Unlocking the Full Potential of Container Vulnerability Scans
While many security best practices can be integrated into container development processes, such as using minimal base images and signing container images, container vulnerability scanning remains one of the simplest ways to help protect applications running on Kubernetes. Because container images are built in layers on top of base images, an application image inherits every operating-system package, and every vulnerability, that its base images carry, so it is crucial for developers to proactively identify and address container security vulnerabilities before deployment.
A recent GitLab study found that only 26% of the respondents said their organizations are currently using container scanning to enable security in the software development lifecycle. Additionally, 58% of security respondents expressed they have a difficult time getting development to prioritize the remediation of vulnerabilities. More than half the security respondents said security vulnerabilities are mostly discovered by the security team after code is merged into a test environment.
Organizations can enhance their application security posture by making container vulnerability scanning a standard practice for teams building applications hosted on Kubernetes. Container vulnerability scans make it easier for development teams to proactively identify, understand and address the security vulnerabilities in their application container images before deployment, and again while those images are running on Kubernetes when new vulnerabilities are disclosed later.
Scanning During Code Reviews
Container vulnerability scanning is commonly run as part of the code review for a change that introduces a new feature or fixes a bug. Traditionally, it runs in a continuous integration (CI) pipeline that builds the application image, scans it and reports the vulnerabilities as a job artifact or in the job log. Running a scan for each change pushed during code review shows which vulnerabilities the resulting image carries and lets developers understand, prioritize and address them before the change is merged.
While integrating container vulnerability scans into the CI process is essential for identifying and addressing container security risks before deployment, it is not sufficient to catch all container vulnerabilities. If scans only run as part of code review CI, they only run when someone opens or updates a change; a project that sees no changes for weeks is never rescanned, so vulnerabilities disclosed in the meantime against an already-built image go unnoticed. Additionally, only running container vulnerability scans during code reviews makes it difficult to determine where vulnerable containers are actively running in Kubernetes environments.
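As an added example (not code from the original article or from Trivy), the following script shows the gating step a CI job can run after the scan: it reads a Trivy JSON report, blocks the change on findings at or above a severity threshold, and separately reports findings that were waived as accepted risks or because no fixed version exists yet. The trivy command in the docstring, the file name report.json and the sample report with its placeholder CVE IDs are assumptions.

```python
"""CI gate over a Trivy JSON report.

Added example, not code from the original article or from Trivy. It assumes the
job has already produced report.json with a command such as:

    trivy image --format json --output report.json "$IMAGE"

and that the report follows Trivy's JSON layout (Results[].Vulnerabilities[]).
The vulnerability IDs in the constructed sample below are placeholders, not
real advisories.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in Trivy's JSON layout (placeholder CVE IDs).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/team/app:1.4.2",
    "Results": [
        {
            "Target": "registry.example.com/team/app:1.4.2 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
                 "InstalledVersion": "2.3-1", "FixedVersion": "2.4-1", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-lib",
                 "InstalledVersion": "0.1.0", "FixedVersion": "0.1.1", "Severity": "HIGH"},
            ],
        },
        # A target with no findings may omit the Vulnerabilities key or set it to null.
        {"Target": "app/config", "Class": "config"},
    ],
})


def findings(report):
    """Flatten Results[].Vulnerabilities[] into (target, vulnerability) pairs."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def gate(report_json, threshold="HIGH", ignore_unfixed=False, accepted=()):
    """Decide whether a scan report should fail the pipeline.

    Returns (should_fail, blocking, waived). A finding is waived when its ID is
    in the accepted-risk list, or when ignore_unfixed is set and no fixed
    version exists yet; waived findings are still reported so they are not
    forgotten.
    """
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking, waived = [], []
    for target, v in findings(report):
        sev = v.get("Severity", "UNKNOWN").upper()
        if SEVERITY_RANK.get(sev, 0) < min_rank:
            continue
        entry = {
            "id": v["VulnerabilityID"], "severity": sev, "target": target,
            "package": v.get("PkgName"), "installed": v.get("InstalledVersion"),
            "fixed": v.get("FixedVersion") or None,
        }
        if entry["id"] in accepted:
            entry["reason"] = "accepted risk"
            waived.append(entry)
        elif ignore_unfixed and entry["fixed"] is None:
            entry["reason"] = "no fix available"
            waived.append(entry)
        else:
            blocking.append(entry)
    return bool(blocking), blocking, waived


def main(argv):
    """Usage: python gate.py report.json [THRESHOLD] [ACCEPTED_ID ...]"""
    path = argv[1]
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    accepted = set(argv[3:])
    with open(path) as fh:
        should_fail, blocking, waived = gate(fh.read(), threshold, True, accepted)
    for e in blocking:
        print(f"BLOCK {e['severity']:<8} {e['id']} {e['package']} {e['installed']} "
              f"-> {e['fixed'] or 'no fix'} ({e['target']})")
    for e in waived:
        print(f"WAIVE {e['severity']:<8} {e['id']} {e['package']}: {e['reason']}")
    return 1 if should_fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the CI job right after the scan (`python gate.py report.json HIGH CVE-...`); a non-zero exit fails the job. Waiving findings that have no fix yet keeps the pipeline usable while still listing them in the log, and the accepted-risk list is where deliberate exceptions belong, rather than in a lowered threshold.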
Running Regular Container Registry Scans
By establishing a regular cadence for scanning the container images in their registry, teams can identify and address newly discovered vulnerabilities without waiting for the next code change. This removes the dependency on code review CI for container vulnerability scans, so vulnerabilities disclosed after an image was built are still identified quickly, and it provides visibility into the security risks of specific image versions. Most container registries can scan images as they are pushed, and many can rescan stored images as new vulnerability data is published, which helps teams stay vigilant about new threats.
Understanding Where Vulnerabilities are Deployed
Running scans regularly lets engineers respond quickly to new container vulnerabilities, but the remaining challenge is to understand where vulnerable containers are actively running in Kubernetes environments. One option is to scan the containers running on Kubernetes clusters, which shows which workloads need a rebuilt image rolled out.
These scans should make it clear which environments are affected by a particular container vulnerability. Matching running containers to scan results by image digest rather than by tag matters here: a tag such as latest can be moved to a different image after the registry scan ran, whereas the image a pod actually runs is identified by the digest recorded in its pod status. Understanding where vulnerabilities are deployed across a fleet of Kubernetes clusters helps organizations understand active security risks and confirm that vulnerabilities are actually being addressed.
Just as container registries can be scanned, some tools can automate the scanning of actively running containers on a regular cadence. A variety of open-source tools, such as Trivy, can simplify the process of running container vulnerability scans in Kubernetes environments. Trivy is a versatile, open-source security scanner that can conduct container vulnerability scans among other scan targets.
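The digest-based matching between registry scan results and running workloads, as an added example that is not part of the original article and is not Trivy's or Kubernetes' code: given one `kubectl get pods --all-namespaces -o json` dump per cluster and the digests a registry scan flagged, it reports which clusters, namespaces and pods run each flagged image and which workloads need a rebuilt image rolled out. The cluster names, pod names, digests and vulnerability IDs are constructed placeholders.

```python
"""Locate where scanned-vulnerable images are actually running.

Added example, not code from the original article, Trivy or Kubernetes. It
assumes one JSON pod list per cluster, as printed by
`kubectl get pods --all-namespaces -o json`, and a map from image digest to
vulnerability IDs produced by registry or image scans. Clusters, pods and
digests below are constructed and the vulnerability IDs are placeholders.
"""
import json

# Constructed digests; only the shape matters.
APP_OLD = "sha256:" + "a" * 64   # app build the registry scan flagged
APP_NEW = "sha256:" + "b" * 64   # rebuilt app with the fix, pushed under the same tag
SIDECAR = "sha256:" + "c" * 64   # log-shipping sidecar, also flagged

REPO = "registry.example.com/team"


def pod(namespace, name, containers):
    """Build a minimal Pod object with the fields kubectl prints for running containers."""
    return {
        "metadata": {"namespace": namespace, "name": name},
        "spec": {"containers": [{"name": n, "image": ref} for n, ref, _ in containers]},
        "status": {"containerStatuses": [
            {"name": n, "image": ref, "imageID": image_id} for n, ref, image_id in containers
        ]},
    }


# Constructed fleet: prod runs the flagged app build; staging runs the rebuilt
# image under the very same tag, so matching by tag alone would be wrong.
CLUSTERS = {
    "prod-east": json.dumps({"kind": "PodList", "items": [
        pod("payments", "app-7c9d4f-x2kq", [
            ("app", f"{REPO}/app:1.4.2", f"{REPO}/app@{APP_OLD}"),
            # older dockershim nodes report imageID with a docker-pullable:// prefix
            ("log-shipper", f"{REPO}/log-shipper:latest",
             f"docker-pullable://{REPO}/log-shipper@{SIDECAR}"),
        ]),
        pod("payments", "app-7c9d4f-m8tz", [
            ("app", f"{REPO}/app:1.4.2", f"{REPO}/app@{APP_OLD}"),
            ("log-shipper", f"{REPO}/log-shipper:latest",
             f"docker-pullable://{REPO}/log-shipper@{SIDECAR}"),
        ]),
    ]}),
    "staging": json.dumps({"kind": "PodList", "items": [
        pod("payments", "app-5b21a8-q9rn", [("app", f"{REPO}/app:1.4.2", f"{REPO}/app@{APP_NEW}")]),
    ]}),
}

# What the registry scans reported, keyed by manifest digest (placeholder IDs).
VULNERABLE = {APP_OLD: ["CVE-0000-0001"], SIDECAR: ["CVE-0000-0002"]}


def digest_of(image_id):
    """Pull the sha256 digest out of a containerStatuses[].imageID value.

    Pulled images carry repo@sha256:... (possibly behind a runtime prefix). A
    locally built, never-pushed image shows up as docker://sha256:... instead;
    that is an image-config digest and will not match registry scan results,
    so such images should be reported as unscanned rather than assumed clean.
    """
    if "@" in image_id:
        return image_id.rpartition("@")[2]
    idx = image_id.find("sha256:")
    return image_id[idx:] if idx >= 0 else None


def running_images(pod_list_json):
    """Yield (namespace, pod, container, image_ref, digest) for each running container."""
    for item in json.loads(pod_list_json)["items"]:
        md = item["metadata"]
        for cs in item.get("status", {}).get("containerStatuses") or []:
            yield md["namespace"], md["name"], cs["name"], cs["image"], digest_of(cs["imageID"])


def locate(clusters, vulnerable):
    """Map each flagged digest to every workload running it, across clusters."""
    hits = {}
    for cluster, pod_list in clusters.items():
        for ns, pod_name, container, ref, digest in running_images(pod_list):
            if digest in vulnerable:
                hits.setdefault(digest, []).append({
                    "cluster": cluster, "namespace": ns, "pod": pod_name,
                    "container": container, "image": ref, "vulns": vulnerable[digest],
                })
    return hits


def redeploy_list(clusters, vulnerable):
    """Distinct (cluster, namespace, image ref) triples that need a rebuilt image rolled out."""
    return sorted({(h["cluster"], h["namespace"], h["image"])
                   for hits in locate(clusters, vulnerable).values() for h in hits})


if __name__ == "__main__":
    for digest, hits in locate(CLUSTERS, VULNERABLE).items():
        print(digest[:19], ", ".join(VULNERABLE[digest]))
        for h in hits:
            print(f"  {h['cluster']}/{h['namespace']}/{h['pod']} ({h['container']}: {h['image']})")
    print("redeploy:", redeploy_list(CLUSTERS, VULNERABLE))
```

The staging pod runs tag 1.4.2 just like production, but its digest is the rebuilt one, so it is correctly left out; matching on the `image` field alone would have flagged it and hidden the fact that production is the only environment still to fix.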
Scanning Container References in Configuration
To take container security scans a step further, teams can also scan Kubernetes manifests and infrastructure as code (IAC) that contain references to container images. IAC scans show how a container is configured to run on Kubernetes and can flag misconfigurations (for example, containers without CPU or memory limits, containers that run as root, or privileged containers) as well as security weaknesses specific to the Kubernetes configuration. As with container vulnerability scanning, IAC scans can be run during CI with code reviews and against the Kubernetes clusters where the IAC resources are currently deployed.
In addition to Trivy, which also scans IAC files, another open-source tool suited for this purpose is KICS, which detects misconfigurations in Kubernetes manifests, Dockerfiles, Helm charts and other IAC. At GitLab, both Trivy and KICS are used as part of our container vulnerability scanning features and by engineering teams.
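As an added example, not code from the original article, Trivy or KICS, here is a deliberately small version of the checks an IAC scanner runs over the container references and security settings in a Kubernetes manifest, applied to a weak Deployment and its corrected form. The manifests are written as JSON (which kubectl accepts) so the example needs only the standard library; the image names and the digest are constructed.

```python
"""Misconfiguration checks over Kubernetes manifests.

Added example, not code from the original article, Trivy or KICS: a small
illustration of the kind of checks IAC scanners run over the image references
and security settings in a manifest. Manifests are JSON here (valid for
kubectl apply) so only the standard library is needed; the image names and the
digest are constructed.
"""
import json

# Constructed: the weak manifest beside its corrected form.
WEAK_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "app", "namespace": "payments"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "registry.example.com/team/app:latest",
         "ports": [{"containerPort": 8080}]},
        {"name": "debug", "image": "busybox", "command": ["sleep", "infinity"],
         "securityContext": {"privileged": True}},
    ]}}},
})

FIXED_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "app", "namespace": "payments"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "web",
             "image": "registry.example.com/team/app:1.4.2@sha256:" + "b" * 64,
             "ports": [{"containerPort": 8080}],
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                           "requests": {"cpu": "100m", "memory": "128Mi"}},
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}}},
        ]}}},
})


def parse_image(ref):
    """Split an image reference into (repository, tag, digest)."""
    rest, _, digest = ref.partition("@")
    head, _, last = rest.rpartition("/")      # only the last path element can carry a tag,
    repo_last, sep, tag = last.partition(":")  # so a registry port is never mistaken for one
    repository = f"{head}/{repo_last}" if head else repo_last
    return repository, (tag if sep else None), (digest or None)


def pod_spec(manifest):
    """Return the pod spec for a bare Pod or for any workload with a pod template."""
    spec = manifest["spec"]
    return spec["template"]["spec"] if "template" in spec else spec


def image_references(manifest_json):
    """List every image a manifest would pull, so each can be fed to an image scanner."""
    spec = pod_spec(json.loads(manifest_json))
    return [c["image"] for c in spec.get("initContainers", []) + spec.get("containers", [])]


def check_manifest(manifest_json):
    """Return (container, check) pairs for every failed check."""
    spec = pod_spec(json.loads(manifest_json))
    pod_sc = spec.get("securityContext", {})
    failed = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})
        _, tag, digest = parse_image(c["image"])
        checks = {
            # a floating tag means the image the scanner saw may not be the one deployed
            "image-not-pinned": digest is None and tag in (None, "latest"),
            "no-cpu-or-memory-limit": not ("cpu" in limits and "memory" in limits),
            "privileged": sc.get("privileged") is True,
            "allows-privilege-escalation": sc.get("allowPrivilegeEscalation") is not False,
            # container setting overrides the pod-level default
            "may-run-as-root": sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True,
            "writable-root-filesystem": sc.get("readOnlyRootFilesystem") is not True,
        }
        failed.extend((c["name"], name) for name, hit in checks.items() if hit)
    return failed


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DEPLOYMENT), ("fixed", FIXED_DEPLOYMENT)):
        print(label, image_references(doc))
        for container, check in check_manifest(doc):
            print(f"  {container}: {check}")
```

The checks are deliberately "deny unless explicitly safe": a container with no securityContext at all fails the root, privilege-escalation and read-only checks, because Kubernetes defaults are permissive for each of them. The `image_references` output is what ties the two kinds of scan together: it is the list of images the container vulnerability scanner should be pointed at for this manifest.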
Achieving a comprehensive understanding of Kubernetes security is a difficult task, but adding container vulnerability scans at different stages of the development process helps surface vulnerabilities that any single scan would miss. These practices enable development teams to proactively identify and address security vulnerabilities earlier in development, streamline the process of alerting teams to new threats and track progress in reducing known vulnerabilities. By effectively leveraging security scanning tools, organizations can significantly enhance the protection of their Kubernetes infrastructure and business-critical applications.
To learn more about Kubernetes and the cloud native ecosystem, join us at KubeCon + CloudNativeCon North America, in Salt Lake City, Utah, on November 12-15, 2024.