Automating Container scanning

Automating Container scanning

Automating container scanning in your CI/CD pipeline, including container image scanning, is critical for ensuring that your containers are secure, compliant, and free of vulnerabilities. This can be achieved by integrating various tools like Microsoft Defender for Cloud, Microsoft Defender for Containers, and Microsoft Defender Vulnerability Management into your Azure Pipelines or GitHub Actions.

Here’s a comprehensive guide to automate container scanning with Microsoft Defender and other tools, and how to integrate these scanning processes directly into Azure Pipelines or GitHub Actions.

1. Overview of Key Tools and Concepts

Microsoft Defender for Cloud:

1. Security Posture Management:

Defender for Cloud helps monitor and manage the security posture of your Azure resources and Kubernetes clusters. It provides recommendations for improving security and compliance.

2. Run-time Threat Protection:

Protects containers during runtime by monitoring for suspicious activities and alerting when threats are detected.

3. Vulnerability Assessment:

Scans container images for known vulnerabilities and compliance issues before deployment.

Microsoft Defender for Containers:

A subset of Microsoft Defender for Cloud, Defender for Containers provides:

1. Security posture management:

Monitors container environments like Azure Kubernetes Service (AKS) for security configuration and vulnerabilities.

2. Run-time threat protection:

Protects container workloads during runtime.

3. Vulnerability assessment:

Scans container images for vulnerabilities, misconfigurations, and compliance risks.

Microsoft Defender Vulnerability Management:

Provides vulnerability scanning and management across your infrastructure, including Azure and on-prem environments.

Integrates with Microsoft Defender for Cloud to assess vulnerabilities in container images and workloads.

2. Container Scanning in Azure DevOps and GitHub Actions

You can automate container scanning by integrating tools like Microsoft Defender for Cloud and Defender for Containers into your Azure Pipelines or GitHub Actions to ensure that your container images are free of vulnerabilities before deployment.

A. Scanning Container Images in Azure Pipelines

In Azure DevOps, you can integrate vulnerability scanning tasks directly into your pipeline using tasks that interact with Microsoft Defender for Containers and third-party tools.

Here’s how you can integrate the Microsoft Defender for Containers vulnerability assessment into your Azure DevOps pipeline.

Steps to Automate Container Scanning in Azure Pipelines:

1. Ensure Microsoft Defender for Containers is enabled:

• Ensure that Microsoft Defender for Containers is enabled in your Microsoft Defender for Cloud subscription. This will enable image vulnerability scanning and runtime protection for your Azure Kubernetes Service (AKS) and container workloads.

• Go to Microsoft Defender for Cloud > Environment settings > Defender plans > Containers > Enable.

2. Integrate Defender for Containers Image Scanning into Your Pipeline:

You can use Azure DevOps Container scanning tasks or Docker commands to scan the image during the CI/CD process.

Example YAML pipeline with container image scanning:

xxxxxxxxxx
40
1
trigger:
2
  branches:
3
    include:
4
      - main
5
pool:
6
  vmImage: 'ubuntu-latest'
7
variables:
8
  containerImageName: 'my-app-image'
9
  registryName: 'myregistry.azurecr.io'
10
steps:
11

12
# Build the Docker image
13
- task: Docker@2
14
  displayName: 'Build Docker Image'
15
  inputs:
16
    command: 'build'
17
    containerRegistry: '$(registryName)'
18
    dockerfile: '$(Build.SourcesDirectory)/Dockerfile'
19
    imageName: '$(containerImageName):$(Build.BuildId)'
20

21
# Scan Docker image for vulnerabilities using Microsoft Defender for Containers
22
- task: AzureCLI@2
23
  displayName: 'Scan Container Image for Vulnerabilities'
24
  inputs:
25
    azureSubscription: 'My Azure Subscription'
26
    scriptType: 'pscore'
27
    scriptLocation: 'inlineScript'
28
    inlineScript: |
29
      az security container image scan ``\
30
        --registry $(registryName) ``\
31
        --image $(containerImageName):$(Build.BuildId) ``\
32
        --subscription $(azureSubscription)
33

34
# Push the image to Azure Container Registry (ACR) after scanning
35
- task: Docker@2
36
  displayName: 'Push Docker Image to ACR'
37
  inputs:
38
    command: 'push'
39
    containerRegistry: '$(registryName)'
40
    imageName: '$(containerImageName):$(Build.BuildId)'

Explanation:

• The first step builds the container image from the Dockerfile.

• The second step uses the az security container image scan command to scan the image for vulnerabilities using Microsoft Defender for Containers.

• The third step pushes the image to Azure Container Registry (ACR) after successful scanning.

3. View Scan Results in Microsoft Defender for Cloud:

After the image is scanned, the results are available in the Microsoft Defender for Cloud dashboard, where you can view vulnerabilities, security recommendations, and compliance issues related to your container images.

B. Scanning Container Images in GitHub Actions

GitHub Actions provides a seamless way to automate container image scanning as part of your CI/CD workflow. You can integrate Microsoft Defender for Containers or use open-source container scanning tools such as Trivy or Aqua Security.

