External Service: Container Vulnerability Scanning #203

Open
guacamole opened this issue Oct 21, 2022 · 0 comments
Labels: enhancement (New feature or request), P1 (used for what we see as highest priority: critical bugs, security issues, etc.)

@guacamole (Member)
A container vulnerability scanning service would really complement OpenRegistry. It really helps to have such a service and an option to toggle it on/off. This service can use an existing tool; any one of the following would do:

Grype

Pros - Grype is amazing. It's actively maintained by a security-focused company. Default output looks clean as well, plus in the comparison, Grype listed out more vulnerabilities.

Cons - Doesn't have an HTTP Server/Client model as of now, and they don't wish to support it, just to keep the project simple and tight-knit.

The upside is, extending this would be dead simple and adding HTTP support for it would only take medium effort (probably 5-7 days of full-time work).

➜  grype node:16-alpine
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [230 packages]
 ✔ Scanned image           [4 vulnerabilities]

NAME    INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
opener  1.5.2                npm   CVE-2021-27478  High
opener  1.5.2                npm   CVE-2021-27482  High
opener  1.5.2                npm   CVE-2021-27498  High
opener  1.5.2                npm   CVE-2021-27500  High

Trivy by AquaSecurity

Pros - Trivy is basically the best tool out there for our use case. It's maintained by arguably the best security company in the container and cloud native space, offers more than container vulnerability scanning like FS, Container Images, AWS, k8s, etc plus has a plugin system to extend the base functionality.
Another very big feature is that they already have an HTTP Server/Client model.

Cons - Didn't detect some vulnerabilities? Grype detected a few, as seen above, but in the case of Trivy, it showed the following for the same container image:

➜  trivy --server http://localhost:8080 image node:16-alpine
2022-10-21T02:19:23.231+0530    INFO    Vulnerability scanning is enabled
2022-10-21T02:19:23.231+0530    INFO    Secret scanning is enabled
2022-10-21T02:19:23.231+0530    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-21T02:19:23.231+0530    INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection

node:16-alpine (alpine 3.16.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
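The comparison above was done by eye against two different text formats. Since the proposed service is meant to sit behind a toggle and wrap whichever scanner is chosen, the natural first step is to normalise both tools' machine-readable output into one finding type and diff them, so a discrepancy like the one shown (Grype: 4 findings, Trivy: 0) is caught automatically. The following is an added example, not code from OpenRegistry, Grype or Trivy. It assumes the JSON layouts of `trivy --format json` (`Results[].Vulnerabilities[]`) and `grype -o json` (`matches[].vulnerability` / `matches[].artifact`), and the two sample reports embedded in it are constructed to mirror the scan results quoted in this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is a scanner-neutral record; the scanning service can store these
// regardless of which backend (Grype or Trivy) produced them.
type Finding struct {
	ID       string // vulnerability identifier, e.g. CVE-2021-27478
	Package  string
	Version  string
	FixedIn  string // empty when no fixed version is known
	Severity string // normalised to upper case: LOW, MEDIUM, HIGH, CRITICAL, UNKNOWN
}

// trivyReport covers the part of Trivy's `--format json` output used here
// (Results[].Vulnerabilities[]). Field names are an assumption about that schema.
type trivyReport struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
			Severity         string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// grypeReport covers the part of Grype's `-o json` output used here
// (matches[].vulnerability and matches[].artifact). Also assumed from its schema.
type grypeReport struct {
	Matches []struct {
		Vulnerability struct {
			ID       string   `json:"id"`
			Severity string   `json:"severity"`
			Fix      struct { Versions []string `json:"versions"` } `json:"fix"`
		} `json:"vulnerability"`
		Artifact struct {
			Name    string `json:"name"`
			Version string `json:"version"`
		} `json:"artifact"`
	} `json:"matches"`
}

// Constructed sample reports mirroring the issue: Trivy reported Total: 0 for
// node:16-alpine, Grype reported four High findings in opener 1.5.2.
const SampleTrivy = `{"Results":[{"Target":"node:16-alpine (alpine 3.16.2)","Vulnerabilities":null}]}`

const SampleGrype = `{"matches":[
 {"vulnerability":{"id":"CVE-2021-27478","severity":"High","fix":{"versions":[]}},"artifact":{"name":"opener","version":"1.5.2"}},
 {"vulnerability":{"id":"CVE-2021-27482","severity":"High","fix":{"versions":[]}},"artifact":{"name":"opener","version":"1.5.2"}},
 {"vulnerability":{"id":"CVE-2021-27498","severity":"High","fix":{"versions":[]}},"artifact":{"name":"opener","version":"1.5.2"}},
 {"vulnerability":{"id":"CVE-2021-27500","severity":"High","fix":{"versions":[]}},"artifact":{"name":"opener","version":"1.5.2"}}]}`

// ParseTrivy flattens every scanned target into one list of findings.
// A missing or null Vulnerabilities array (Trivy's "Total: 0") yields no findings.
func ParseTrivy(data []byte) ([]Finding, error) {
	var r trivyReport
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("trivy json: %w", err)
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			out = append(out, Finding{ID: v.VulnerabilityID, Package: v.PkgName, Version: v.InstalledVersion,
				FixedIn: v.FixedVersion, Severity: strings.ToUpper(v.Severity)})
		}
	}
	return out, nil
}

// ParseGrype maps Grype matches onto the same Finding shape. Grype writes severity
// in title case ("High") and fixes as a list, so both are normalised here.
func ParseGrype(data []byte) ([]Finding, error) {
	var r grypeReport
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("grype json: %w", err)
	}
	var out []Finding
	for _, m := range r.Matches {
		out = append(out, Finding{ID: m.Vulnerability.ID, Package: m.Artifact.Name, Version: m.Artifact.Version,
			FixedIn: strings.Join(m.Vulnerability.Fix.Versions, ", "), Severity: strings.ToUpper(m.Vulnerability.Severity)})
	}
	return out, nil
}

// OnlyIn returns the distinct IDs reported by a but absent from b, sorted: the
// question raised in the issue (what did one backend see that the other missed?).
func OnlyIn(a, b []Finding) []string {
	seen := make(map[string]bool, len(b))
	for _, f := range b {
		seen[f.ID] = true
	}
	uniq := map[string]bool{}
	var ids []string
	for _, f := range a {
		if !seen[f.ID] && !uniq[f.ID] {
			uniq[f.ID] = true
			ids = append(ids, f.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	g, _ := ParseGrype([]byte(SampleGrype))
	t, _ := ParseTrivy([]byte(SampleTrivy))
	fmt.Println("reported by Grype but not Trivy:", OnlyIn(g, t))
	fmt.Println("reported by Trivy but not Grype:", OnlyIn(t, g))
}
```

The point of keeping `Finding` backend-neutral is that the on/off toggle and the storage layer never see scanner-specific JSON; swapping Grype for Trivy (or running both and alerting on `OnlyIn` being non-empty, as happened here) becomes a change to one parser rather than to the registry.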
Project status: In Progress
No branches or pull requests
2 participants