Enterprises have adopted a cloud-native strategy with Kubernetes as the de-facto orchestration engine. The strategy provides application portability and scalability by abstracting away the underlying infrastructure.
Cloud-native platforms require applications delivered in the container image format. These images are deployed across varied application environments like Local, Dev, Staging, UAT, Prod, Recovery, etc. They need an effective strategy to determine and mitigate associated security concerns. Any open vulnerabilities can lead to an unsecured cluster or a compromised application, thereby jeopardizing your customers.
Image scanning is the cornerstone of container security practices. It allows you to classify and categorize CVEs by their severity. Unlike application packages, container images can contain numerous vulnerabilities across many different packages deployed by various teams.
The DevOps team may harden the base images and the associated packages, while each development team can focus on their runtime requirements. Thus container security is a shared responsibility across different teams, so you need a solution that can be well adapted across the enterprise. The cloud-native strategy provides the required solution by creating checks based on the Open Policy Agent (OPA) standard.
OPA is a detailed yet straightforward specification. It can be applied to the different stages of a container's lifecycle for enforcing various practices. In this article, you will work using Trivy, an open source vulnerability scanner, and customize its image scan rules using OPA policies.
If you'd like to follow along with this tutorial, you'll need to install Trivy on your machine. It ships as a single binary which can be downloaded from its release page. Alternatively, you can use the Trivy Docker image with the command below:
$ docker run --rm aquasec/trivy:0.18.3 --version
Version: 0.18.3
The Trivy binary does not bundle the vulnerability list. Instead, on execution it downloads the list of known vulnerabilities from an upstream git repository, which keeps Trivy's vulnerability knowledge up to date. It caches the vulnerability data on disk for about 6 hours so that subsequent scans run quickly. Because a Docker container is ephemeral, this cache is discarded when the container exits, so you must bind-mount a volume to persist the cache across runs.
$ docker run --rm -v $PWD/Caches:/root/.cache/ aquasec/trivy:0.18.3 python:3.4-alpine
2021-07-05T12:21:43.211Z INFO Detecting Alpine vulnerabilities...
2021-07-05T12:21:43.225Z INFO Number of PL dependency files: 0
2021-07-05T12:21:43.225Z WARN This OS version is no longer supported by the distribution: alpine 3.9.2
2021-07-05T12:21:43.225Z WARN The vulnerability detection may be insufficient because security updates are not provided
python:3.4-alpine (alpine 3.9.2)
================================
Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat | CVE-2018-20843 | HIGH | 2.2.6-r0 | 2.2.7-r0 | expat: large number of |
| | | | | | colons in input makes parser |
| | | | | | consume high amount... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20843 |
+ +------------------+ + +---------------+---------------------------------------+
The above command downloads and scans the python:3.4-alpine image from Docker Hub. It uses the database cached under /root/.cache for vulnerability lookup and identification, and prints a summarised vulnerability report as a table on your terminal, without the per-vulnerability assessment details.
Trivy performs vulnerability assessment using Common Vulnerability Scoring System (CVSS), an industry standard for assessing the severity of computer system security vulnerabilities. CVSS provides scores in Base, Temporal and Environmental categories, which are based on a matrix of attributes.
Base Scores measure security vulnerabilities based on their intrinsic characteristics, which are constant across different deployment environments. The other two scores are based on the Base score with time and environmental factors. Please refer to the CVSS specification document to know more about the complete specification.
Trivy can include the CVSS Base score together with its individual attribute values when it produces the report in JSON format.
$ docker run --rm -v $PWD/Caches:/root/.cache/ -v $PWD:/root/data aquasec/trivy:0.18.3 -f json -o /root/data/out.json python:3.4-alpine
The above command specifies the -f json option to generate the vulnerability report for python:3.4-alpine in JSON format. The JSON format contains detailed information about every vulnerability but, unlike the default tabular format, does not provide any summary information. The command also uses the -o /root/data/out.json option to export the report to a file.
Development teams often need ways to quickly analyze and filter the numerous vulnerabilities. This allows them to prioritize their effort and deliver adequate fixes. The JSON report provides the different attributes which can be used to filter the vulnerabilities.
{
"VulnerabilityID": "CVE-2021-22898",
"PkgName": "curl",
"InstalledVersion": "7.64.0-4+deb10u2",
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-22898",
"Severity": "HIGH",
"CweIDs": [
"CWE-909"
],
## Removed for Brevity
},
Trivy allows you to build ignore policies in the OPA format. A policy can discard vulnerabilities based on VulnerabilityID, PkgName, Severity, CweIDs or any other attribute.
package trivy

default ignore = false

# Packages whose findings are dropped regardless of severity
ignore_pkgs := {"bash", "vim", "libbz2"}

# Severities that are dropped regardless of package
ignore_severities := {"LOW", "MEDIUM"}

# Ignore any finding in one of the listed packages
ignore {
  input.PkgName == ignore_pkgs[_]
}

# Ignore any finding with one of the listed severities
ignore {
  input.Severity == ignore_severities[_]
}

# Ignore one specific CVE by its ID
ignore {
  input.VulnerabilityID == "CVE-2019-8457"
}

# Ignore any finding tagged with CWE-125
ignore {
  input.CweIDs[_] == "CWE-125"
}

# Ignore libssl1 findings up to HIGH, but only if none of the denied CWEs applies
ignore {
  input.PkgName == "libssl1"
  input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
  deny_cwe_ids := {"CWE-119", "CWE-476"}
  count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}
Please make a note of the following things in the above configuration:
- `package trivy` declares the package in which Trivy looks for the ignore rules.
- Each `ignore` block provides a conditional check. All conditions inside a single ignore block are combined with AND; separate ignore blocks are combined with OR, so a vulnerability is ignored as soon as any one block matches.
- You can apply the ignore policy using the --ignore-policy flag.
docker run --rm -v $PWD/Caches:/root/.cache/ -v $PWD:/root/data aquasec/trivy:0.18.3 --ignore-policy /root/data/ignorePolicy1.rego python:3.4-alpine
2021-07-05T12:23:06.734Z INFO Detected OS: alpine
2021-07-05T12:23:06.734Z INFO Detecting Alpine vulnerabilities...
2021-07-05T12:23:06.750Z INFO Number of PL dependency files: 0
2021-07-05T12:23:06.750Z WARN This OS version is no longer supported by the distribution: alpine 3.9.2
2021-07-05T12:23:06.750Z WARN The vulnerability detection may be insufficient because security updates are not provided
python:3.4-alpine (alpine 3.9.2)
================================
Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 9, CRITICAL: 2)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat | CVE-2018-20843 | HIGH | 2.2.6-r0 | 2.2.7-r0 | expat: large number of |
| | | | | | colons in input makes parser |
| | | | | | consume high amount... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20843 |
+ +------------------+ + +---------------+---------------------------------------+
Let's correlate the ignore blocks with the above vulnerability report: the severity rule removes all 4 LOW and 16 MEDIUM findings outright, and the remaining rules drop a further 4 HIGH and 2 CRITICAL findings. With all these ignore rules in place, you are only left with 2 CRITICAL and 9 HIGH severity vulnerabilities.
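To see the same rules at work outside Trivy, here is an added Python example (not code from the article or from the Trivy project) that ports the five ignore blocks above and runs them over a constructed report. It assumes the JSON layout that Trivy 0.18.x writes with -f json, a top-level list of targets each carrying a Vulnerabilities list; the package names, versions and CWE pairings in the sample are made up, and only the two CVE IDs the article itself mentions are real. Because the JSON format carries no summary line, the script also rebuilds the per-severity "Total:" line of the table format, before and after the policy.

```python
import json

# Severity buckets in the order Trivy prints them in its table summary line
SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report following the Trivy 0.18.x JSON layout (assumption):
# a top-level list of targets, each with a Vulnerabilities list. Apart from the
# two CVE IDs the article mentions, every ID is a placeholder, and all package
# names, versions and CWE pairings are made up for the example.
SAMPLE_REPORT = json.dumps([{
    "Target": "python:3.4-alpine (alpine 3.9.2)",
    "Type": "alpine",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-20843", "PkgName": "expat",
         "InstalledVersion": "2.2.6-r0", "FixedVersion": "2.2.7-r0",
         "Severity": "HIGH"},                               # no CweIDs field at all
        {"VulnerabilityID": "CVE-2019-8457", "PkgName": "sqlite-libs",
         "InstalledVersion": "3.28.0-r0", "Severity": "CRITICAL", "CweIDs": ["CWE-125"]},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash",
         "InstalledVersion": "5.0.0-r0", "Severity": "HIGH", "CweIDs": ["CWE-78"]},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "musl",
         "InstalledVersion": "1.1.20-r4", "Severity": "MEDIUM", "CweIDs": ["CWE-20"]},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libssl1",
         "InstalledVersion": "1.1.1-r0", "Severity": "HIGH", "CweIDs": ["CWE-476"]},
        {"VulnerabilityID": "CVE-0000-0006", "PkgName": "libssl1",
         "InstalledVersion": "1.1.1-r0", "Severity": "HIGH", "CweIDs": ["CWE-327"]},
        {"VulnerabilityID": "CVE-0000-0007", "PkgName": "zlib",
         "InstalledVersion": "1.2.11-r1", "Severity": "CRITICAL", "CweIDs": ["CWE-125"]},
        {"VulnerabilityID": "CVE-0000-0008", "PkgName": "openssh",
         "InstalledVersion": "7.9_p1-r5", "Severity": "LOW", "CweIDs": ["CWE-200"]},
        {"VulnerabilityID": "CVE-0000-0009", "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1-r0", "Severity": "CRITICAL", "CweIDs": ["CWE-787"]},
    ],
}])

# The same sets the Rego policy declares
IGNORE_PKGS = {"bash", "vim", "libbz2"}
IGNORE_SEVERITIES = {"LOW", "MEDIUM"}
IGNORE_IDS = {"CVE-2019-8457"}
IGNORE_CWES = {"CWE-125"}
LIBSSL_DENY_CWES = {"CWE-119", "CWE-476"}


def ignore(vuln):
    """Port of the five ignore blocks: a finding is dropped when ANY block
    matches, and every condition inside one block must hold (AND)."""
    cwes = set(vuln.get("CweIDs") or [])  # input.CweIDs[_] yields nothing when absent
    if vuln["PkgName"] in IGNORE_PKGS:
        return True
    if vuln["Severity"] in IGNORE_SEVERITIES:
        return True
    if vuln["VulnerabilityID"] in IGNORE_IDS:
        return True
    if cwes & IGNORE_CWES:
        return True
    # libssl1 block: drop LOW/MEDIUM/HIGH findings only if no denied CWE applies
    if (vuln["PkgName"] == "libssl1"
            and vuln["Severity"] in {"LOW", "MEDIUM", "HIGH"}
            and not (cwes & LIBSSL_DENY_CWES)):
        return True
    return False


def load_report(text):
    """Flatten every target's Vulnerabilities list into one list of findings."""
    findings = []
    for target in json.loads(text):
        findings.extend(target.get("Vulnerabilities") or [])
    return findings


def apply_policy(findings, policy=ignore):
    """Keep only the findings the policy does not ignore."""
    return [v for v in findings if not policy(v)]


def summarize(findings):
    """Per-severity counts in Trivy's table order (the JSON report has none)."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for v in findings:
        sev = v.get("Severity") or "UNKNOWN"
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def format_summary(counts):
    """Render the counts like the 'Total: ...' line of Trivy's table format."""
    total = sum(counts.values())
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER)
    return f"Total: {total} ({parts})"


if __name__ == "__main__":
    all_findings = load_report(SAMPLE_REPORT)
    kept = apply_policy(all_findings)
    print("before policy:", format_summary(summarize(all_findings)))
    print("after policy: ", format_summary(summarize(kept)))
    for v in kept:
        print(f"  {v['VulnerabilityID']:16} {v['PkgName']:14} {v['Severity']}")
```

Point load_report at the contents of out.json from the earlier -f json run to apply the same filter to a real report. Note that the libssl1 block keeps the CWE-476 finding even though it is only HIGH, because the denied-CWE condition is ANDed with the others inside that block.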
So far, you have created ignore rules using package-level attributes, but Trivy also allows you to filter vulnerabilities based on the CVSS Base group attributes. The CVSS Base group consists of two subgroups:
You can create ignore policies based on any of the above-discussed attributes. Additionally, you can also use the CVSS score to filter the vulnerabilities.
package trivy

import data.lib.trivy

default ignore = false

# The NVD CVSS v3 vector string of the finding being evaluated
nvd_v3_vector = v {
  v := input.CVSS.nvd.V3Vector
}

# Ignore findings that are not exploitable over the network
ignore {
  cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
  cvss_vector.AttackVector != "Network"
}

# Ignore findings that need high privileges to exploit
ignore {
  cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
  cvss_vector.PrivilegesRequired == "High"
}

# Ignore findings that need user interaction to exploit
ignore {
  cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
  cvss_vector.UserInteraction == "Required"
}

# Ignore findings with an NVD CVSS v3 base score below 5
ignore {
  input.CVSS.nvd.V3Score < 5
}
There are a few things to note in the above configuration:
- `import data.lib.trivy` imports the parse_cvss_vector_v3 function used to parse the CVSS vector string into its individual attributes.
- Apply the ignore policy using the --ignore-policy flag, as done previously.
docker run --rm -v $PWD/Caches:/root/.cache/ -v $PWD:/root/data aquasec/trivy:0.18.3 --ignore-policy /root/data/ignorePolicy2.rego python:3.4-alpine
2021-07-05T08:22:09.956Z INFO Detected OS: alpine
2021-07-05T08:22:09.956Z INFO Detecting Alpine vulnerabilities...
2021-07-05T08:22:09.971Z INFO Number of PL dependency files: 0
2021-07-05T08:22:09.971Z WARN This OS version is no longer supported by the distribution: alpine 3.9.2
2021-07-05T08:22:09.971Z WARN The vulnerability detection may be insufficient because security updates are not provided
python:3.4-alpine (alpine 3.9.2)
================================
Total: 28 (UNKNOWN: 0, LOW: 0, MEDIUM: 11, HIGH: 13, CRITICAL: 4)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat | CVE-2018-20843 | HIGH | 2.2.6-r0 | 2.2.7-r0 | expat: large number of |
| | | | | | colons in input makes parser |
| | | | | | consume high amount... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20843 |
+ +------------------+ + +---------------+---------------------------------------+
Let's correlate the ignore blocks with the above vulnerability report: the CVSS rules remove all 4 LOW findings and 5 of the 16 MEDIUM findings while leaving every HIGH and CRITICAL finding in place. With all these ignore rules in place, you are only left with 4 CRITICAL, 13 HIGH, and 11 MEDIUM severity vulnerabilities.
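As an added example that is not part of the article or of Trivy's own lib.trivy helper, the following Python code shows what parse_cvss_vector_v3 has to do: split a CVSS v3.0/3.1 vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H into named Base metrics, then apply the same four ignore conditions as the policy above. The attribute names AttackVector, PrivilegesRequired and UserInteraction and their spelled-out values follow the policy; the names of the other attributes are this example's own choice, and the findings it runs over are constructed with placeholder IDs and carry only the fields the policy reads.

```python
import re

# Abbreviation tables for the CVSS v3.x Base metrics. The values are spelled
# out the way the Rego policy compares them ("Network", "High", "Required");
# the attribute names other than those three are this example's own choice.
_BASE_METRICS = {
    "AV": ("AttackVector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("AttackComplexity", {"L": "Low", "H": "High"}),
    "PR": ("PrivilegesRequired", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("UserInteraction", {"N": "None", "R": "Required"}),
    "S": ("Scope", {"U": "Unchanged", "C": "Changed"}),
    "C": ("Confidentiality", {"N": "None", "L": "Low", "H": "High"}),
    "I": ("Integrity", {"N": "None", "L": "Low", "H": "High"}),
    "A": ("Availability", {"N": "None", "L": "Low", "H": "High"}),
}
# Temporal metrics may trail a vector; they do not affect a Base policy, so skip them
_TEMPORAL_METRICS = {"E", "RL", "RC"}


def parse_cvss_vector_v3(vector):
    """Parse 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' into named attributes.
    Raises ValueError for anything that is not a complete CVSS v3.0/v3.1 Base vector."""
    head, _, rest = vector.partition("/")
    if not re.fullmatch(r"CVSS:3\.[01]", head):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    attrs = {"Version": head.split(":", 1)[1]}
    for part in rest.split("/"):
        key, _, val = part.partition(":")
        if key in _TEMPORAL_METRICS:
            continue
        if key not in _BASE_METRICS or val not in _BASE_METRICS[key][1]:
            raise ValueError(f"unknown metric {part!r} in {vector!r}")
        name, table = _BASE_METRICS[key]
        attrs[name] = table[val]
    missing = [name for name, _ in _BASE_METRICS.values() if name not in attrs]
    if missing:
        raise ValueError(f"{vector!r} lacks Base metrics {missing}")
    return attrs


def ignore(vuln):
    """Port of the four CVSS ignore blocks. A finding with no NVD v3 vector is
    not ignored by the vector rules, and one with no NVD v3 score is not ignored
    by the score rule: in the Rego those references are simply undefined."""
    nvd = (vuln.get("CVSS") or {}).get("nvd") or {}
    vector, score = nvd.get("V3Vector"), nvd.get("V3Score")
    if vector is not None:
        cv = parse_cvss_vector_v3(vector)
        if cv["AttackVector"] != "Network":
            return True
        if cv["PrivilegesRequired"] == "High":
            return True
        if cv["UserInteraction"] == "Required":
            return True
    if score is not None and score < 5:
        return True
    return False


def apply_policy(findings, policy=ignore):
    """Keep only the findings the policy does not ignore."""
    return [v for v in findings if not policy(v)]


# Constructed findings with placeholder IDs; each carries only what the policy reads.
SAMPLE_FINDINGS = [
    {"VulnerabilityID": "CVE-0000-1001", "Severity": "CRITICAL",
     "CVSS": {"nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8}}},
    {"VulnerabilityID": "CVE-0000-1002", "Severity": "HIGH",   # local attack vector
     "CVSS": {"nvd": {"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "V3Score": 7.8}}},
    {"VulnerabilityID": "CVE-0000-1003", "Severity": "HIGH",   # needs high privileges
     "CVSS": {"nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "V3Score": 7.2}}},
    {"VulnerabilityID": "CVE-0000-1004", "Severity": "HIGH",   # needs user interaction
     "CVSS": {"nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "V3Score": 8.8}}},
    {"VulnerabilityID": "CVE-0000-1005", "Severity": "MEDIUM", # base score below 5
     "CVSS": {"nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 3.7}}},
    {"VulnerabilityID": "CVE-0000-1006", "Severity": "MEDIUM",
     "CVSS": {"nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 5.3}}},
    {"VulnerabilityID": "CVE-0000-1007", "Severity": "HIGH",   # vendor score only, no NVD v3 data
     "CVSS": {"redhat": {"V3Score": 7.5}}},
]

if __name__ == "__main__":
    for v in SAMPLE_FINDINGS:
        print(f"{v['VulnerabilityID']}  {'ignored' if ignore(v) else 'kept'}")
```

The last sample finding is worth noticing: a vulnerability that carries only a vendor CVSS entry and no NVD v3 data is kept by this policy, not dropped, because none of its conditions can be evaluated. If you want such findings filtered too, the policy has to say so explicitly rather than rely on the undefined reference.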
Cloud-native development needs modern ways of enforcing security practices. Image scanning with OPA-based policies can provide vulnerability prioritization for the ever-growing stream of known vulnerabilities. Trivy provides a simple configuration for filtering the vulnerability list based on contextual factors. The open source solution can run in various setups, such as on workstations or in client-server mode, to support varied integration models.
At Magalix, we help companies shift security left by defining, managing, and deploying custom governance policies by leveraging policy as code (PaC). Our library of policies can prevent non-secure container images from being deployed. We help implement the right workflows, playbooks, and more using a robust OPA policy execution engine.
To learn more, reach out to one of our in-house Kubernetes experts.