Containers: Securing Your Software Supply Chain

Ashley Abbott
4 min read · Jun 16, 2023

In today’s container ecosystem it’s hard to imagine an organisation that doesn’t depend on prebuilt base images. Unfortunately, this makes you beholden to the software supply chain of every part of its software.

What is a Software Supply Chain?

A software supply chain refers to the process of creating and distributing software. Imagine you have a software application that you want to run on a cloud platform. Instead of installing the application directly on a single instance of compute, you package it inside a special vessel called a container image. This container image includes not only the application code but also all the necessary dependencies, libraries, and configurations it needs to run smoothly.

Now, the container image needs to go through various stages before it can be deployed and used on the cloud. These stages are part of the software supply chain.

First, the developers write the code for the application and create a container image. They use tools and technologies specifically designed for building and packaging software in containers. These tools ensure that all the required components are included in the container image and that it is OCI compliant.

Next, it’s common to have some testing framework to validate that the application is doing what is expected of it, possibly testing several failure modes as well. The testing phase is crucial for ensuring the quality and reliability of the software.

Once the container image is built and has successfully passed the testing phase, it is stored in a container registry. A container registry is like a specialised database or repository for storing container images. It acts as a central hub from which developers or operations teams can pull container images for use in their orchestration tool of choice.

Throughout the entire software supply chain, security and integrity are critical considerations. Container images can be vulnerable to security risks or tampering. To address this, various security measures are implemented, such as scanning the container image for known vulnerabilities and digitally signing the image to verify its authenticity.

Vulnerability Scanning

The Certified Kubernetes Security Specialist (CKS) exam syllabus covers a tool called Trivy (by Aqua Security). Trivy is a powerful tool that is capable of more than just container vulnerability scanning, and I would certainly recommend reading through the documentation to see how else it could benefit your security posture. Here, however, I’m going to focus on container image scanning.

Trivy can be installed using your system’s package manager, as a binary from GitHub Releases, via an install script, or executed as a Docker container. The basics of using Trivy are as simple as:

trivy image <image name>

This will download the CVE database, then report the findings to STDOUT in your terminal window. While this is useful, it would take considerable man hours if you were supporting varying workloads. Thankfully, Trivy is feature rich in this area.

To make best use of this tooling, it would make sense to utilise it within a CI/CD pipeline when you are building your container images. There is a GitHub Action available to run a Trivy scan (linked at the bottom). However, if you wanted to build something yourself, some flags that I find useful are:

--exit-code <integer>

--ignore-unfixed

--severity <string> (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)

--format <string> (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default table)

--template <string> (Trivy provides a handy HTML template)

--output <string>

Combining these flags would produce a command such as

trivy image --exit-code 1 --ignore-unfixed --severity CRITICAL --format template --template @./html.tpl --output report.html nginx:latest

This command will scan the provided container image, omit any vulnerabilities that don’t yet have a fix, exit with an error code of 1 if any vulnerabilities of CRITICAL severity are found, and produce an HTML report from the provided template, which will look similar to this:

Whether you are using Jenkins, GitLab CI, GitHub Actions or another CI/CD tool, this approach could be adopted to build a strong software supply chain security posture. This then enhances security assurance, mitigates risks, ensures compliance, addresses third-party dependencies, and supports continuous security practices. It helps organizations deliver more secure and reliable software applications while maintaining the integrity of the entire software supply chain.
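If you save one scan with --format json, the same policy can be applied in the pipeline afterwards. The sketch below is an added example, not code from the original post or from the Trivy project: it mirrors --severity, --ignore-unfixed and --exit-code over a constructed report whose field names follow Trivy's JSON output, and the function names and placeholder IDs are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output.
# The IDs and package names are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:latest",
    "Results": [
        {"Target": "nginx:latest (debian)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
             "InstalledVersion": "2.0", "Severity": "CRITICAL"},  # no fix yet
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
             "InstalledVersion": "3.0", "FixedVersion": "3.2", "Severity": "HIGH"},
        ]},
        {"Target": "app/requirements.txt"},  # clean target: key is absent
    ],
})


def blocking_findings(report_json, severities=("CRITICAL",), ignore_unfixed=True):
    """Findings that should fail the build (mirrors --severity / --ignore-unfixed)."""
    report = json.loads(report_json)
    wanted = {s.upper() for s in severities}
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet, so do not block on it
            hits.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                         vuln.get("PkgName", "?"), vuln.get("FixedVersion", "")))
    return hits


def gate(report_json, exit_code=1, **policy):
    """Exit code the CI step should return (mirrors --exit-code)."""
    hits = blocking_findings(report_json, **policy)
    for target, vuln_id, pkg, fixed in hits:
        print(f"BLOCK {vuln_id} {pkg} in {target} (fixed in: {fixed or 'none'})")
    return exit_code if hits else 0


if __name__ == "__main__":
    print("exit code:", gate(SAMPLE_REPORT))
```

Keeping the full JSON report as a build artifact lets the pipeline block only on fixable CRITICAL findings while the unfixed and lower-severity ones remain visible for review.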

Summary

Within the context of cloud technology, a software supply chain for container images refers to the process of creating, testing, storing, and deploying containerised software applications. It involves specialised tools, testing procedures, container registries, and orchestration tools, all while ensuring the security and reliability of the software.

References
