Containers are slowly becoming the standardized units of deployment. As containers become more popular, they also become the focus targets for attacking the system via vulnerabilities present in the packages within the image. There are quite a few container vulnerability scanning solutions (example: Clair, Twistlock, Aqua) – however most of them are either commercial or require an elaborate setup, which makes it difficult for individual developers to involve them as part of the container build process.
I found recently that Aqua has introduced a free-to-use tool called Aqua MicroScanner for scanning container images for package vulnerabilities. What makes this even more attractive and easy-to-use is that it doesn’t need any elaborate or predefined server setups – and all that is needed to use this is:
- Get a token from Aqua
- Add the scanner and run it as part of the container build process
If the image contains any packages with vulnerabilities, Aqua will present a summary of the vulnerabilities, the average CVE score as well as a list of the found vulnerabilities.
To get started with Aqua MicroScanner, register for a token
$ docker run --rm -it aquasec/microscanner --register <email address>
With the token available, add it as part of your build process. For example, if we were to check and scan an image based on nginx, the Dockerfile would look like below
RUN apk add --no-cache ca-certificates && update-ca-certificates
ADD https://get.aquasec.com/microscanner .
RUN chmod +x microscanner
RUN ./microscanner <token>
When we build the container with
$ docker build .
The scanner will be executed and will scan the Docker image. The vulnerability found will be displayed as below
"description": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause
a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"nvd_score_version": "CVSS v2",
"vendor_score_version": "CVSS v2",
The summary would be like so:
Aqua will stop the build if it finds any vulnerabilities of severity “High” – however, we can pass
--continue-on-failure flag to ignore the High severity issues and continue the build.
I think this tool is really good, especially for small developers – with just few lines of Dockerfile instructions, the developer is able add vulnerability scanning of the images – and combined with CI like that of Gitlab CI/CD Pipelines, it’s a good way of building vulnerability-free container images.
PS: I will be speaking about Container Security at Cloud Native Meetup: Containers & Serverless Deepdive. Do join if interested!