Link Search Menu Expand Document
Cloud Adoption Patterns

Registry Vulnerability Scanner

You have a new cloud native application that is based on a container technology (such as docker) and you want to ensure that your image is clean and secured from any vulnerabilities such as malware or known security vulnerabilities. In order to prevent vulnerabilties being deployed into your Container Registry you utilize a Pipeline Vulnerability Scanner to check for vulnerabilities on creation of the image during the CI/CD pipeline.

What if a vulnerability is created post deployment of the image into the Container Registry? How do you ensure that vulnerabilities are detected?

You don’t want to only rely on the Pipeline Vulnerability Scanner to pick up all vulnerabilities in-case the CI/CD pipeline is bypassed and a developer uploads an image directly. Likewise, you don’t want scans to be performed manually but want them to be scanned periodically. You want an image to be scanned not just at a build time just in-case a new vulnerability is discovered post-release

Therefore:

Ensure that your image registry has a vulnerability scanner that will both scan your container image for any known vulnerabilities on upload of your image and at a regular intervals. The vulnerability scan should check public vulnerability databases such as CVE at a minimum.

Using a vulnerability scanner integrated with your image repository increases the overall security of your solution by ensuring that your image is secured from known vulnerabilties.

You should also have a policy that:

  • prevents any unsecured images being deployed into production
  • alerts your devops, SRE or run teams of any vulnerability scans as and when they occur
  • provides a scan report at regular intervals that can be reviewed by your devops, SRE or run teams

Cloud Hosted Image Registries such as Dockerhub, IBM Cloud, and quay.io all contain this capability by default.