
    - pci_dss
  sbom_validation: required
  signing_required: true
```
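As an added example (not code from the original article), the following Python gate evaluator applies the thresholds above to a Trivy-style JSON report and shows how the `ignore-unfixed` setting from the Trivy step changes the verdict. The report is constructed sample data with placeholder IDs; the only assumption is Trivy's `Results[].Vulnerabilities[].Severity` layout.

```python
import json
from collections import Counter

# Thresholds from the security_gates.container_scan block above:
# the maximum number of findings allowed per severity.
GATE = {"CRITICAL": 0, "HIGH": 3, "MEDIUM": 10}

# Constructed Trivy-style JSON report (layout: Results[].Vulnerabilities[].Severity).
# IDs are placeholders; Trivy emits Vulnerabilities: null for a clean target.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "production.azurecr.io/myapp:42",
    "Results": [
        {"Target": "ubuntu:22.04 (os)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "HIGH", "FixedVersion": "1.2.3"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "Severity": "HIGH", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "Severity": "MEDIUM", "FixedVersion": "2.0"},
        ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "Severity": "HIGH", "FixedVersion": "3.1"},
            {"VulnerabilityID": "CVE-EXAMPLE-0005", "Severity": "HIGH", "FixedVersion": "0.9"},
            {"VulnerabilityID": "CVE-EXAMPLE-0006", "Severity": "LOW", "FixedVersion": ""},
        ]},
        {"Target": "app/config", "Vulnerabilities": None},
    ],
})


def count_by_severity(report_json, ignore_unfixed=False):
    """Count findings per severity across all targets.
    ignore_unfixed mirrors Trivy's --ignore-unfixed: findings with no FixedVersion are skipped."""
    counts = Counter()
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            counts[vuln["Severity"].upper()] += 1
    return dict(counts)


def evaluate_gate(counts, gate=GATE):
    """Return (passed, violations); severities missing from the gate are not enforced."""
    violations = [f"{sev}: {counts.get(sev, 0)} found, max {limit}"
                  for sev, limit in gate.items() if counts.get(sev, 0) > limit]
    return (not violations, violations)


if __name__ == "__main__":
    for ignore in (False, True):
        counts = count_by_severity(SAMPLE_REPORT, ignore_unfixed=ignore)
        passed, violations = evaluate_gate(counts)
        print(f"ignore_unfixed={ignore}: {counts} -> {'PASS' if passed else 'FAIL'} {violations}")
```

With every finding counted the sample fails on four HIGH findings against a limit of three; skipping the unfixed one brings it under the threshold, which is why `ignore-unfixed` should be a deliberate policy decision rather than a default.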
### 2. Policy Enforcement

```rego
# OPA/Conftest Policy, evaluated against Kubernetes manifests (`input` is one YAML document)
package container

import rego.v1

deny contains msg if {
  input.kind == "Pod"
  not input.spec.securityContext.runAsNonRoot
  msg := "Containers must not run as root"
}

deny contains msg if {
  input.kind == "Pod"
  some container in input.spec.containers
  not container.securityContext.readOnlyRootFilesystem
  msg := sprintf("Root filesystem must be read-only (container %v)", [container.name])
}
```
## Continuous Monitoring

### 1. Runtime Threat Detection

```yaml
# Falco Rules Configuration
# `container_started` is a macro from the default Falco rule set; Falco's `!=` does not
# glob, so the registry allowlist is expressed with `startswith`.
- rule: Unauthorized Container Image
  desc: Detect containers not from approved registry
  condition: >
    container_started and
    not container.image.repository startswith "production.azurecr.io/"
  output: Unauthorized container image (user=%user.name image=%container.image)
  priority: CRITICAL
  tags: [runtime, container]
```
### 2. Security Metrics

```yaml
# Prometheus Metrics
# Note: Prometheus convention reserves the _total suffix for counters; a current count of
# open findings is a gauge, so the name would normally drop the suffix.
- name: container_vulnerabilities_total
  help: Total number of container vulnerabilities by severity
  type: gauge
  labels:
    - severity
    - image
    - registry
- name: container_compliance_score
  help: Container security compliance score
  type: gauge
  labels:
    - image
    - benchmark
```
## Integration with DevSecOps Tools

### 1. Vulnerability Management

```yaml
# Vulnerability Management Integration
vulnerability_tracking:
  providers:
    - name: defectdojo
      api_url: https://defectdojo.internal
      product_name: container-security
    - name: security_hub
      region: us-west-2
      findings_filter:
        ProductName: container-scanning
        SeverityLabel: CRITICAL
```
### 2. Security Notifications

```yaml
# Security Alert Configuration
notifications:
  channels:
    slack:
      channel: security-alerts
      triggers:
        - new_critical_vulnerability
        - compliance_violation
    email:
      recipients: [security-team@company.com]
      triggers:
        - weekly_security_report
        - critical_security_event
```
## Best Practices

### 1. Container Build Security

- Use minimal base images
- Multi-stage builds
- No secrets in images
- Pin dependency versions
- Regularly update base images

### 2. Runtime Security

- Implement pod security standards
- Use network policies
- Enable audit logging
- Implement admission controllers
- Regular security assessments

### 3. Supply Chain Security

- Sign container images
- Verify image signatures
- Generate and verify SBOMs
- Use trusted registries
- Implement image promotion policies
## Compliance Requirements

### 1. Container Compliance Standards

```yaml
compliance_requirements:
  - standard: CIS_DOCKER_BENCHMARK
    version: "1.3.1"
    controls:
      - "4.1" # Image Build
      - "4.2" # Runtime
      - "4.3" # Network
      - "4.4" # Storage
  - standard: PCI_DSS
    version: "4.0"
    controls:
      - "6.2"  # Security Patches
      - "6.4"  # Change Control
      - "10.2" # Audit Logging
```
### 2. Audit Requirements

```yaml
audit_configuration:
  retention_period: 365d
  audit_events:
    - container_launch
    - image_pull
    - security_violation
  audit_trail:
    - timestamp
    - user
    - action
    - resource
    - result
```
## Conclusion

Container security scanning in CI/CD pipelines requires:

1. **Comprehensive Coverage**
   - Base image scanning
   - Build-time security
   - Runtime protection
   - Supply chain security
2. **Automation**
   - Automated scanning
   - Policy enforcement
   - Continuous monitoring
   - Automated remediation
3. **Integration**
   - DevSecOps tools
   - Compliance frameworks
   - Security monitoring
   - Incident response
4. **Documentation**
   - Security policies
   - Compliance requirements
   - Incident procedures
   - Best practices
Remember to regularly update security tools and policies to address new container security threats and vulnerabilities.