Adding Container Image Scanning to Your Codefresh Pipelines with Anchore
0 likes330 views
>>Read the blog post & watch the webinar here: https://codefresh.io/security-testing/adding-anchore-container-image-scanning-to-codefresh-pipeline/ In a few short years, containers have drastically changed the IT landscape and have helped drive a DevOps revolution. While containers bring a number of advantages, they also present a number of security challenges. These include the lack of support for containers by traditional IT tools and the lack of container experience in operations and security personnel. With container images becoming an ever more regular part of the development lifecycle, security should be woven into an automated pipeline with standardized best practices for testing. In this webinar, we will discuss how you can integrate tools like the open-source Anchore Engine into your Codefresh pipeline to automate image scanning and policy management & achieve a better security and compliance stance when building containers.
![{
“id”: “48e6f7d6-1765-11e8-b5f9-8b6f228548b6”,
“name”: “Example Policy”,
“rules”: [
{
“action”: “STOP”,
“gate”: “dockerfile”,
“id”:“ce7b8000-829b-4c27-8122-69cd59018400”,
“params”: [
{
“name”: “ports”,
“value”: “22”
}
]
}
]
Example
Policy](https://image.slidesharecdn.com/anchore-codefreshwebinar-181221202607/85/Adding-Container-Image-Scanning-to-Your-Codefresh-Pipelines-with-Anchore-8-320.jpg)
Ad
More Related Content
What's hot (20)
Similar to Adding Container Image Scanning to Your Codefresh Pipelines with Anchore (20)
Ad
More from Codefresh (20)
Ad
Recently uploaded (20)
Adding Container Image Scanning to Your Codefresh Pipelines with Anchore
- 1. Adding Container Image Scanning to your Codefresh Pipelines with JEREMY VALANCE
- 3. Agenda ● Introduction ● Container Security Models ● Scanning with Anchore in a CodeFresh Pipeline ● Live Demo ● Q&A
- 4. What should a container security model look like? Container Security ● Should involve securing all pieces of the container lifecycle (image, registry, container runtime, and host). ● Mandatory image scanning step in CI/CD process. ● “Shift left” to catch vulnerabilities early in the development lifecycle. ● Methods and tooling for notifications and remediation are available when vulnerabilities are found within a container image.
- 5. Why do we need to scan images?Container Security ● Container images greatly increase speed of development and release. ● Images are static archive files that include all components to run a given app or service. ● Libraries and components within the image may contain vulnerabilities. ● If not scanned, images with vulnerable packages can make their way into production environments. ● Developers may accidentally leave secrets or credentials within images. ● Image metadata and Dockerfiles may contain sensitive configurations like unused exposed ports or running as a root user.
- 6. What does container image scanning do?Container Security ● Anchore analysis tools will inspect container images and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files and language modules and artifacts. ● Policies rules can be created to govern security vulnerabilities,, configuration file contents, secrets, manifest changes, exposed ports or any user defined checks. ● Image scanning is focused on gaining a deep understanding of the contents of the images, and does not scan proprietary source code.
- 7. How do Anchore policies work?Anchore Policies ● Anchore first analyzes the container image, then conducts a policy evaluation on it. ● Anchore policies are made up of a set of user-defined rules such as: ○ Security vulnerabilities ○ Image manifest changes ○ Configuration file contents ○ Presence of credentials in an image ○ Exposed ports ○ Package whitelists and blacklists ● Policies can be created through API, CLI, or Enterprise UI. ● Policies can be enforced through CI/CD, API or CLI.
- 8. { “id”: “48e6f7d6-1765-11e8-b5f9-8b6f228548b6”, “name”: “Example Policy”, “rules”: [ { “action”: “STOP”, “gate”: “dockerfile”, “id”:“ce7b8000-829b-4c27-8122-69cd59018400”, “params”: [ { “name”: “ports”, “value”: “22” } ] } ] Example Policy
- 9. Scanning with Anchore in a Codefresh pipeline Anchore & Codefresh ● All configuration detailed within codefresh.yml file. ● First step builds image from Dockerfile and pushes to Codefresh registry automatically. ● Second step scans image with Anchore and evaluates the policy rules against the analyzed data. ● Final step (depending on the result of step two), will push the image to Dockerhub.
- 10. How do I use it?Anchore ● Anchore Engine Open Source: https://github.com/anchore/anchore-engine ● Anchore Enterprise: https://anchore.com/enterprise ● Github examples: ○ Image Fail: https://github.com/valancej/node_critical_fail ○ Image Pass: https://github.com/valancej/node_critical_pass
- 11. INTEGRATION See our blog post complete with codefresh yaml at: Codefresh.io/blog https://codefresh.io/blog
- 12. Summary ● Container images should be scanned as a step in CI/CD process. ● Policies should be created and enforced at the CI/CD layer to increase confidence in deployments.
- 13. Schedule a 1:1 with our DevOps Experts -and- Sign up for FREE! 120 builds/month Q ? Codefresh.ioAnchore.com Get the open source at anchore.com/opensource
- 14. See our upcoming Codefresh Live events at: codefresh.io/events T Y