Multi-dimensional assurance of container image security

The importance of container security

As enterprise cloud adoption keeps rising, more and more enterprises run container architectures in production. According to the survey CNCF released in 2020, the share of enterprises using containers in production rose from 84% in the previous year to 92%. Gartner predicts that by 2025, 95% of enterprises will run on cloud-native platforms. According to iResearch's "China Container Cloud Market Research Report", 84.7% of Chinese enterprises (43.9% already using and 40.8% planning to) had adopted or were planning to adopt containers in 2020. Likewise, security built into software development is becoming an important indicator of an enterprise's DevOps maturity: among teams that have practised DevOps, 48% [4] value the security capability most.

However, the agile elasticity, high-density deployment and open reuse of container applications mean that, alongside the benefits of cloud-native technology, users also face significant security concerns. In 2019, Tripwire surveyed 311 IT security professionals and found that 60% of organisations had experienced a container security incident [5]. From intrusions into Kubernetes clusters to the repeated discovery of Docker Hub images containing vulnerabilities and malicious programs, more and more enterprises are paying attention to container security best practices.

Alibaba Cloud Container Registry Enterprise Edition

Alibaba Cloud Container Registry Enterprise Edition (ACR EE) is an enterprise-grade management platform for cloud-native application artifacts that provides secure hosting and efficient distribution for OCI artifacts such as container images and Helm charts. In DevSecOps scenarios, enterprise customers can use the ACR cloud-native application delivery chain to deliver cloud-native applications efficiently and securely, accelerating innovation. In global multi-region collaboration, business deployment and GoChina scenarios, enterprise customers can use the global synchronisation capability together with a globally unified domain name to pull images from the nearest region, improving distribution and operational efficiency. In large-scale distribution and large-image AI training and inference scenarios, enterprises can use ACR's P2P distribution or on-demand image loading to further speed up deployment iterations. View details: https://www.aliyun.com/product/acr

What is the enhanced scanning engine?

The enhanced scanning engine is provided through a deep collaboration between ACR EE and Alibaba Cloud Security Center. Compared with the currently popular open-source scanning engines (such as Clair), it provides more accurate vulnerability screening: every vulnerability is vetted by a professional security operations team to confirm it is valid, which significantly reduces false positives. ACR EE also provides batch scanning and automatic scanning, with scan scopes of different granularity (namespace and repository), so that automated, large-scale scanning can be set up for different scenarios. In addition, ACR EE provides event notifications and supports integration with customers' existing DevOps processes.

The current scanning engine supports the following risk categories:

• System vulnerabilities: identifies vulnerabilities in common mainstream operating systems and supports one-click repair. Examples: Linux kernel vulnerabilities, insecure system software packages, insecure Java SDKs.

• Application vulnerabilities: scans container images for vulnerabilities in related middleware, detecting weak passwords on system services, system service vulnerabilities and application service vulnerabilities. Examples: fastjson remote code execution, Apache Log4j2 remote code execution, Spring Framework remote code execution, Apache Hadoop information disclosure, Apache Tomcat information disclosure.

• Baseline check: checks container assets against security baselines covering weak passwords, account permissions, identity authentication, password policy, access control, security auditing and intrusion-prevention configuration for operating systems and services (databases, server software, containers, etc.), and returns findings with hardening recommendations for risky configurations. Examples: AccessKey leakage, unauthenticated access, insecure service configuration.

• Malicious samples: detects malicious samples in container images, shows the security threats present in your assets and locates each sample so that you can remove it, significantly reducing the risk of running the image. Examples: web shell files, self-mutating trojans, backdoor programs.

How to enable the enhanced scanning engine

1. On the Enterprise Edition instance management page, choose Security and Trust > Image Scan, and click the switch in the upper-right corner to change the scanning engine to the Cloud Security scanning engine, as shown in the figure.

2. Create scanning rules on the Image Scan page; automatic scanning currently supports namespace-level and repository-level rules. You can also trigger a scan manually to identify the full set of risks in the existing images within a rule's scope. We recommend configuring scan event notifications so that results are pushed via DingTalk, HTTP or HTTPS once an image scan completes.

3. After creating the scanning rule, click Scan Now to view the status of the scanning task and the final risk status.

4. Click View Details to review the security risks of the container image across the four dimensions: system vulnerabilities, application vulnerabilities, baseline checks and malicious samples. As shown in the figure, recent high-risk vulnerabilities contained in the image, such as the Spring vulnerability, have been analysed and identified.

5. The DingTalk bot configured earlier also receives the corresponding notification and alert (notification via HTTP/HTTPS and other methods is supported as well).

The cloud-native application delivery chain helps enterprises achieve DevSecOps

ACR EE not only supports in-depth risk identification and repair for container images, but also provides a cloud-native application delivery chain with flexible security policies that make artifact delivery and rollout safer and more efficient. Each stage of the delivery chain can also be integrated into your CI/CD processes (for example Jenkins Pipeline or GitLab Runner).

1. Upgrade the Enterprise Edition instance to the Advanced specification. On the instance overview page, choose Cloud-Native Delivery Chain > Delivery Chain, then click Create Delivery Chain. At the security scanning node, configure the chain to block subsequent delivery of the container image when a high-risk vulnerability is found, and optionally delete the original risky image or back it up.

2. Push a container image that contains high-risk findings to a repository within the delivery chain's scope. The push automatically triggers a security scan, and the security policy blocks deployment of the risky image.

3. If the image has system vulnerabilities, one-click repair can be performed after the delivery chain is blocked.

Delivery chain blocked

Check all risk items and click One-Click Repair.

Wait for the image repair to complete. By default, a new image is built whose tag ends in _fix, and the delivery chain is triggered again.

After the repaired image is scanned, the previous vulnerabilities are gone and the delivery chain executes successfully. The risk status of the original image and the repaired image can also be compared on the image version page.
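The blocking policy used at the delivery chain's security scanning node above, applied to the four risk categories listed under the scanning engine, can be expressed as a small gate that a CI job (Jenkins, GitLab Runner) runs on a scan result before deploying. The following Python is an added example written for this page; it is not ACR EE's code or API. The JSON report layout, the function names and every finding in it are constructed stand-ins (the one CVE identifier is the public one for the Spring Framework RCE the page names), so a real integration would first map the scanner's actual payload onto this shape. It also walks through the rebuild loop from the steps above: the report for the repaired image passes the same gate that blocked the original.

```python
"""Scan-result gate: block delivery when an image carries high-risk findings.

Added example (not ACR EE code). The report layout and all findings below are
constructed; a real scanner's payload will differ and must be mapped onto it.
"""
import json
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# The four risk dimensions the enhanced scanning engine reports on.
DIMENSIONS = (
    "system_vulnerabilities",
    "application_vulnerabilities",
    "baseline_checks",
    "malicious_samples",
)


@dataclass(frozen=True)
class Finding:
    dimension: str
    identifier: str        # CVE id, baseline rule, or path of a malicious file
    severity: Severity
    fixable: bool = False  # True when a package-level (one-click) fix exists


@dataclass
class GateDecision:
    blocked: bool = False
    reasons: list = field(default_factory=list)
    fixable: int = 0       # blocking findings that a rebuild could remove


def parse_report(raw: str) -> list:
    """Turn the constructed JSON report into Finding objects.

    An unknown severity raises KeyError on purpose: a gate that fails open on
    malformed input is worse than one that fails the build.
    """
    doc = json.loads(raw)
    findings = []
    for dim in DIMENSIONS:
        for item in doc.get(dim, []):
            findings.append(Finding(
                dimension=dim,
                identifier=item["id"],
                severity=Severity[item["severity"].upper()],
                fixable=bool(item.get("fixable", False)),
            ))
    return findings


def evaluate(findings, threshold=Severity.HIGH,
             always_block=("malicious_samples",)) -> GateDecision:
    """Block on any finding at or above `threshold`, and on any finding in a
    dimension listed in `always_block` regardless of severity: a web shell is
    evidence of compromise, not a CVE to be weighed by score."""
    decision = GateDecision()
    for f in findings:
        if f.dimension in always_block or f.severity >= threshold:
            decision.reasons.append(f"{f.dimension}: {f.identifier} ({f.severity.name})")
            decision.fixable += int(f.fixable)
    decision.blocked = bool(decision.reasons)
    return decision


def gate(raw: str) -> int:
    """CI wrapper: 0 lets the pipeline continue, 1 blocks the deployment."""
    decision = evaluate(parse_report(raw))
    for reason in decision.reasons:
        print("BLOCK:", reason)
    if decision.blocked and decision.fixable:
        print(f"{decision.fixable} blocking finding(s) have a fix: rebuild, "
              "push the repaired tag and let the scan run again")
    return 1 if decision.blocked else 0


# Constructed reports: the image as first pushed, and the rebuilt image.
REPORT_ORIGINAL = json.dumps({
    "system_vulnerabilities": [
        {"id": "outdated openssl package", "severity": "high", "fixable": True},
    ],
    "application_vulnerabilities": [
        {"id": "CVE-2022-22965 Spring Framework RCE", "severity": "critical"},
    ],
    "baseline_checks": [
        {"id": "sshd PermitRootLogin yes", "severity": "medium"},
    ],
    "malicious_samples": [
        {"id": "/var/www/html/upload/shell.jsp web shell", "severity": "low"},
    ],
})
REPORT_FIXED = json.dumps({
    "baseline_checks": [
        {"id": "sshd PermitRootLogin yes", "severity": "medium"},
    ],
})

if __name__ == "__main__":
    print("original image -> exit", gate(REPORT_ORIGINAL))
    print("repaired image -> exit", gate(REPORT_FIXED))
```

Two design points carry over to any real integration: malicious samples block regardless of their severity label, because a web shell in an image is a compromise rather than a risk to be scored, and a medium baseline finding (here, root SSH login) is reported but does not block, matching the page's policy of blocking only on high-risk results.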
