
TNS Research: A Scan of the Container Vulnerability Scanner Landscape

5 Aug 2016 10:02am, by

The story has been updated since original publication. Black Duck Hub was added to the table on August 24, 2016.

Container registries and vulnerability scanners are often bundled together, but they are not the same thing. Image scanning may occur at multiple points in a container deployment workflow. Some scanners are bundled with existing solutions, while others are point solutions. Their differences can be measured by the data sources they use, what is being checked, and the actions automatically taken as the result of a scan.

Scanners review artifacts against a certain set of criteria, such as policies or the inclusion of specific code. For the purposes of this article, we focus only on scanning for vulnerabilities in both applications and container images. Scans of applications can determine whether they were built from widely tested packages coming from popular repositories. Scanning images also reviews the applications inside them, but in addition looks for vulnerabilities in the operating system packages and configuration that the image itself bundles for its deployment environment.

Some container registries are continuously scanned for vulnerabilities by a bundled scanner. For example, CoreOS’s Clair scans Quay.io, Docker Security Scanning works with Docker Trusted Registry, and Red Hat has added scanning in Project Atomic for its Atomic Registry. Although Docker Store is still in beta, it promises to offer for sale images that have been scanned and approved by the company. FlawCheck Private Registry has a custom scanner built into its product. These registries promise “secure” container images for developers to build on and deploy.

Other scanners, such as Aqua Peekr, Anchore, and Twistlock Trust, work independently of any specific registry, which is valuable if you are pulling container images from multiple sources. These solutions can be connected directly to multiple stages of build/deploy pipelines. The workflow in the following graphic from Anchore shows a developer building an application on top of a publicly available image, then analyzing and certifying the newly built image. The image then goes back into the CI/CD workflow for testing.

Anchore’s scanner is used again before the application is deployed. At this stage the image goes through the same security scanning, but more importantly it is evaluated to determine whether and how it will be deployed into production. By this time, security and operations teams have already created policies that define which containers are acceptable and what types of resources they are allowed to use.

The image from Anchore’s site shows how it can fit into a CI/CD workflow.

Below we have included twelve examples of container vulnerability scanning solutions. The list purposefully excludes tools that scan and manage application packages and repositories. As described in this CloudMunch article, there is an argument that DevOps should think of its process as build-driven instead of image-driven. Fred Simon, JFrog’s chief technology officer, made this argument by saying, “You don’t distribute an application anymore, you distribute the full stack.” If this angle is taken, then inspection tools from JFrog or Sonatype would come into the discussion.

Container Vulnerability Scanning

Project | Company/Sponsor | Project Description
--- | --- | ---
Anchore | Anchore | A set of tools that provide visibility, transparency, and control of your container environment. It consists of two parts: a web service hosted by Anchore, and a set of open source command-line query tools. The hosted service selects and analyzes popular container images from Docker Hub and other sources, and provides this metadata as a service to the on-premises command-line tools.
Aqua Container Security Platform | Aqua Security Software | A scalable security solution that protects containerized applications against internal and external threats.
Aqua Peekr | Aqua Security Software | Free scanner of container images across different types of registries.
BanyanOps | BanyanOps | The company has yet to launch its product, which will focus on analyzing images with the aim of accelerating IT operations with containers.
Hub | Black Duck | Using Black Duck’s Knowledgebase, Hub can be used to identify, manage and monitor container security.
Clair | CoreOS | A container vulnerability analysis service providing static analysis of vulnerabilities in appc and Docker containers.
Docker Cloud | Docker | A SaaS service for deploying and managing Dockerized applications. Docker Cloud includes Docker Security Scanning, which reviews images in private repositories to check that they are free from known security vulnerabilities or exposures, and reports the results of the scan for each image tag. Docker Trusted Registry is included in the subscription.
Docker Store | Docker | A place to find trusted commercial and free software distributed as Docker images. All Docker Official Images and Store curated content go through Docker Security Scanning.
FlawCheck Private Registry | FlawCheck | A cloud-hosted registry for Docker images. It scans containers for vulnerabilities and malware. It is also available in an on-premises version.
Vulnerability Advisor | IBM | Vulnerability Advisor is a capability of IBM Containers on Bluemix. It gives container developers a view into their images’ security properties, as well as guidance on how images should be improved to meet common-sense best practices and pick up known industry fixes. Using Vulnerability Advisor, developers can design secure applications with very little effort.
Atomic Scan | Red Hat | The atomic scan command runs pluggable scanners against container images; OpenSCAP is Project Atomic’s default scanner.
OpenSCAP | Red Hat | OpenSCAP Base is both a library and a command-line tool which can parse and evaluate each component of the SCAP (Security Content Automation Protocol) standard for describing system configurations and security management policies. OpenSCAP also includes a GUI tool allowing users to perform configuration and vulnerability scans on a single local or remote system.
Twistlock Trust | Twistlock | Scans images and registries to detect vulnerabilities in the code as well as configuration errors. It gives security teams a centralized location to configure and monitor security rules across multiple container clusters.

Scanners can be created relatively easily, because most of them match the packages found in an image against the same public vulnerability data: distribution security advisories and CVE feeds. Red Hat has OpenSCAP, a compilation of tools to scan for vulnerabilities, whose value lies in being well curated and organized. Yet when Red Hat developers wanted to scan containers in Project Atomic, they still built a dedicated scanning command, atomic scan, around it. While this is valuable, scanning by itself is not enough to support a viable business model.
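To make concrete what “scanning against the same data” means, and how the policy gate in the CI/CD workflow described earlier consumes a scan result, here is an added example in Python. It is not code from Clair, Anchore, OpenSCAP or any other product named in this article. The package manifest, the advisory feed, the EXAMPLE-000N identifiers and the Policy field names are constructed for illustration, and version_key is a deliberate simplification of real dpkg/rpm version ordering.

```python
"""Minimal container image scanner core plus a deploy-policy gate.

Added example for this article, not code from Clair, Anchore, OpenSCAP or any
other product named here. All package versions, advisories and EXAMPLE-000N
identifiers below are constructed sample data, not real CVE records.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def version_key(version: str) -> tuple:
    """Sortable key for a package version string.

    Simplified on purpose: splits into digit and letter runs so that
    1.0.1e-2 < 1.0.1f-1 and 4.3-7 == 4.3-7. Real dpkg/rpm ordering (epochs,
    '~' sorting before everything, release fields) is more involved, and a
    production scanner must use the distribution's own comparison rules.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


@dataclass(frozen=True)
class Advisory:
    """One entry of a vulnerability feed: which package, fixed in which version."""
    vuln_id: str
    package: str
    fixed_in: Optional[str]   # None: the distribution has not shipped a fix yet
    severity: str


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed_in: Optional[str]
    severity: str


def scan(packages: Dict[str, str], feed: List[Advisory]) -> List[Finding]:
    """Match an image's installed packages against the feed.

    A package is affected when it is present and either no fix exists or the
    installed version sorts below the fixed version. This matching step is
    what most scanners share; the feeds and the version rules differ.
    """
    findings = []
    for adv in feed:
        installed = packages.get(adv.package)
        if installed is None:
            continue
        if adv.fixed_in is None or version_key(installed) < version_key(adv.fixed_in):
            findings.append(Finding(adv.vuln_id, adv.package, installed, adv.fixed_in, adv.severity))
    return findings


@dataclass(frozen=True)
class Policy:
    """Deploy gate settings a security team would set once, per environment.

    Field names are this example's own, not any product's configuration.
    """
    block_at: str = "High"                  # block at this severity or above
    allowlist: frozenset = frozenset()      # vuln IDs with a documented exception
    ignore_unfixed: bool = False            # skip findings no rebuild can remove


def evaluate(findings: List[Finding], policy: Policy) -> Tuple[bool, List[Finding]]:
    """Return (deploy_allowed, blocking_findings) for an image's scan result."""
    threshold = SEVERITY_RANK[policy.block_at]
    blocking = [
        f for f in findings
        if f.vuln_id not in policy.allowlist
        and not (policy.ignore_unfixed and f.fixed_in is None)
        and SEVERITY_RANK[f.severity] >= threshold
    ]
    return (len(blocking) == 0, blocking)


# Constructed sample data: a package list as a scanner would extract it from
# an image's dpkg database, and a tiny advisory feed.
SAMPLE_IMAGE = {
    "openssl": "1.0.1e-2",
    "bash": "4.3-7",
    "libxml2": "2.9.1+dfsg1-3",
}
SAMPLE_FEED = [
    Advisory("EXAMPLE-0001", "openssl", "1.0.1f-1", "High"),   # image is behind the fix
    Advisory("EXAMPLE-0002", "bash", "4.3-7", "Critical"),     # already at the fixed version
    Advisory("EXAMPLE-0003", "libxml2", None, "Medium"),       # no fix available
    Advisory("EXAMPLE-0004", "curl", "7.38.0-1", "High"),      # package not in the image
]

if __name__ == "__main__":
    found = scan(SAMPLE_IMAGE, SAMPLE_FEED)
    for f in found:
        print(f"{f.vuln_id} {f.package} {f.installed} (fixed in {f.fixed_in}) {f.severity}")
    allowed, blocking = evaluate(found, Policy())
    print("deploy allowed:", allowed, "blocking:", [f.vuln_id for f in blocking])
```

Run stand-alone, the sample image produces two findings (openssl behind its fix, libxml2 with no fix) and the default policy blocks the deploy on the High openssl finding. The ignore_unfixed knob is the caveat worth noticing: a finding with no available fix cannot be removed by rebuilding the image, so blocking on it stalls the pipeline without improving the image, which is why most teams gate only on fixable findings and track the rest separately. Any ID placed in the allowlist should carry a written exception with an owner and an expiry, otherwise the gate quietly erodes.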

Software companies that focus on container security will monetize vulnerability scanning in one of several ways. One approach is bundling scanning with container registries. Another is bundling scanning and analysis capabilities into products that manage the larger CI/CD deployment pipeline. Focusing on policy management is a third approach that has much promise, because enterprises have a history of paying for it. How policy management tools are implemented and what type of automation they enable will be the topic of future writing. In the meantime, here are some more companies working on using policies to enhance container security:

The New Stack has deep coverage of container vulnerability scanning. Look forward to reading more in the upcoming fourth installment of our ebook series.

CoreOS,  Docker, IBM, Mesosphere, and Red Hat are sponsors of The New Stack.

Feature Image via Pixabay.


