
External Service: Container Vulnerability Scanning #203

@guacamole

Description

A container vulnerability scanning service would really complement OpenRegistry. It really helps to have such a service and an option to toggle it on/off. This service can use an existing tool; any one of the following would do:

Grype

Pros - Grype is amazing. It's actively maintained by a security-focused company. Default output looks clean as well, plus in the comparison, Grype listed out more vulnerabilities.

Cons - Doesn't have an HTTP Server/Client model as of now and they don't wish to support it, just to keep the project simple and tight-knit.

The upside is, extending this would be dead simple and adding HTTP support for it would only take a medium effort (probably 5-7 days of full-time work).

➜  grype node:16-alpine
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [230 packages]
 ✔ Scanned image           [4 vulnerabilities]

NAME    INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
opener  1.5.2                npm   CVE-2021-27478  High
opener  1.5.2                npm   CVE-2021-27482  High
opener  1.5.2                npm   CVE-2021-27498  High
opener  1.5.2                npm   CVE-2021-27500  High

Trivy by AquaSecurity

Pros - Trivy is basically the best tool out there for our use case. It's maintained by arguably the best security company in the container and cloud-native space, offers more than container vulnerability scanning (FS, container images, AWS, k8s, etc.), plus has a plugin system to extend the base functionality.
Another very big feature is that they already have an HTTP Server/Client model.

Cons - Didn't detect some vulnerabilities? Grype detected a few, as seen above, but in the case of Trivy, it showed the following for the same container image:

➜  trivy --server http://localhost:8080 image node:16-alpine
2022-10-21T02:19:23.231+0530    INFO    Vulnerability scanning is enabled
2022-10-21T02:19:23.231+0530    INFO    Secret scanning is enabled
2022-10-21T02:19:23.231+0530    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-21T02:19:23.231+0530    INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection

node:16-alpine (alpine 3.16.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
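As an added example of what the toggleable service sketched in this issue could look like, here is a small Go program (OpenRegistry is written in Go) that wraps the Grype binary: it shells out with `grype -o json <image>`, normalises the matches, applies a severity threshold, and serves the verdict over HTTP. This is editor-written illustration code, not OpenRegistry's or Grype's own. The JSON keys it reads (`matches[].vulnerability.id`, `matches[].vulnerability.severity`, `matches[].artifact.name/version/type`) are the ones `grype -o json` emits; the `/v1/scan` route, the `ScanResult` shape, the severity threshold, the 5-minute timeout and the sample report are assumptions, and the sample report is constructed (one opener CVE from the output above plus a made-up medium finding).

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// Subset of Grype's JSON output (`grype -o json <image>`); encoding/json matches keys case-insensitively, so no tags.
type grypeReport struct {
	Matches []struct {
		Vulnerability struct{ ID, Severity string }
		Artifact      struct{ Name, Version, Type string }
	}
}

// Finding is one normalised match; ScanResult is the JSON body of a /v1/scan reply (both assumed shapes).
type Finding struct{ Package, Installed, Type, ID, Severity string }
type ScanResult struct{ Image string; Findings []Finding; Pass bool }
var severityRank = map[string]int{"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// parseGrypeJSON flattens a Grype report into Findings with lower-cased severities.
func parseGrypeJSON(raw []byte) ([]Finding, error) {
	var rep grypeReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, fmt.Errorf("decode grype report: %w", err)
	}
	out := []Finding{} // non-nil so an empty result encodes as [] rather than null
	for _, m := range rep.Matches {
		out = append(out, Finding{Package: m.Artifact.Name, Installed: m.Artifact.Version, Type: m.Artifact.Type, ID: m.Vulnerability.ID, Severity: strings.ToLower(m.Vulnerability.Severity)})
	}
	return out, nil
}

// violates is true if any finding is at or above threshold; a severity the table does not know (Grype's "Unknown", a typo) fails closed.
func violates(findings []Finding, threshold string) bool {
	floor := severityRank[strings.ToLower(threshold)] // unknown threshold => 0 => everything fails
	for _, f := range findings {
		if r, known := severityRank[f.Severity]; !known || r >= floor {
			return true
		}
	}
	return false
}

// imageRef allow-lists plain image references: exec uses no shell, but a leading "-" would be parsed by grype as a flag.
var imageRef = regexp.MustCompile(`^[a-z0-9][A-Za-z0-9._/:@-]*$`)

// scanImage runs grype for one image. grype exits 0 even with findings unless --fail-on is set, so a non-zero exit is a real failure.
func scanImage(ctx context.Context, image, threshold string) (ScanResult, error) {
	raw, err := exec.CommandContext(ctx, "grype", "-o", "json", image).Output()
	if err != nil {
		return ScanResult{}, fmt.Errorf("grype %s: %w", image, err)
	}
	findings, err := parseGrypeJSON(raw)
	if err != nil {
		return ScanResult{}, err
	}
	return ScanResult{Image: image, Findings: findings, Pass: !violates(findings, threshold)}, nil
}

// scanHandler answers GET /v1/scan?image=<ref>; enabled is the on/off toggle the issue asks for.
func scanHandler(enabled bool, threshold string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		image := r.URL.Query().Get("image")
		switch {
		case !enabled:
			http.Error(w, "vulnerability scanning is disabled", http.StatusServiceUnavailable)
		case !imageRef.MatchString(image):
			http.Error(w, "invalid image reference", http.StatusBadRequest)
		default:
			ctx, cancel := context.WithTimeout(r.Context(), 5*time.Minute) // pulling an image is slow
			defer cancel()
			res, err := scanImage(ctx, image, threshold)
			if err != nil {
				http.Error(w, "scan failed", http.StatusBadGateway)
				return
			}
			w.Header().Set("Content-Type", "application/json")
			_ = json.NewEncoder(w).Encode(res)
		}
	}
}

// sampleGrypeJSON is a constructed report in Grype's JSON shape (one opener CVE from the issue plus a made-up medium finding).
const sampleGrypeJSON = `{"matches":[
{"vulnerability":{"id":"CVE-2021-27478","severity":"High"},"artifact":{"name":"opener","version":"1.5.2","type":"npm"}},
{"vulnerability":{"id":"EXAMPLE-1","severity":"Medium"},"artifact":{"name":"example","version":"1.0.0","type":"apk"}}]}`

func main() {
	http.Handle("/v1/scan", scanHandler(true, "high"))
	log.Fatal(http.ListenAndServe("127.0.0.1:8090", nil))
}
```

With grype on PATH, `go run` it and query `curl 'http://127.0.0.1:8090/v1/scan?image=node:16-alpine'`; flipping the first argument of `scanHandler` to `false` is the toggle. Two points a practitioner would want regardless of which scanner is chosen: the image reference is allow-listed before it reaches `exec`, because a caller-controlled value starting with `-` would otherwise be parsed by the scanner as a flag, and an unrecognised severity string fails the policy rather than passing it. Swapping in Trivy's server would only change `parseGrypeJSON`, since Trivy's JSON nests findings under `Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion` and `Severity` fields.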

Metadata

Labels: P1 (used for what we see as highest priority: critical bugs, security issues, etc.), enhancement (new feature or request)

Status: In Progress
