DEV Community

adriens for opt-nc


๐ŸŽŸ๏ธ Docker image security scan automation with GH issues

โ˜๏ธ Context

Docker image security is an ever-increasing concern. It is more than a trend: not having a proper pipeline around image security can lead to disasters.

To address it we adopted the following strategy:

  • Rely on well-maintained, security-focused images
  • Pay attention to dependency management

Dependency management is handled by Dependabot, which is available almost out of the box.

For Docker images there is some more work to do.

👉 In this short post you'll see how we implemented an efficient, repo-centric and CI-driven approach.

๐Ÿ“ Implementation

For Docker image scanning, we rely on the Container Scan GitHub Action maintained by Anchore.

Then we wrapped some CI around it so we can monitor security as part of our daily activities.

โฐ Schedule scans

First, we schedule the scans. Below is our code to scan the latest tag:

name: ๐Ÿ›ก๏ธ Scan Docker image latest ๐Ÿณ

on:
  schedule: ## Schedule the job to run at a particular time.
    - cron:  '0 1 * * 1' ## every monday at 1:00AM

💥 Use severity-cutoff

Next, we need our scheduled task to fail if a critical vulnerability has been discovered.


Find the severity-cutoff implementation below:

jobs:
  scan:
    name: 🛡️ Scan image latest
    runs-on: ubuntu-latest
    steps:
      - uses: anchore/scan-action@v3
        id: scan
        with:
          image: optnc/domaine-nc-api:latest
          fail-build: true          ## fail the job when the cutoff is reached
          severity-cutoff: critical ## only findings at critical severity fail the build

🎫 Create (or update) issue

Next we want to create an issue when the scan action fails (meaning that a critical vulnerability has been found).

What we want is properly tagged issues, so we can manage them as part of our daily tasks and produce reporting.

Therefore we:

  • Set up some labels (to make filtering easier), e.g. security, docker-scan
  • Look up the latest open issue matching these labels, so that it gets updated instead of a new issue being opened for the same problem every day
  • Put the scan report in the issue so all the details are available in a single place

Find the code below:

      - name: Create/Update an issue for the vulnerabilities 🛡️ that have been detected
        if: ${{ failure() }}
        uses: actions/github-script@v6
        with:
          debug: true
          script: |
            const { owner, repo } = context.repo;
            const labels = ['security', 'docker-scan', 'Alert : Docker image scan'];

            // Look up the most recent open issue carrying these labels (if any),
            // so we update it instead of opening a new one on every run
            const existingIssue = (await github.paginate(github.rest.issues.listForRepo.endpoint.merge({
              owner, repo, state: 'open', labels
            }))).filter(i => i.title.indexOf('Docker image security scan') !== -1)[0];

            // Build the issue body; the report comes from a "scan_report" step
            // that is not shown in this post
            const body = `Workflow failed for commit ${{ github.sha }}.

            The following vulnerabilities have been detected:
            \`\`\`
            ${{ steps.scan_report.outputs.report }}
            \`\`\`
            `;

            // Create the issue, or update the existing one
            if (existingIssue) {
              await github.rest.issues.update({ owner, repo, issue_number: existingIssue.number, body });
            } else {
              await github.rest.issues.create({
                owner, repo,
                title: '🛡️ Docker image security scan failed 🛡️',
                body,
                labels
              });
            }

👮 Enjoy a clean issue

Then you are set up to get very useful issues from your CI.

🎀 Bonus

Note that the issue references the commit, which is really useful to trace how the security flaw may have been introduced.

🔖 Resources


Top comments (8)

Ajeet Singh Raina

Did you try the Anchore Docker Desktop Extension? With just one single command, docker extension install anchore/docker-desktop-extension:0.5.0, you can bring up the app. Do try it once.

adriens

Interesting, but does it exist on Linux?

Ajeet Singh Raina

Yes, you can download Docker Desktop for Linux on your system from this link: docs.docker.com/desktop/linux/inst... and then enable Docker Extension.
Follow this link: docs.docker.com/desktop/linux/

adriens

I'll give it a try for sure!

adriens (edited)

You're right!

Ajeet Singh Raina

You can follow my blog too collabnix.com/a-first-look-at-dock...
