⚖️ Bench (and choose) Java-8 docker images with anchore/grype

adriens - Apr 25 '22 - Dev Community

🛡️ Context : security 🐳

We recently started to put grype and Anchore Container Scan in our (GH based) CI pipeline.

In the meantime, we started to spread container security culture across Dev & Ops teams, especially around grype tooling (which is very easy to handle).

Now ...

all the people who produce and release Docker images have grype installed on their workstation, which helps promote a shift-left culture.

Next to that we wanted to automate, monitor and alert on security issues so we'll be able to run a proper maintenance pipeline by linking issues to code actions.

🛤️ Action

Finally we created the following scheduled workflows to monitor our stable and latest tags (the ones we deploy)... and be notified when they fail according to


📉 Issue management & kanban

We wanted to be notified and to embed security concerns into our project planning: we needed to get alerts as issues:


Also, thanks to custom and shared labels across our organization, it is possible to report these issues globally.


Now we get all the required details within the (self updating) issue so we can assign it, investigate, link it to other tasks, assign it to a SCRUM and so many other things.


🚨 Then the real world came to us

For now, we have set the workflow to fail as soon as a Critical level has been reached... and here is what we got on one of our projects :


These issues were affecting our core java image that was relying on : openjdk:8-alpine.

Then here is what we got 😱 👇


So I started to count them :

grype openjdk:8-alpine | grep Critical | wc -l
grype openjdk:8-alpine | grep High | wc -l

Then, with that methodology I could very quickly build the following benchmark :

| Image | Critical | High | Medium | Low | Negligible |
|---|---|---|---|---|---|
| openjdk:8-alpine | 10 | 55 | 110 | 142 | 0 |
| openjdk:8u102 | 6 | 234 | 685 | 140 | 232 |
| adoptopenjdk/openjdk8 | 0 | 0 | 8 | 21 | 7 |
| adoptopenjdk/openjdk8:alpine-jre | 0 | 0 | 0 | 0 | 0 |
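
The same count taken from grype's JSON output (`grype <image> -o json`) instead of grepping the table, where `grep High` also matches a package whose name contains "High". This is an added example, not code from the original post; the sample report and CVE ids are constructed, and the function names and the `ignored_ids` parameter are hypothetical.

```python
import json
import sys
from collections import Counter

SEVERITIES = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample, trimmed to the fields of `grype <image> -o json` used below.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},  # same match twice
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},  # `grep High` hits the name
     "artifact": {"name": "libHighlight", "version": "2.1"}},
    {"vulnerability": {"id": "CVE-0000-0004"},  # no severity recorded
     "artifact": {"name": "zexample", "version": "0.9"}},
]})


def count_by_severity(report_json, ignored_ids=()):
    """Count unique (vulnerability id, package, version) matches per severity."""
    seen, counts = set(), Counter()
    for match in json.loads(report_json).get("matches", []):
        vuln, pkg = match["vulnerability"], match["artifact"]
        key = (vuln["id"], pkg["name"], pkg["version"])
        if vuln["id"] in ignored_ids or key in seen:
            continue
        seen.add(key)
        severity = vuln.get("severity", "Unknown")
        counts[severity if severity in SEVERITIES else "Unknown"] += 1
    return {s: counts[s] for s in SEVERITIES}


def gate_fails(counts, threshold="Critical"):
    """True when any finding sits at or above the threshold severity."""
    cutoff = SEVERITIES.index(threshold)
    return any(counts[s] for s in SEVERITIES[:cutoff + 1])


def benchmark_row(image, counts):
    """One benchmark row: image name, then counts in SEVERITIES order."""
    return " | ".join([image] + [str(counts[s]) for s in SEVERITIES])


if __name__ == "__main__":
    # Arguments are paths to saved JSON reports; with none, use the sample.
    reports = {p: open(p).read() for p in sys.argv[1:]} or {"sample": SAMPLE_REPORT}
    for name, text in reports.items():
        counts = count_by_severity(text)
        print(benchmark_row(name, counts), "FAIL" if gate_fails(counts) else "ok")
```
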

❇️ Jaw dropping adoptopenjdk/openjdk8:alpine-jre


👉 Finally we started to migrate our core java layer from openjdk:8-alpine to adoptopenjdk/openjdk8:alpine-jre


☝️ Be aware that if under certain circumstances vulnerabilities should be considered as acceptable, it is possible to create a configuration file to ignore certain matches :


☝️ Conclusion

Thanks to continuous scanning and proper alerting, we could seriously improve our core Java runtime for legacy source code that only supports the Java 8 runtime: we could switch from a runtime with 10 Critical issues to a runtime with 21 Low security issues.

It is possible to generate a SARIF vulnerability report so it can be displayed :


... delivered to other systems.

See more details about SARIF support in grype :

Add SARIF report output #304

What would you like to be added:

I see https://github.com/anchore/scan-action supports a SARIF report. However, instead of using the grype --template option, it creates it in the code.

Is there any plan to create a template for use by grype?

Why is this needed:

Being able to create a SARIF report no matter how you use grype.

Additional context:

View on GitHub: https://github.com/anchore/grype/issues/304


🌌 Further

🔭 Organisation wide strategy

Finally many strategies are possible :

  • Per-repo strategy : each repo is responsible for its own monitoring with CI
  • Per-org single repo strategy : within a single repo, monitor all published images with CI
  • Global & ready-to-use Container Registry Scanning by anchore for policy enforcement, security insights


See global solution below :

Each of these approaches has its pros and cons,... just pick (or create) your own solution to achieve this goal.

👀 Remarkable grype issues

Find below some issues :
