SecDevOps | Container Security - matthewfincher/blacksky GitHub Wiki

http://www.twistlock.com/docker-security-resources/

Open Source Tools

Docker Bench for Security: an open-source utility to self-assess Docker hosts and containers against the CIS Docker Benchmark. Run it on the host with:

docker run -it --net host --pid host --cap-add audit_control \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security

See Understanding Docker Security And Best Practices
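The benchmark output is only useful if something acts on it. As an added example (not part of docker-bench-security or of this wiki), the POSIX shell script below turns a saved report into a CI gate: every [WARN] check that is not on a team-maintained accepted list fails the build, and a check's detail lines follow the decision made for the check. The bench.log path, the one-id-per-line accepted list and the sample report lines are assumptions.

```shell
#!/bin/sh
# CI gate over docker-bench-security output. Added example, not part of the
# docker-bench-security project. Assumes the report was saved with
#   docker run ... docker/docker-bench-security | tee bench.log
# and uses the tool's "[WARN] <check-id> - <text>" line format, with detail
# lines printed as "[WARN]      * <text>" under the check they belong to.

# unaccepted_warns LOGFILE ALLOWLIST
# Prints every [WARN] line not covered by ALLOWLIST (one accepted check id per
# line, e.g. "2.8"); a check's detail lines follow the check's decision.
unaccepted_warns() {
    log=$1; allow=$2; skip=0
    while IFS= read -r line; do
        case $line in
            '[WARN]'*) ;;
            *) skip=0; continue ;;   # any other line ends a WARN section
        esac
        id=$(printf '%s\n' "$line" |
             sed -n 's/^\[WARN\][[:space:]]*\([0-9][0-9.]*\)[[:space:]].*/\1/p')
        if [ -n "$id" ]; then        # new check: is it on the accepted list?
            if [ -f "$allow" ] && grep -qxF "$id" "$allow"; then skip=1; else skip=0; fi
        fi
        [ "$skip" -eq 1 ] || printf '%s\n' "$line"
    done < "$log"
}

# bench_gate LOGFILE ALLOWLIST: exit 0 when nothing is left to fix, else 1
bench_gate() {
    n=$(unaccepted_warns "$1" "$2" | grep -c '^\[WARN\]' || true)
    echo "unaccepted WARN lines: $n"
    [ "$n" -eq 0 ]
}

# Constructed sample report and accepted list (not real scan output).
TMP=$(mktemp -d)
LOG=$TMP/bench.log; ALLOW=$TMP/accepted.txt
cat > "$LOG" <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[PASS] 1.2  - Ensure the container host has been Hardened
[INFO] 1.4  - Ensure Docker is up to date
[INFO]      * Using 1.12.1, which is current
[WARN] 2.8  - Enable user namespace support
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: nginx
[PASS] 4.2  - Ensure containers use trusted base images
EOF
printf '2.8\n' > "$ALLOW"           # 2.8 accepted by the team; the rest are not
unaccepted_warns "$LOG" "$ALLOW"
bench_gate "$LOG" "$ALLOW" || echo "build would fail"
```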

Vulnerability Static Analysis for Containers

Scan a Docker container image for vulnerabilities with Clair:

  1. Pull the container image to the local filesystem (docker pull).
  2. Start Clair and wait for its vulnerability data to auto-update.
  3. Use the local image analysis tool to analyze the container image.
  4. The filesystem of the container image is inspected and indexed.
  5. A vulnerability report is output.

oscap-docker image-cve <IMAGE_NAME> [--results OVAL.XML [--report REPORT.HTML]]

  1. Attaches to the Docker image
  2. Determines the OS variant/version
  3. Downloads the CVE stream applicable to that OS
  4. Runs the vulnerability scan

Banyan Collector: a framework to peek inside containers

  1. cd ~/github; git clone https://github.com/banyanops/collector.git
  2. Install Go.
  3. Run the following on a Docker host:

$ go get -u github.com/banyanops/collector/...
$ cd ~/github/collector; sudo COLLECTOR_DIR=$PWD $GOPATH/bin/collector index.docker.io openwhere/clavin

Commercial Products

Purpose-built Container Security for Docker

POC: Brian Lake [email protected] 503-701-7516

  1. Requested development version via phone call and email on 09/21

Secure and manage open source software in applications and containers.

  • Application Security
  • Container Security

POC:

  1. Bill Claflin [email protected] 781-425-4406 or 617-401-9595
  2. Lester Sydney [email protected]

  • Demo scheduled for Friday 09/23 at 1500 EST

$50K annual license + $75K on-premise fee

  • Automatically inventory open source in code
  • Map to known vulnerabilities
  • Manage remediation activities
  • Monitor and alert when new threats are reported

Open source license management product

  • Provides a summary of what’s in code
  • Jenkins Integration