Container Images: The Next Software Supply Chain Concern?
Containers not only provide a mechanism for packaging code in deployable and manageable units; they are also a downloadable resource that speeds up infrastructure and application configuration, letting teams rapidly create development environments and deploy code to test and production. Several container registries are available; Docker Hub is one of the most prominent and widely used. Docker Hub provides official container images that are reviewed and published by the Docker Library Project. Independent software vendors (ISVs) can also use the Docker Verified Publisher Program, and code signing is available to validate container image publishers.
The recent 2022 Sysdig Cloud-Native Threat Report explored the threat of malicious code hiding inside preconfigured and shared container images. The Sysdig Threat Research Team (TRT) performed an automated analysis of over 250,000 Linux container images available in Docker Hub. The report found 1,777 images that were identified as malicious. The malicious image issues included embedded secrets, proxy avoidance and malicious websites, with cryptomining as the most frequently found issue. SSH and API keys, which can be used by hackers to gain unauthorized access, were also present in images.
Is malicious code in container images something new? No; we’ve seen very similar situations going back to the early days of virtual disk images (VMDKs), which are still in use today. We’ve had over a decade of experience scanning and validating virtual machine images, and most of that experience applies to making sure we don’t use container images with malicious content. But there are differences in today’s DevOps-driven, cloud-native world.
We must recognize that software at every layer of the application and infrastructure stack changes frequently, through new code and updates to existing software, from both third-party sources and our own software teams. The velocity of change keeps increasing, which reduces the value of point-in-time vulnerability and malware scanning. A DevOps, cloud-native approach therefore requires that security checks, including checks of container images, be automated as part of the DevOps workflow pipeline, on the understanding that change arrives continuously through the creation, testing and deployment of microservices and containerized pieces of code. Automation within the pipeline is essential to delivering secure applications, infrastructure and infrastructure-as-code (IaC).
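As an added example (not code from the article or from the Sysdig report) of the kind of automated pipeline check described above, the following scanner walks every layer of a `docker save`-style image tarball and flags files containing embedded secrets such as private keys or cloud access-key IDs, the categories the report found in published images. The rule patterns, the manifest layout and the two-layer sample image are constructed for this example; a real pipeline would plug in a fuller rule set.

```python
import io
import json
import re
import tarfile

# Content rules run over every regular file in every layer; the patterns are
# illustrative (an assumption of this example), not a complete secret catalogue.
RULES = {
    "private-key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}
MAX_FILE_BYTES = 1 << 20  # skip large blobs; leaked keys live in small config files

def scan_image_tar(image_bytes):
    """Scan a `docker save`-style tarball (manifest.json plus one tar per layer).
    Returns (layer, path, rule) findings. Every layer is inspected, so a secret
    deleted in a later layer is still reported: its bytes remain in the image."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in (l for entry in manifest for l in entry["Layers"]):
            blob = io.BytesIO(image.extractfile(layer_name).read())
            with tarfile.open(fileobj=blob) as layer:
                for member in layer.getmembers():
                    if not member.isfile() or member.size > MAX_FILE_BYTES:
                        continue
                    data = layer.extractfile(member).read()
                    for rule, pattern in RULES.items():
                        if pattern.search(data):
                            findings.append((layer_name, member.name, rule))
    return findings

def tar_bytes(files):
    """Build an in-memory tar from {path: bytes}; used for constructed sample data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed two-layer image: layer 1 bakes in secrets, layer 2 'deletes' one."""
    layer1 = tar_bytes({
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE\n",
        "app/config.env": b"AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"})
    layer2 = tar_bytes({"root/.ssh/.wh.id_rsa": b""})  # overlay whiteout marker only
    manifest = json.dumps([{"Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return tar_bytes({"manifest.json": manifest,
                      "l1/layer.tar": layer1, "l2/layer.tar": layer2})
```

Running `scan_image_tar(build_sample_image())` reports both secrets from the first layer even though the second layer whites out the key file, which is why scanners must look at every layer rather than only the merged filesystem.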
If you’d like to hear more about container image security, check out Techstrong Research Review, Episode 2.