Updated post as of May, 2022
Containerized software has become the de facto choice for new development with a recent survey showing that over 80% of organizations claim they will increase container adoption over the next 24 months.
While container adoption can ease the development process and increase velocity, it also has the potential to increase an organization’s attack surface and expose it to vulnerabilities. With developers now using both proprietary and open source components in their container environments, visibility into software containers and their dependencies is paramount to securing Docker images and ultimately avoiding data breaches.
A Software Bill of Materials (SBOM) is a vital tool for securing the software supply chain. Used by security and development teams alike, an SBOM provides visibility into all the components in a container image, including both direct and transitive dependencies. Matched against vulnerability data, it lets teams identify known vulnerabilities in those components, locate and remediate them before they reach runtime, and keep monitoring the same inventory for newly published vulnerabilities after deployment.
In this blog post, we’ll show you how you can easily get started generating SBOMs and analyzing them for vulnerabilities using the open source projects Syft and Grype, maintained by Anchore.
Shifting Docker Image Security Left
Getting started with comprehensive Docker image security is easy to do with Syft and Grype. These projects are lightweight, flexible, and stateless command line tools for developers that make it possible to generate a Software Bill of Materials (SBOM) from container images and analyze that SBOM for vulnerabilities.
First, run Syft to generate an SBOM that identifies all of your components, including dependencies, package details, and filesystem metadata. This level of granularity ensures that vulnerabilities are matched accurately against the packages actually present in the image. Note that Syft inventories what is in the image; judging whether a component is vulnerable is Grype's job.
Once that SBOM is generated, it can be fed into Grype which will scan it for vulnerabilities. Re-analyzing images on a regular basis to identify newly discovered vulnerabilities is fast and easy because you only need to generate one SBOM for each version of an image. This is particularly useful in the event of a zero-day, when time is of the essence and you don’t have a minute to spare rescanning your environment from scratch.
Using Syft and Grype for Docker Image Analysis
Generating an SBOM
Step 1: Download & Install Syft
Go to the Syft releases page and download the latest version of Syft or follow installation instructions for your system here.
Step 2: Generate SBOM
Run Syft against your Docker image to output a comprehensive SBOM:
syft <docker image>
You will see an output similar to this:
$ syft debian:10
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [91 packages]
NAME         VERSION          TYPE
adduser      3.118            deb
apt          1.8.2.3          deb
base-files   10.3+deb10u12    deb
base-passwd  3.5.46           deb
bash         5.0-4            deb
…
Step 3: Save Your SBOM
You can generate an SBOM and save it in multiple formats depending on your needs by following the steps outlined here. For this example we’ll use JSON, selected with the -o json option, and write it to a file so it can be rescanned later without pulling the image again:
syft <yourimage>:tag -o json > sbom.json
Finding Vulnerabilities
Step 1: Download & Install Grype
Go to the Grype releases page and download the latest version of Grype or follow installation instructions for your system here.
Step 2: Generate a Vulnerability Report
You can pipe an SBOM file directly from Syft into Grype:
syft <yourimage>:tag -o json | grype
Or scan an SBOM file you saved earlier:
grype sbom:path/to/sbom.json
You will see an output similar to this:
$ grype sbom:./debian_10_SBOM.json
✔ Vulnerability DB [updated]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [91 packages]
✔ Scanned image [137 vulnerabilities]
NAME       INSTALLED      FIXED-IN     TYPE  VULNERABILITY   SEVERITY
apt        1.8.2.3                     deb   CVE-2011-3374   Negligible
bash       5.0-4                       deb   CVE-2019-18276  Negligible
bsdutils   1:2.33.1-0.1                deb   CVE-2022-0563   Negligible
bsdutils   1:2.33.1-0.1   (won't fix)  deb   CVE-2021-37600  Low
coreutils  8.30-3         (won't fix)  deb   CVE-2016-2781   Low
…
Note: To write the vulnerability report to a file instead of the terminal, pass --file <path> (or redirect standard output); combine it with -o json for a machine-readable report. See the config options here.
Grype uses multiple vulnerability data sources to optimize vulnerability matching and reduce noise from false positives so that developers don’t waste as much time when fixing vulnerabilities in their Docker images.
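The following script ties the workflow above together: it generates one SBOM per image version with Syft, stores it, and on every later run feeds the stored SBOM to Grype, which is the "rescan without starting from scratch" pattern described earlier. It then parses Grype's JSON report and applies a severity gate that can drop matches the distribution has marked won't fix, the rows seen in the Debian output above. This is an added example, not code from the original post or from the Syft or Grype projects; it assumes syft and grype are on PATH and that Grype's JSON report exposes the fields matches[].vulnerability.{id,severity,fix.state,fix.versions} and matches[].artifact.{name,version,type} (their names are an assumption about the Grype version in use; verify against your own output). The embedded sample report is constructed from the rows shown on this page so the gating logic can be exercised without the tools installed.

```python
"""Generate a Syft SBOM once per image version and re-scan it with Grype.

Added example; not code from the original post or the Syft/Grype projects.
Assumes `syft` and `grype` are on PATH. Grype JSON field names below are an
assumption about the installed version; check them against your own report.
"""
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path

# Grype's severity ladder. Ranking "Unknown" lowest is a policy choice here.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5}


def sbom_path_for(image: str, sbom_dir: Path = Path("sboms")) -> Path:
    """One SBOM file per image reference, e.g. sboms/debian_10.json."""
    return sbom_dir / (image.replace("/", "_").replace(":", "_") + ".json")


def generate_sbom(image: str, sbom_dir: Path = Path("sboms")) -> Path:
    """Run Syft only if no SBOM exists yet for this image version."""
    out = sbom_path_for(image, sbom_dir)
    if not out.exists():
        sbom_dir.mkdir(parents=True, exist_ok=True)
        with out.open("w") as fh:
            subprocess.run(["syft", image, "-o", "json"], check=True, stdout=fh)
    return out


def scan_sbom(sbom: Path) -> dict:
    """Feed the stored SBOM to Grype: no image pull, no re-cataloging."""
    proc = subprocess.run(["grype", f"sbom:{sbom}", "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def summarize(report: dict, min_severity: str = "High",
              ignore_wont_fix: bool = True):
    """Return (counts per severity, matches that fail the gate).

    Matches whose fix state is "wont-fix" are still counted but, by default,
    do not fail the gate, which removes much of the noise in the Debian rows.
    """
    counts: Counter = Counter()
    failing = []
    threshold = SEVERITY_RANK[min_severity]
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        severity = vuln.get("severity", "Unknown")
        fix = vuln.get("fix", {})
        counts[severity] += 1
        if ignore_wont_fix and fix.get("state") == "wont-fix":
            continue
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            failing.append({"id": vuln["id"], "package": artifact["name"],
                            "version": artifact["version"],
                            "type": artifact["type"], "severity": severity,
                            "fixed_in": fix.get("versions", [])})
    return counts, failing


# Constructed sample mirroring the first rows of the debian:10 report above,
# so summarize() can be exercised without syft/grype installed.
def _m(cve, sev, state, name, ver):
    return {"vulnerability": {"id": cve, "severity": sev,
                              "fix": {"versions": [], "state": state}},
            "artifact": {"name": name, "version": ver, "type": "deb"}}


SAMPLE_REPORT = {"matches": [
    _m("CVE-2011-3374", "Negligible", "not-fixed", "apt", "1.8.2.3"),
    _m("CVE-2019-18276", "Negligible", "not-fixed", "bash", "5.0-4"),
    _m("CVE-2022-0563", "Negligible", "not-fixed", "bsdutils", "1:2.33.1-0.1"),
    _m("CVE-2021-37600", "Low", "wont-fix", "bsdutils", "1:2.33.1-0.1"),
    _m("CVE-2016-2781", "Low", "wont-fix", "coreutils", "8.30-3"),
]}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <image>[:tag]", file=sys.stderr)
        return 2
    counts, failing = summarize(scan_sbom(generate_sbom(argv[1])))
    print("by severity:", dict(counts))
    for f in failing:
        fixed = ", ".join(f["fixed_in"]) or "-"
        print(f"{f['severity']:<10} {f['id']:<16} {f['package']} "
              f"{f['version']} fixed-in: {fixed}")
    return 1 if failing else 0  # non-zero exit fails a CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 scan.py debian:10; the first run invokes Syft and writes sboms/debian_10.json, later runs only invoke Grype against that file, so a newly published CVE shows up without re-pulling or re-cataloging the image. If all you need is the exit code, Grype's own --fail-on <severity> flag gives the same gate without any scripting; the value of parsing the JSON yourself is the won't-fix filter and whatever other policy your team wants to apply.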
Docker Image Security at Scale
While conducting scans of Docker images is quick and easy, automating such scans and implementing Docker image security best practices at scale across multiple teams and applications requires an enterprise-level solution that goes beyond what Syft and Grype provide. Anchore Enterprise adds powerful functionality to the intuitive features of Syft and Grype. With features such as SBOM Management, policy and compliance controls and global reporting and notifications, Anchore Enterprise helps organizations secure their entire software supply chain.
Conclusion
It is critically important for developers to know exactly what is inside a software container before using it and to enforce company-wide policy and compliance requirements throughout the build process. Simple image analysis tools like Syft and Grype are a great way to get up and running quickly with Docker image security before graduating to an enterprise-level software supply chain management solution like Anchore Enterprise. By using Anchore, you can know more about the building blocks used in your applications and prepare for the growing set of industry best practices that are quickly becoming standards and mandates.