Steps to Automate Container Scanning in GitHub Actions:

1. Enable Microsoft Defender for Containers:

Similar to Azure DevOps, ensure that Microsoft Defender for Containers is enabled for image vulnerability scanning in your Azure Defender for Cloud settings.

2. Configure GitHub Actions Workflow:

Here’s an example of a GitHub Actions workflow file that automates container scanning using Microsoft Defender for Containers:

xxxxxxxxxx
33
1
name: Build and Scan Container Image
2
on:
3
  push:
4
    branches:
5
      - main
6
jobs:
7
  build:
8
    runs-on: ubuntu-latest
9
    steps:
10
    - name: Checkout Code
11
      uses: actions/checkout@v2
12
    - name: Set up Docker Buildx
13
      uses: docker/setup-buildx-action@v1
14
    - name: Cache Docker layers
15
      uses: actions/cache@v2
16
      with:
17
        path: /tmp/.buildx-cache
18
        key: $``{``{`` runner.os ``}``}``-buildx-$``{``{`` github.sha ``}``}
19
        restore-keys: |
20
          $``{``{`` runner.os ``}``}``-buildx-
21
    - name: Build Docker image
22
      run: |
23
        docker build -t my-app-image:$``{``{`` github.sha ``}``}`` .
24
    - name: Scan Docker image for vulnerabilities with Microsoft Defender
25
      uses: azure/security-actions@v1
26
      with:
27
        registry: 'myregistry.azurecr.io'
28
        image: 'my-app-image:$``{``{`` github.sha ``}``}``'
29
        subscription-id: $``{``{`` secrets.AZURE_SUBSCRIPTION_ID ``}``}
30
        resource-group: 'myResourceGroup'
31
    - name: Push Docker image to Azure Container Registry
32
      run: |
33
        docker push myregistry.azurecr.io/my-app-image:$``{``{`` github.sha ``}``}

Explanation:

• The first step checks out the code from the repository.

• The second step sets up Docker Buildx for building multi-platform images.

• The third step caches the Docker layers to speed up the build process.

• The fourth step builds the Docker image.

• The fifth step scans the image for vulnerabilities using Microsoft Defender for Containers.

• The final step pushes the image to Azure Container Registry (ACR).

3. View Scan Results:

After the image is scanned by Microsoft Defender for Containers, the results can be viewed in the Microsoft Defender for Cloud portal. You can also configure alerts to notify your team if high-severity vulnerabilities are detected.

3. Vulnerability Management with Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management provides detailed insights into vulnerabilities in your container images and workloads.

You can automate vulnerability assessment and monitoring through Azure DevOps or GitHub Actions by calling the Microsoft Defender Vulnerability Management API to get vulnerability data and trigger alerts.

4. Integrating Other Container Scanning Tools into Pipelines

In addition to Microsoft Defender for Containers, you can integrate other open-source and third-party tools into your Azure Pipelines or GitHub Actions workflows to scan container images for vulnerabilities:

1. Trivy:

A simple and easy-to-use vulnerability scanner for containers. It can be integrated into CI/CD pipelines to scan Docker images for vulnerabilities.

Example GitHub Action:

xxxxxxxxxx
4
1
- name: Scan Docker image with Trivy
2
  run: |
3
    docker pull my-app-image:$``{``{`` github.sha ``}``}
4
    trivy image --exit-code 1 --severity HIGH,CRITICAL my-app-image:$``{``{`` github.sha ``}``}

2. Clair:

A container security scanner that detects vulnerabilities in container images.

Example GitHub Action:

xxxxxxxxxx
3
1
- name: Scan Docker image with Clair
2
  run: |
3
    clair-scanner --ip 127.0.0.1 my-app-image:$``{``{`` github.sha ``}``}

3. Aqua Security's Trivy or Snyk:

Both tools can scan for container image vulnerabilities and integrate directly into your pipelines.

5. Best Practices for Container Security in Pipelines

1. Use a Layered Approach:

Combine tools like Microsoft Defender for Containers with third-party scanning tools like Trivy to provide multiple layers of security.

2. Automate Security and Compliance Checks:

Incorporate security checks into your CI/CD pipelines to catch vulnerabilities as early as possible.

3. Use Quality Gates:

Fail the build if critical vulnerabilities are detected to prevent insecure code from being deployed.

4. Continuous Monitoring:

Once deployed, continuously monitor your container environments for runtime threats using tools like Microsoft Defender for Containers.

Summary

Automating container security scanning as part of your CI/CD pipeline is a crucial step toward ensuring the integrity and security of your containerized applications.

By integrating tools like Microsoft Defender for Containers and other third-party scanning solutions, you can detect vulnerabilities early, manage compliance, and ensure that your containers are secure before they are deployed into production.

Whether you are using Azure DevOps or GitHub Actions, container security can be effectively automated with these tools, enhancing your security posture and mitigating risks.