Security is critical for your applications. When using containers, how do you ensure that you reduce the attack surface area? How can you be sure that your OS and packages are recent enough and not affected by known vulnerabilities?
Well, if you store your container images on Google Container Registry, you'll be happy to learn about this alpha feature: Google Container Registry Vulnerability Scanning. The Container Analysis API supports package vulnerability scanning for images based on Ubuntu, Debian, and Alpine.
Let's set the stage
For the purpose of this tip, I created a small container image that runs an Apache Groovy script which simply prints hello world:
FROM groovy:alpine
ADD hello.groovy ./
CMD ["groovy", "hello.groovy"]
I’ve built my image:
$ docker build . -t hello
Sending build context to Docker daemon  3.072kB
Step 1/3 : FROM groovy:alpine
alpine: Pulling from library/groovy
2fdfe1cd78c2: Pull complete
82630fd6e5ba: Pull complete
119d364c885d: Pull complete
287ef2aa8ecb: Pull complete
fe31a0044ad1: Pull complete
Digest: sha256:60fc6fdb148c2a5c48989d384e56d19bd288151b6d82770bb2f7d42674b9da0f
Status: Downloaded newer image for groovy:alpine
 ---> 34ce9830b507
Step 2/3 : ADD hello.groovy ./
 ---> 96a805f80806
Step 3/3 : CMD groovy hello.groovy
 ---> Running in 78040114c799
 ---> 467a80cf4614
Removing intermediate container 78040114c799
Successfully built 467a80cf4614
Successfully tagged hello:latest
And tagged it:
$ docker tag hello gcr.io/docker-vulnerability-scanning/hello
Just to be sure all was fine, I double-checked that my message was properly printed:
$ docker run -it hello
Hello Groovy world!
I enabled the Container Registry API:
I pushed my image to the registry:
$ gcloud docker -- push gcr.io/docker-vulnerability-scanning/hello
The push refers to a repository [gcr.io/docker-vulnerability-scanning/hello]
3e84e885bf33: Pushed
baeea7770e60: Pushed
e2468806cd9c: Pushed
25baa3ba1903: Pushed
5b1e27e74327: Pushed
04a094fe844e: Pushed
latest: digest: sha256:0ed6cbc3ec3e3ef6a25ffd4f82c8092ff8ee994f4be89dcbe89fbd33cc842860 size: 1573
Now my image is in Container Registry:
Enabling vulnerability scanning
Note: Since it's still an alpha service, you'll have to be whitelisted to be able to enable the API. You can activate the Container Analysis API only if your email address is whitelisted for this API. If you're interested in trying this new feature, please join the Container Analysis Users group to be enrolled.
First, we must enable the Container Analysis API by visiting this URL and selecting our Google Cloud project:
Then go to the GCR settings page and enable the vulnerability scanning feature:
After a little while, once the scanner has gone through your container images, you should see that it ran its analysis:
If you click on the vulnerability summary, you'll be able to see the detailed report (in my case, I'm happy: no vulnerabilities were found):
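Reading the report by eye is fine for a single image; in a build pipeline you would rather let the scan result decide whether an image gets promoted. The following added example is not part of the original post or of Google's tooling: it parses a vulnerability report in a JSON shape modelled on Container Analysis vulnerability occurrences (an assumption; field names differ between API versions, so adjust `extract_findings` to the output you actually get) and blocks promotion on findings at or above a chosen severity, optionally only when a fixed package version already exists. The sample report, the package names and the CVE-style identifiers are constructed placeholders.

```python
"""Gate image promotion on package-vulnerability scan results.

Added example, not from the original post. The report shape is an assumption
modelled on Container Analysis vulnerability occurrences; in a real pipeline
you would feed in the JSON exported from the registry's scan results instead
of SAMPLE_REPORT.
"""
import json

# Ordering used to compare severities against the policy threshold.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: three findings of different severities, one of
# them without a fix released yet. All identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "occurrences": [
        {
            "noteName": "projects/example/notes/CVE-EXAMPLE-0001",
            "kind": "VULNERABILITY",
            "vulnerability": {
                "severity": "CRITICAL",
                "cvssScore": 9.8,
                "packageIssue": [{
                    "affectedPackage": "libexample",
                    "affectedVersion": {"name": "1.0.1-r0"},
                    "fixedVersion": {"name": "1.0.2-r0"},
                }],
            },
        },
        {
            "noteName": "projects/example/notes/CVE-EXAMPLE-0002",
            "kind": "VULNERABILITY",
            "vulnerability": {
                "severity": "HIGH",
                "cvssScore": 7.5,
                "packageIssue": [{
                    "affectedPackage": "libother",
                    "affectedVersion": {"name": "2.3.0-r1"},
                    "fixedVersion": {},  # no fixed version available yet
                }],
            },
        },
        {
            "noteName": "projects/example/notes/CVE-EXAMPLE-0003",
            "kind": "VULNERABILITY",
            "vulnerability": {
                "severity": "LOW",
                "cvssScore": 3.1,
                "packageIssue": [{
                    "affectedPackage": "busybox",
                    "affectedVersion": {"name": "1.28.4-r0"},
                    "fixedVersion": {"name": "1.28.4-r1"},
                }],
            },
        },
    ]
})

# What a clean scan (like the one in the post) looks like in this shape.
EMPTY_REPORT = json.dumps({"occurrences": []})


def extract_findings(report_json):
    """Flatten vulnerability occurrences into one record per affected package."""
    findings = []
    for occ in json.loads(report_json).get("occurrences", []):
        if occ.get("kind") != "VULNERABILITY":
            continue  # other occurrence kinds (build, deployment...) are not findings
        vuln = occ["vulnerability"]
        cve = occ["noteName"].rsplit("/", 1)[-1]
        for issue in vuln.get("packageIssue", []):
            findings.append({
                "cve": cve,
                "severity": vuln.get("severity", "MINIMAL").upper(),
                "cvss": vuln.get("cvssScore"),
                "package": issue.get("affectedPackage"),
                "installed": issue.get("affectedVersion", {}).get("name"),
                # None when the distribution has not shipped a fix yet
                "fixed": issue.get("fixedVersion", {}).get("name"),
            })
    return findings


def gate(findings, block_at="HIGH", only_fixable=False):
    """Return (ok, blocking): ok is False if any finding is at or above block_at.

    With only_fixable=True, findings without a fixed version are reported but
    do not block, since rebuilding the image could not remove them anyway.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
        and (f["fixed"] or not only_fixable)
    ]
    return (len(blocking) == 0, blocking)


def summarize(findings, block_at="HIGH", only_fixable=False):
    """Human-readable summary suitable for a CI log."""
    ok, blocking = gate(findings, block_at, only_fixable)
    lines = ["%s: %s in %s %s (fix: %s)" % (
        f["severity"], f["cve"], f["package"], f["installed"], f["fixed"] or "none")
        for f in findings]
    verdict = "PASS" if ok else "BLOCK (%d finding(s) >= %s)" % (len(blocking), block_at)
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    print(summarize(extract_findings(SAMPLE_REPORT), "HIGH", only_fixable=True))
    print(summarize(extract_findings(EMPTY_REPORT)))
```

Run the script once against the sample data to see a blocked verdict, then point `extract_findings` at your own exported scan results; the `only_fixable` switch is the setting to discuss with your team, since blocking on unfixable findings stops every build until the distribution ships a patch.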
Also, read more about this new alpha feature: Google Container Registry Vulnerability Scanning