Vilicus — An overseer for security scanning of container images

This content originally appeared on DEV Community and was authored by Ederson Brilhante

Vilicus is an open-source tool that orchestrates security scans of container images (Docker/OCI) and centralizes all results into a database for further analysis and metrics.

Why scan for vulnerabilities?

A recent analysis of around 4 million Docker Hub images by cyber security firm Prevasio found that 51% of the images had exploitable vulnerabilities. A large number of these were cryptocurrency miners, both open and hidden, and 6,432 of the images had malware.
https://www.infoq.com/news/2020/12/dockerhub-image-vulnerabilities/

Image from https://prevasio.com/static/web/viewer.html?file=/static/Red_Kangaroo.pdf

Docker image security scanning is a process for finding security vulnerabilities within your Docker image files.
Typically, image scanning works by parsing through the packages or other dependencies that are defined in a container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies.
https://resources.whitesourcesoftware.com/blog-whitesource/docker-image-security-scanning

How does it work?

There are many tools to scan container images for vulnerabilities, such as Anchore, Clair, and Trivy, but the results for the same image can differ from one scanner to another. This project helps developers improve the quality of their container images by running several scanners and combining their findings, so vulnerabilities can be found and addressed with a vendor-agnostic view.

Some articles comparing the scanning tools:

Architecture

Cached Database

Vilicus updates the vendors' vulnerability databases daily with the latest changes from the upstream feeds.

Because the database data is stored in Docker image layers, the whole platform is ready to use in minutes instead of hours. Syncing the vulnerability feeds from scratch can take at least 6 hours.

Check the strategy used in Anchore, Clair and Trivy

Local Registry

Vilicus provides a local registry, so you can build a local image and scan it without pushing it to a remote repository.

# Build the image, naming it for the local registry started by the compose file
docker build -t localhost:5000/local-image:my-tag .

# Fetch the Vilicus compose file and start the platform in the background
curl -o docker-compose.yml https://raw.githubusercontent.com/edersonbrilhante/vilicus/main/deployments/docker-compose.yml

docker-compose up -d

# Inside the Vilicus container's network the local registry is reached by this hostname
IMAGE=localregistry.vilicus.svc:5000/local-image:my-tag

# Run the client in the vilicus container's network namespace: wait until the API
# reports healthy, scan the image, and write a SARIF report to ./artifacts
docker run -v ${PWD}/artifacts:/artifacts \
  --network container:vilicus \
  vilicus/vilicus:latest \
  sh -c "dockerize -wait http://vilicus:8080/healthz -wait-retry-interval 60s -timeout 2000s vilicus-client -p /opt/vilicus/configs/conf.yaml -i ${IMAGE}  -t /opt/vilicus/contrib/sarif.tpl -o /artifacts/results.sarif"

GitHub Action

GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.
https://github.com/features/actions

Vilicus provides a GitHub Action to help you scan container images in your CI/CD.

Container scanning

A scan can be run against either a remote image or a local image. With a remote repository such as docker.io, the image reference is docker.io/your-organization/image:tag:

  - name: Scan image
    uses: edersonbrilhante/vilicus-github-action@main
    with:
      image: "docker.io/myorganization/myimage:tag"

To use a local image, tag it as localhost:5000/image:tag:

  - name: Scan image
    uses: edersonbrilhante/vilicus-github-action@main
    with:
      image: "localhost:5000/myimage:tag"

Full example

Complete example with steps for freeing disk space, building a local image, scanning it with Vilicus, and uploading the results to GitHub Security.

name: Container Image CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Free disk space on the runner before pulling the scanner images and databases
      - name: Maximize Build Space
        uses: easimon/maximize-build-space@master
        with:
          root-reserve-mb: 512
          swap-size-mb: 1024
          remove-dotnet: 'true'
          remove-android: 'true'
          remove-haskell: 'true'
      - name: Checkout branch
        uses: actions/checkout@v2
      # Tag the image for the local registry so it can be scanned without a push to a remote repository
      - name: Build the Container image
        run: docker build -t localhost:5000/local-image:${GITHUB_SHA} .
      - name: Vilicus Scan
        uses: edersonbrilhante/vilicus-github-action@main
        with:
          image: localhost:5000/local-image:${{ github.sha }}
      # The action writes a SARIF report that GitHub code scanning can ingest
      - name: Upload results to github security
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: artifacts/results.sarif
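Both the local-registry run above and this pipeline end with a results.sarif file, and a practitioner will usually want to fail the job on it rather than only upload it, and, since the post's point is that scanners disagree, to see which vendor reported what. The Python below is an added example, not Vilicus code: it parses a constructed SARIF 2.1.0 document with one run per scanner (the exact layout produced by Vilicus's sarif.tpl is not shown on this page and is assumed here, as are the placeholder CVE ids), lists scanner agreement per CVE, and returns the CVEs at or above a CVSS threshold so the job can exit non-zero.

```python
import json
from collections import defaultdict

# Constructed sample (not real Vilicus output): a minimal SARIF 2.1.0 document with
# one run per scanner, placeholder CVE ids, and the CVSS score in "security-severity".
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "Trivy", "rules": [
        {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
        {"id": "CVE-0000-0002", "properties": {"security-severity": "5.3"}}]}},
     "results": [{"ruleId": "CVE-0000-0001", "message": {"text": "openssl"}},
                 {"ruleId": "CVE-0000-0002", "message": {"text": "zlib"}}]},
    {"tool": {"driver": {"name": "Clair", "rules": [
        {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}}]}},
     "results": [{"ruleId": "CVE-0000-0001", "message": {"text": "openssl"}}]},
    {"tool": {"driver": {"name": "Anchore", "rules": [
        {"id": "CVE-0000-0003", "properties": {"security-severity": "7.5"}}]}},
     "results": [{"ruleId": "CVE-0000-0003", "message": {"text": "curl"}}]},
]})

def findings_by_scanner(sarif_text):
    """Map scanner name -> {ruleId: CVSS score} for every result in the file."""
    out = {}
    for run in json.loads(sarif_text).get("runs", []):
        driver = run["tool"]["driver"]
        score = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                 for r in driver.get("rules", [])}
        out[driver["name"]] = {res["ruleId"]: score.get(res["ruleId"], 0.0)
                               for res in run.get("results", [])}
    return out

def scanner_agreement(by_scanner):
    """Which scanners reported each CVE: this is where vendor results diverge."""
    seen = defaultdict(set)
    for scanner, vulns in by_scanner.items():
        for cve in vulns:
            seen[cve].add(scanner)
    return dict(seen)

def gate(by_scanner, min_severity=7.0):
    """CVEs from any scanner at or above the CVSS threshold; non-empty means fail."""
    return sorted({cve for vulns in by_scanner.values()
                   for cve, s in vulns.items() if s >= min_severity})

if __name__ == "__main__":
    by = findings_by_scanner(SAMPLE_SARIF)
    agree = scanner_agreement(by)
    for cve in sorted(agree):
        print(cve, "reported by:", ", ".join(sorted(agree[cve])))
    print("blocking:", gate(by))
    raise SystemExit(1 if gate(by) else 0)  # a non-zero exit fails the CI job
```

To use it on a real run, replace SAMPLE_SARIF with the contents of artifacts/results.sarif and add a step that runs the script before the upload.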

Results in GitHub Security

Check an example using Vilicus GitHub Action

Pipeline example

List with all vulns found

Vuln details

Source Code

Vilicus GitHub Action

Vilicus

That’s it!

In case you have any questions, please leave a comment here or ping me on LinkedIn.

Ederson Brilhante | Sciencx (2021-03-31T20:19:18+00:00) Vilicus — A overseer for security scanning of container images. Retrieved from https://www.scien.cx/2021/03/31/vilicus-a-overseer-for-security-scanning-of-container-images/