Security Scanner Targets Container Image Registries
Lingering vulnerabilities within cloud-native platforms built around Kubernetes orchestrator deployments are spawning new security tools for scanning image registries, among the most vulnerable components of application container infrastructure.
Aqua Security released an open source tool this week for scanning image registries running on Docker and the enterprise version of Mirantis Docker. The security tool also targets Harbor, an open source container image registry project spearheaded by the Cloud Native Computing Foundation (CNCF).
The Boston-based infrastructure security specialist said Monday (March 16) its Trivy scanner released last year has so far attracted what it called a “broad following” on the GitHub collaboration web site. The vendor attributes Trivy’s rapid adoption to its ability to handle both operating system and programming language dependencies. That flexibility is billed as making it easier to integrate the scanner into existing software development pipelines.
The vulnerability scanner is available under an Apache Foundation license that allows royalty-free use and distribution.
Concerns about the security of the cluster orchestrator came into sharp relief when a “privilege escalation vulnerability” surfaced in versions 1.0 and higher of the Kubernetes orchestrator along with the Red Hat OpenShift container platform.
In response, Docker and others sought to address vulnerabilities with secure image registries based on production deployments of Kubernetes.
Mirantis, which acquired container pioneer Docker’s enterprise platform last fall, said it is integrating Trivy with its trusted image registry running on its Docker platform.
Meanwhile, Trivy is the default image scanner for the latest release of the Harbor open source container image registry. The repository secures images via role-based access controls, then scans images for vulnerabilities and confirms trusted images.
Aqua Security said Trivy is the latest in a series of its open source security projects aimed at cloud native platforms in general and Kubernetes in particular. Among them is kube-bench, used to automatically determine whether the cluster orchestrator is configured according to industry benchmarks.
Others geared toward Kubernetes deployments include: a security test tool called kube-hunter used to screen clusters for vulnerabilities, allowing security teams to fix them before they are exploited; and a tool for simplifying queries about the configuration of role-based access controls.
These and other open source projects aim to address requirements for real-time responses to security threats rather than attempting to develop fixes on the fly. Vendors such as Aqua Security are stressing approaches that allow users of open source software to secure clusters and workloads running across public clouds.
The image scanner initiative also builds on earlier CNCF efforts to secure Kubernetes, including a pilot program of public security audits launched last summer.