Let’s assume you already know about Docker, Kubernetes, cloud-native technologies, and containers, and that you know how to keep your container images secure: things like not enabling, or even installing, “sshd” in them. Those are easy things that each of us, as image authors, should be doing regularly anyway, and they clearly fall into the category of things we need to think about as we build our images.

However, one aspect of image development that we sometimes choose to ignore is the security of the base operating system we use in those images. Some images are truly minimal (built on no operating system at all, as when your Dockerfile starts with “FROM scratch”). Those are great for speedy downloads, but they can be cumbersome if you ever need to debug the running container: without any operating system you can’t even “exec” into it and use “sh” to look around and see what’s going on. Whatever the reason, many people do include some kind of operating system in their images. It’s easy to remember to check that the applications we install into those images aren’t exposing any vulnerabilities, but how often do you check the packages that the base operating system itself brings along? How easy is it for you to do so as part of your normal CI/CD pipeline?

Many people upload their container images to public registries for easy access, but not all of those registries offer the ability to scan your images (and in particular their operating system packages) for vulnerabilities. When they do, the scans aren’t always free, and it isn’t always easy to integrate those checks into your development workflow.

With those concerns in mind, IBM has just announced a new free service that will scan any publicly downloadable container image for vulnerabilities. Yes, for free! Not only that, but you don’t even need to upload those images into IBM Cloud or even log into IBM Cloud to use it. The goal here is to provide something to the community that should be “a given” – security.

Introducing IBM’s Image Scanning Service

IBM’s new Image Scanning Service is available at http://imagescanner.bluemix.net/. It allows you to provide the image name of any publicly available container image and it’ll download it, scan it, and return the results back to you. It also has an easy-to-use web interface, with just a single entry field for the location/name of the image.

After hitting “Submit,” all you need to do is wait and the results will be displayed in a clean and consumable format.

Here’s what you’ll see if you have no issues with an image:

If there are issues with the image, then you’ll see something like this:

The example above lists all known vulnerabilities and issues that were found in the image. Notice that it contains a brief summary of each problem and a suggestion on how to fix it. Sometimes the issues are vulnerable versions of installed packages; sometimes they are configuration problems that the scanner detects (for example, an sshd configuration that permits root login).

If you want to invoke the service from your tooling, a simple “curl” command against this endpoint will do the job:

GET http://imagescanner.bluemix.net/scan?image=<imageName>


The results are returned as JSON and contain all the information you can see in the web interface, plus a little more if you want the gory details. Something like this:

{
  "Progress": "Scan completed: OK",
  "Results": {
    "ID": "2413078b-5662-4ebe-ace1-7d93c33faf54",
    "Scan_Time": 1532786243,
    "Status": "OK",
    "Vulnerabilities": [
      {
        "CVE_Exempt": false,
        "CVE_ID": "CVE-2016-1252",
        "Exempt_Security_Notice_Count": 0,
        "Exempt_Status": "active",
        "Security_Notice_Count": 1,
        "Security_Notices": [
          {
            "Notice": "http://www.ubuntu.com/usn/usn-3156-1",
            "Notice_Exempt": false,
            "Notice_ID": "usn-3156-1",
            "Summary": "An attacker could trick APT into installing altered packages.",
            "Vulnerable_Packages": [
              {
                "Corrective_Action": "Upgrade apt to \u003e= 1.0.1ubuntu2.17",
                "Description": "apt has vulnerabilities",
                "Fix_Version": "1.0.1ubuntu2.17",
                "Installed_Version": "1.0.1ubuntu2.10",
                "Package_Name": "apt"
              }
            ]
          }
        ],
        "Summary": "An attacker could trick APT into installing altered packages.",
        "Total_Security_Notice_Count": 1
      }
    ],
    "Configuration_Issues": [
      {
        "Correct_Action": "",
        "Description": "Enables root login.",
        "Exempt": false,
        "Meta": {
          "keypath": "/etc/ssh/sshd_config/PermitRootLogin",
          "value": "yes"
        },
        "Type": "application_configuration:ssh.PermitRootLogin"
      }
    ]
  }
}


I should also point out one more thing: if you click on the exclamation point icon on the right side of the table in the web interface, you’ll be able to see the raw JSON for that issue, in case the brief summary being displayed leaves out something you need.

As you might imagine, some of the images out there are rather large and could take a while to download or scan. If you’re using the API and you hit a connection timeout, don’t worry: just re-issue the same request and the service will pick up where it left off rather than starting the whole download/scan over again.
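To show how the JSON above and the retry-on-timeout behaviour fit into a CI/CD pipeline, here is an added example of a build gate (my code, not IBM’s, and not part of the original post). The only thing taken from the post is the GET endpoint; the retry count, back-off, the exit policy, and the assumption that a finished scan reports a "Progress" string starting with "Scan completed" are this example’s own choices. The sample report embedded in the script is a trimmed copy of the response shown above, so the script runs offline when no image name is given.

```python
"""CI gate for the image scanner API (added example; endpoint from the post,
everything else is this example's own assumption)."""
import json
import socket
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

SCAN_URL = "http://imagescanner.bluemix.net/scan"  # endpoint shown in the post

# Constructed sample: the response from the post, trimmed to the fields used here.
SAMPLE_REPORT = {
    "Progress": "Scan completed: OK",
    "Results": {
        "Status": "OK",
        "Vulnerabilities": [{
            "CVE_Exempt": False,
            "CVE_ID": "CVE-2016-1252",
            "Security_Notices": [{
                "Notice_ID": "usn-3156-1",
                "Notice_Exempt": False,
                "Summary": "An attacker could trick APT into installing altered packages.",
                "Vulnerable_Packages": [{
                    "Package_Name": "apt",
                    "Installed_Version": "1.0.1ubuntu2.10",
                    "Fix_Version": "1.0.1ubuntu2.17",
                }],
            }],
        }],
        "Configuration_Issues": [{
            "Exempt": False,
            "Description": "Enables root login.",
            "Meta": {"keypath": "/etc/ssh/sshd_config/PermitRootLogin", "value": "yes"},
            "Type": "application_configuration:ssh.PermitRootLogin",
        }],
    },
}


def fetch_report(image, attempts=6, timeout=120, backoff=30):
    """GET /scan?image=<image>, re-issuing the request after a timeout.

    The post says a timed-out request can simply be repeated and the service
    resumes the download/scan, so retrying is cheap. The attempt count,
    timeout and back-off are assumptions, not documented values.
    """
    url = SCAN_URL + "?" + urllib.parse.urlencode({"image": image})
    for attempt in range(1, attempts + 1):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return json.load(resp)
        except (urllib.error.URLError, socket.timeout, TimeoutError):
            if attempt == attempts:
                raise
            time.sleep(backoff)


def findings(report):
    """Collect non-exempt package vulnerabilities and configuration issues
    as human-readable lines. Exempt CVEs/notices/issues are skipped."""
    results = report.get("Results", {})
    vulns = []
    for cve in results.get("Vulnerabilities", []):
        if cve.get("CVE_Exempt"):
            continue
        for notice in cve.get("Security_Notices", []):
            if notice.get("Notice_Exempt"):
                continue
            for pkg in notice.get("Vulnerable_Packages", []):
                vulns.append("%s (%s): %s %s, fix in %s" % (
                    cve.get("CVE_ID"), notice.get("Notice_ID"),
                    pkg.get("Package_Name"), pkg.get("Installed_Version"),
                    pkg.get("Fix_Version") or "no fixed version listed"))
    config = []
    for issue in results.get("Configuration_Issues", []):
        if issue.get("Exempt"):
            continue
        meta = issue.get("Meta", {})
        config.append("%s: %s (%s=%s)" % (
            issue.get("Type"), issue.get("Description"),
            meta.get("keypath"), meta.get("value")))
    return vulns, config


def gate(report, fail_on_config=True):
    """Return (ok, messages). ok is False if the scan has not completed or
    any non-exempt finding remains. Note that "Status": "OK" in the sample
    appears alongside real findings, so it only means the scan finished;
    the decision is made on the finding lists, never on Status alone."""
    completed = str(report.get("Progress", "")).startswith("Scan completed")  # assumption
    if "Results" not in report or not completed:
        return False, ["scan did not complete: %r" % report.get("Progress")]
    vulns, config = findings(report)
    messages = ["VULN " + v for v in vulns]
    if fail_on_config:
        messages += ["CONFIG " + c for c in config]
    return not messages, messages


if __name__ == "__main__":
    # Usage: python scan_gate.py [image]; without an image the embedded sample is used.
    image = sys.argv[1] if len(sys.argv) > 1 else None
    ok, messages = gate(fetch_report(image) if image else SAMPLE_REPORT)
    for line in messages:
        print(line)
    sys.exit(0 if ok else 1)
```

Run against the embedded sample, the gate exits non-zero with one VULN line (the outdated apt) and one CONFIG line (PermitRootLogin yes); pass fail_on_config=False if your pipeline only wants to block on package CVEs and report configuration issues as warnings.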

Behind the scenes, this service uses exactly the same IBM Cloud Vulnerability Advisor engine that’s available from the IBM private registry. So while the web interface and API are both in an alpha state, the scanning logic they use is fully GA. The service should be reliable to use, but since it is currently an alpha it is offered strictly on an “as-is”, no-warranty basis.

So, feel free to test it out and let us know what you think, or if you have any issues. You can reach us on the #ibm-cloud slack channel on the Kubernetes Slack workspace.
