Improve Your Container Security with the Aqua MicroScanner for Source-to-Image Builds
We (Arctiq) were incredibly fortunate to have Aqua Security’s Technology Evangelist, Liz Rice, join us at our Container Security event on Friday, October 5th. Do not fret if you missed the event. We recorded the fireside chat with Liz and we are in the process of turning the demos we presented into blogs. This post is about leveraging Aqua’s MicroScanner for image scanning during source-to-image (s2i) pipeline builds and includes the recording of the demo presented at the event.
The demos were built to present how to improve the security of application development within containerized environments by leveraging technology from our partners Aqua Security, Red Hat (OpenShift, Ansible), HashiCorp (Vault) and Microsoft (Azure). Our demo environment consisted of a nine-node OpenShift 3.9 cluster which was deployed and configured using Terraform and Ansible on the Azure Cloud. The major components of the cluster included:
- 3 master nodes
- 3 infra nodes
- 3 app nodes
- 1 bastion host (only node with public IP)
- 2 Azure load balancers
The Value of the MicroScanner
Security scanning is a method commonly used to ensure files have not been modified in a malicious way or to identify them as containing a security vulnerability. The Aqua MicroScanner focuses on software packages and checks them against known vulnerability databases like the NVD. The Aqua CSP (commercial solution) takes scanning one step further by leveraging the Aqua Server to identify software packages with vulnerabilities AND validate that the configuration and contents of the image adhere to the defined image assurance policies. Some of those policies include checking:
- Package blacklists
- CVE blacklists
- Required package lists
- Image does not run as root
- Vulnerability score
The MicroScanner is freely available for download and use but without the Aqua Server you only get the vulnerability scanning capabilities.
MicroScanner Use Case for OpenShift
The MicroScanner is intended to be used in environments that support s2i builds, such as OpenShift. The application development features built into OpenShift include automatic instantiation of a Jenkins instance when a Jenkins pipeline configuration (Jenkinsfile) is detected in the source repository. Since the build and push stages of an s2i build happen in a single step, the Jenkins scanner plugin or scanner-cli cannot be leveraged until the image is pushed to your registry. In order to shift left and put security tooling as close to the developer as possible, it’s ideal that an image does not make it into the registry unless it has already passed a security scan during its build.
Securing the Development Pipeline Demo
The following screencast was presented at our Container Security event to demonstrate how the Aqua MicroScanner can be used to add a powerful security layer which will:
- Automatically scan images during the build stage
- Prevent images from being pushed to registries when failing a security policy
In this demonstration:
- A simple NodeJS weather application is leveraged as the application source code to be built
- A NodeJS s2i builder image is extended with the microscanner functionality
  - Performed by extending the NodeJS S2I Dockerfile to include the microscanner binary and scanning step
- A simple build pipeline is utilized to demonstrate 2 configuration scenarios
  - An empty default policy permits the microscanner to “succeed” and allows the image to be pushed to the registry
  - An updated policy that demands the presence of a made-up package named HardCoreSecurity ensures that the microscanner “fails” the step and the image is unable to be pushed into the registry
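As an added illustration (not the Dockerfile from the demo or from Aqua's project), this is what extending the NodeJS s2i builder with the scanning step can look like: the stock builder (image name assumed) gets the MicroScanner binary, and its assemble script is wrapped so that the scan runs after the application is assembled and a failing scan aborts the build before anything reaches the registry. The MICROSCANNER_TOKEN variable name and the /opt/s2i-scan path are assumptions; the token is the one issued when registering for the MicroScanner and is supplied through the BuildConfig environment rather than baked into the image.

```dockerfile
# Extend the stock NodeJS s2i builder with the Aqua MicroScanner.
# Image name is an assumption; use the builder your cluster already provides.
FROM centos/nodejs-8-centos7

USER root

# Fetch the scanner binary while the builder image is built (download URL as
# documented in the MicroScanner README). ADD from a URL leaves the file 0600,
# so make it executable.
ADD https://get.aquasec.com/microscanner /usr/local/bin/microscanner
RUN chmod 0755 /usr/local/bin/microscanner

# Wrapper assemble script (path /opt/s2i-scan is an assumption):
#   1. run the builder's own assemble (npm install etc.)
#   2. require MICROSCANNER_TOKEN from the build environment (assumed
#      variable name; never bake the token into the image)
#   3. scan the assembled filesystem; a non-zero exit aborts the build,
#      so an image that fails the scan is never committed or pushed
RUN mkdir -p /opt/s2i-scan && \
    printf '%s\n' \
      '#!/bin/bash' \
      'set -euo pipefail' \
      '/usr/libexec/s2i/assemble' \
      ': "${MICROSCANNER_TOKEN:?MICROSCANNER_TOKEN must be set in the build environment}"' \
      'echo "---> Running Aqua MicroScanner"' \
      '/usr/local/bin/microscanner "$MICROSCANNER_TOKEN"' \
      > /opt/s2i-scan/assemble && \
    chmod 0755 /opt/s2i-scan/assemble && \
    ln -s /usr/libexec/s2i/run /opt/s2i-scan/run

# Point s2i at the wrapper directory so every build using this builder is scanned.
LABEL io.openshift.s2i.scripts-url="image:///opt/s2i-scan"

# Drop back to the unprivileged user the stock builder runs as.
USER 1001
```

Set MICROSCANNER_TOKEN as an environment variable on the BuildConfig's source strategy (or in the application's .s2i/environment file) so that the builder can reach it at assemble time.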
Without further ado, the MicroScanner with OpenShift S2I screencast…
Interested in learning more or discussing the technology we utilized? We would love to hear from you.