In a containerized DevOps lifecycle, a registry such as JFrog Artifactory provides a central place to store images before deployment. At Twistlock, we work with hundreds of cloud native customers, and many of them use Artifactory for its enterprise-grade integrations and workflow capabilities. By scanning those images and reporting on them, Twistlock shows you the status of images that are ready to run and gives developers direct feedback on problems before the images are deployed.

A typical lifecycle

In this case, I’m using a simple “Hello, World!” Node.js image as an example. I build this image in Jenkins and, once it has passed a test cycle, push it to my Artifactory registry:

From here, I could use any number of strategies, from a simple “docker pull” to a Kubernetes YAML file, to deploy this image to my Docker nodes; before I do that, however, I want to understand the risk associated with this image.

Registry scanning

To do so, I configure Twistlock to scan my Artifactory registry. Twistlock provides a direct Artifactory integration through a simple configuration window. Once configured, Twistlock scans my hellonode image and shows me detailed vulnerability information:

At a glance, I can see a number of serious vulnerabilities in the OS, Node.js, and Python packages included in this image. I can also dig into the image layer by layer to identify where each vulnerability was introduced:

The same data is also emitted via syslog, so from a security operations perspective I can feed it into a SIEM or alerting pipeline. Each finding is one line of key="value" pairs carrying the vulnerability identifier (a CVE or a NODE-SECURITY advisory), its severity, the affected package, the image digest and the registry path of the image:

May  9 16:47:56 neilcar Twistlock-Console[19]: time="2018-05-09T16:47:56.503961762Z" type="registry_scan" log_type="vulnerability" vulnerability_id="49" description="Image contains vulnerable Node.js components" cve="NODE-SECURITY-606" severity="high" package="sshpk" rule="Default - alert all components" host="neilcar.c.cto-sandbox.internal" image_id="sha256:962a0a28e1ab53d40871922dc95b937483690721527fa95d327b2d0fa240d0f2" image_name="http://neilcar-artifactory.lab.twistlock.com:80/docker/hellonode:latest"
May  9 16:47:56 neilcar Twistlock-Console[19]: time="2018-05-09T16:47:56.503974793Z" type="registry_scan" log_type="vulnerability" vulnerability_id="49" description="Image contains vulnerable Node.js components" cve="NODE-SECURITY-572" severity="low" package="is-my-json-valid" rule="Default - alert all components" host="neilcar.c.cto-sandbox.internal" image_id="sha256:962a0a28e1ab53d40871922dc95b937483690721527fa95d327b2d0fa240d0f2" image_name="http://neilcar-artifactory.lab.twistlock.com:80/docker/hellonode:latest"
May  9 16:47:56 neilcar Twistlock-Console[19]: time="2018-05-09T16:47:56.503991652Z" type="registry_scan" log_type="vulnerability" vulnerability_id="410" description="Image contains vulnerable Python components" cve="CVE-2017-9462" severity="high" package="mercurial" rule="Default - alert all components" host="neilcar.c.cto-sandbox.internal" image_id="sha256:962a0a28e1ab53d40871922dc95b937483690721527fa95d327b2d0fa240d0f2" image_name="http://neilcar-artifactory.lab.twistlock.com:80/docker/hellonode:latest"
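To show how a SOC would actually consume these lines, here is a small parser that reads the syslog output, keeps only registry_scan vulnerability records at or above a chosen severity, and groups them by image digest so that one alert can be raised per image. This is an added example, not Twistlock’s own code or API: the sample input is the three log lines shown above, embedded verbatim, and the severity ordering beyond the “high” and “low” values that appear on the page (critical and medium) is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the three Twistlock-Console syslog lines shown in the post,
# reproduced here so the example runs offline.
SAMPLE_LOG = r'''May  9 16:47:56 neilcar Twistlock-Console[19]: time="2018-05-09T16:47:56.503961762Z" type="registry_scan" log_type="vulnerability" vulnerability_id="49" description="Image contains vulnerable Node.js components" cve="NODE-SECURITY-606" severity="high" package="sshpk" rule="Default - alert all components" host="neilcar.c.cto-sandbox.internal" image_id="sha256:962a0a28e1ab53d40871922dc95b937483690721527fa95d327b2d0fa240d0f2" image_name="http://neilcar-artifactory.lab.twistlock.com:80/docker/hellonode:latest"
May  9 16:47:56 neilcar Twistlock-Console[19]: time="2018-05-09T16:47:56.503974793Z" type="registry_scan" log_type="vulnerability" vulnerability_id="49" description="Image contains vulnerable Node.js components" cve="NODE-SECURITY-572" severity="low" package="is-my-json-valid" rule="Default - alert all components" host="neilcar.c.cto-sandbox.internal" image_id="sha256:962a0a28e1ab53d40871922dc95b937483690721527fa95d327b2d0fa240d0f2" image_name="http://neilcar-artifactory.lab.twistlock.com:80/docker/hellonode:latest"
May  9 16:47:56 neilcar Twistlock-Console[19]: time="2018-05-09T16:47:56.503991652Z" type="registry_scan" log_type="vulnerability" vulnerability_id="410" description="Image contains vulnerable Python components" cve="CVE-2017-9462" severity="high" package="mercurial" rule="Default - alert all components" host="neilcar.c.cto-sandbox.internal" image_id="sha256:962a0a28e1ab53d40871922dc95b937483690721527fa95d327b2d0fa240d0f2" image_name="http://neilcar-artifactory.lab.twistlock.com:80/docker/hellonode:latest"
'''

# Syslog prefix: "<Mon DD HH:MM:SS> <host> <process[pid]>: <message>"
PREFIX_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<syslog_host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$'
)
# Message body: space-separated key="value" pairs; values may contain spaces,
# colons and slashes (URLs, rule names), so we only stop at the closing quote.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Assumed ordering; only "high" and "low" appear in the sample lines.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_line(line):
    """Parse one syslog line into a dict of fields, or None if it does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("msg")))
    fields["syslog_host"] = m.group("syslog_host")
    fields["syslog_ts"] = m.group("ts")
    return fields


def findings(log_text, min_severity="high"):
    """Return registry-scan vulnerability records at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        # Ignore anything that is not a vulnerability record from a registry scan
        # (the same syslog stream can carry other event types).
        if f.get("type") != "registry_scan" or f.get("log_type") != "vulnerability":
            continue
        if SEVERITY_RANK.get(f.get("severity", "").lower(), 0) < threshold:
            continue
        out.append(f)
    return out


def summarize_by_image(log_text, min_severity="high"):
    """Group (cve, package, severity) triples by image digest.

    Keying on image_id rather than image_name means a retagged copy of the
    same image collapses into one alert instead of several.
    """
    by_image = defaultdict(list)
    for f in findings(log_text, min_severity):
        by_image[f["image_id"]].append((f["cve"], f["package"], f["severity"]))
    return dict(by_image)


if __name__ == "__main__":
    for digest, issues in summarize_by_image(SAMPLE_LOG, "high").items():
        print(digest)
        for cve, pkg, sev in issues:
            print(f"  {sev:<6} {cve:<20} {pkg}")
```

With the threshold at “high”, the two high-severity findings (sshpk and mercurial) are reported against the single hellonode digest and the low-severity is-my-json-valid entry is dropped; lowering the threshold to “low” brings it back. Filtering on both type and log_type matters because a shared syslog stream will carry other Twistlock event types that lack the cve and package fields.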

Summary

When you use a modern Docker registry such as Artifactory in your DevOps workflow, Twistlock lets you quickly assess and respond to the risk of unresolved vulnerabilities in the images being shipped.
