Container Image Security and Scanning¶

This guide focuses on security scanning of dependencies used in container images. This guide does not discuss monitoring of hosting platforms.

Container Image Security and Scanning
TL;DR
Snyk in a Software Development Lifecycle
Scanning from the Command Line
- Examples
- Snyk Config
Scanning as part of CI
Monitoring the Container Registries
Monitoring the Source Code (SCM)
View vulnerabilities
Container Image Security
Using Snyk behind a PROXY
Resources
- Snyk
- Others

TL;DR¶

In your development environment; use Snyk CLI to scan local container images and docker files. Use the Snyk Container Registry integration to monitor container images and manifests. Configure Snyk's notifications and response to detections. Use the Snyk Advisor when assessing base images (and open source libraries)

Snyk in a Software Development Lifecycle¶

Teams have different software development life cycles (SDLC). The following figure illustrate one quite common pattern and could be useful for facilitating discussions.

Snyk in the SDLC

1) Develop on a feature branch - Run tests, build container images, run tests with container images. - Use Snyk Cli to scan open source dependencies in application (Snyk Open Source) - Use Snyk Cli to scan container image and manifest (Snyk Container). 2) Create Pull Request (PR) from feature branch - Run som automated checks which could include Snyk Open Source and Snyk Container - Fail/pass based on own requirements (example: No 'Critical vulnerabilities' with available fix) 3) Merge of PR triggers Continuos Integration (CI) - Build artifacts, execute tests - Use Snyk Cli / Snyk CI Integration to scan artifacts (Open Source, Container) - Fail/pass based on own requirements (example: No 'Critical vulnerabilities' with available fix) 4) CI passing - Push artifacts to package/container registries 5) CD (Continuos Deploy) is triggers - Apply policy checks prior to deploying 6) CD - Deploy to hosting platform 7) Snyk Source Code Monitoring - Scheduled testing of code- and container-manifest (Docker file) - Configure Snyk notification and response (PR's etc.) 8) Snyk Container Registry Integration - Scheduled testing of code image and and container-manifest - Configure Snyk notification and response (PR's etc.)

Scanning from the Command Line¶

Pre-read; The Snyk CLI, Snyk CLI for container security, Snyk CLI reference

Recommendations:

Include Snyk test as part of your local development process (1)
Refer to Dockerfile (if available) to have Snyk suggest recommendations for base images
Use "severity-threshold" to "break builds"

Examples¶

Examples assumes the Snyk CLI is installed, that you have authenticated (Both Snyk and Docker) and that you have an image named "isc-quotes-test"

Scan local container image

shell snyk container test --file=./Dockerfile isc-quotes-test

Scan local container image and application vulnerabilities

shell snyk container test --file=./Dockerfile --app-vulns isc-quotes-test

Scan remote container image (assuming public image on docker hub)

shell snyk container test ubuntu:latest

Scan remote container image, only report critical issues (impacts the exit code)

shell snyk container test --insecure --severity-threshold=critical ubuntu:latest

Scan local container image user the docker client (You will have more opportunities to control the scan process using Snyk - options like debug and insecure)

shell docker scan --file ./Dockerfile isc-quotes-test

Snyk Config¶

shell snyk config --help

Consider turning off analytics?

Scanning as part of CI¶

Snyk has quite a few CI integrations. Many of them will use the The Snyk CLI. You can use the Snyk CLI from any CI and get very granular control. When using the Snyk CLI in a CI you would need to provide an authentication token or similar.

Using the CLI parameters like --severity-threshold and --fail-on together with exit codes will provide a good framework for many scenarios.

The Advanced Snyk Container CLI will provide valuable insight and examples.

Monitoring the Container Registries¶

Letting Snyk monitor your container images, the ones that are deployed from your registry (or from Docker hub - and others) will provide you notification when vulnerabilities are detected in your base image, for many of the packages you install - as well as for the application you have inside the container.

Follow the Getting started with Snyk Container guide to set-up an integration for your Snyk organization.
Add proper credentials
Consider enabling "detect application vulnerabilities". Monitoring the application from both the SCM integration and the Container Registry integration may give unexpected noise, duplicate notification etc.
Add your projects using the Container registration
Remember to visit the project settings and tune options like "Docker file" and "Test & Automated Pull Request Frequency" (Connecting the docker file will enable base image recommendations)

Monitoring the Source Code (SCM)¶

Snyk can assist in container scanning using the source code as well. This scan will obvious not scan the actual container image, but focus on the source, usually the Dockerfile. This container scan is somewhat limited compared to the CLI/Container registry integration.

The SCM integration will scan the Docker file and identify vulnerabilities in the base image. The SCM scan will also provide base image upgrades if available.

View vulnerabilities¶

For projects, please consult the Interpreting Snyk Open Source reports guideline. Please note the following for containers:

Review the base image recommendation if it exist. Test properly if base image is updated.
Review the Image Layer Information for vulnerabilities to identify where the vulnerability is introduced.