Tech With Htunn
  • Blog Content
  • DevSecOps
    • understanding devsecops
    • shift left in devsecops
    • what is the different between SAST and DAST in devsecops?
    • what is software composition analysis (SCA)?
    • what is Software Bill of Materials (SBOM)?
    • dependency scanning in devsecops
    • what is continuous integration in devops?
    • what is continuous delivery and deployment in devops?
    • understanding containerization
    • container scanning in devsecops
  • Data Engineering
    • what is data engineering?
    • Medallion Architecture in Data Engineering
    • understanding DataOps?
    • Difference between ETL and ELT pipeline in Data Engineering
  • IAM
    • what is Identity and Access Management?
    • understanding microsoft graph api
    • what is SCIM in IAM?
    • Different between sp and idp initiated flow in saml?
    • what is the difference between OAuth-2.0 and OIDC?
    • Understanding PKCE in OAuth-2.0?
    • what is SCIM Streaming?
    • what is the meaning of Identity broker?
  • Cloud Architect
    • what is cloud archiect?
    • Understanding even-driven architecture?
    • what is cloud native architecture?
    • what is cloud native application?
    • Understanding web application firewall?
  • SRE
    • what is SRE?
    • Meaning of toil in SRE?
    • what is error budget in SRE?
    • Difference between SLA, SLO and SLI in SRE
    • Understanding MTTR in SRE?
Powered by GitBook
On this page
  1. DevSecOps

container scanning in devsecops

Container scanning in DevSecOps is a security practice that involves analyzing container images for known vulnerabilities. This is crucial because container images often include various software components and dependencies that might have security flaws. By scanning these images, you can identify and mitigate vulnerabilities before deploying containers to production environments.

How Container Scanning Works

  1. Image Analysis: The scanning tool inspects the container image layers to identify the software components and their versions.

  2. Vulnerability Matching: It then compares these components against a database of known vulnerabilities, such as the National Vulnerability Database (NVD).

  3. Reporting: The tool generates a report detailing any vulnerabilities found, including their severity and potential impact.

  4. Remediation: Developers can then update or replace vulnerable components to mitigate the risks.

Example Using Docker and GitLab

GitLab provides built-in support for container scanning as part of its DevSecOps offerings. Here’s how you can set it up and use it:

Setting Up Container Scanning in GitLab

  1. Create a New Project:

    • Sign in to your GitLab account.

    • Create a new project by clicking “New project” on your project list.

    • Select a template that matches your project’s language and package manager.

  2. Add a Dockerfile:

    • Create a Dockerfile for your application. Here’s a simple example for a Node.js application:

      FROM node:18

WORKDIR /usr/src/app

COPY package*.json ./
RUN npm install

COPY . .

EXPOSE 3000
CMD ["node", "app.js"]

  3. Configure the .gitlab-ci.yml File:

    • Add the following lines to your .gitlab-ci.yml file to include the container scanning job:

      stages:
  - build
  - test
  - scan

variables:
  DOCKER_DRIVER: overlay2

build:
  stage: build
  script:
    - docker build -t my-node-app .

test:
  stage: test
  script:
    - docker run --rm my-node-app npm test

container_scanning:
  stage: scan
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker pull my-node-app
    - docker scan my-node-app
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

  4. Run the Pipeline:

    • Commit the changes and push them to your repository.

    • GitLab will automatically run the pipeline, including the container scanning job.

  5. Review the Results:

    • After the pipeline completes, you can review the results in the Merge Request (MR) security report area or the Security tab in the pipeline.

    • The report will list any vulnerabilities found, along with their severity and suggested remediation steps.

Example Scenario

Imagine you have a Node.js project with a simple Express server. Your Dockerfile might look like this:

FROM node:18

WORKDIR /usr/src/app

COPY package*.json ./
RUN npm install

COPY . .

EXPOSE 3000
CMD ["node", "app.js"]

In your .gitlab-ci.yml file, you include a container scanning job:

stages:
  - build
  - test
  - scan

variables:
  DOCKER_DRIVER: overlay2

build:
  stage: build
  script:
    - docker build -t my-node-app .

test:
  stage: test
  script:
    - docker run --rm my-node-app npm test

container_scanning:
  stage: scan
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker pull my-node-app
    - docker scan my-node-app
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

This setup ensures that your container image is built, tested, and scanned for vulnerabilities automatically.

Benefits of Container Scanning

  • Early Detection: Identifies vulnerabilities early in the development process, reducing the risk of deploying insecure containers.

  • Automated Security: Integrates seamlessly into the CI/CD pipeline, ensuring continuous security checks.

  • Compliance: Helps meet regulatory and compliance requirements by maintaining a secure container image.

By incorporating container scanning into your DevSecOps practices, you can significantly enhance the security posture of your applications and reduce the risk of security breaches

Previousunderstanding containerizationNextwhat is data engineering?

Last updated 4 months ago