Enhancing Container Security with NeuVector Registry Scanning

Yunus Y · Published in HangiKredi · 5 min read · May 3, 2024

Introduction

Scanning container images and enforcing vulnerability and compliance management are foundational aspects of container security. Here’s why:

  • Early Detection of Weaknesses: Regular scans identify vulnerabilities (weaknesses) in container images before deployment. This allows developers to fix the problems and prevents attackers from exploiting them.
  • Reduced Risks: Unpatched vulnerabilities create security gaps that attackers can leverage. Vulnerability management helps close these gaps and reduces the overall risk to your containerized applications.
  • Compliance with Regulations: Many industries have regulations that require specific security practices. Vulnerability and compliance management helps your container deployments meet these regulations and compliance standards such as GDPR, NIST, HIPAA, and PCI, and helps you avoid potential penalties.

While manual image scanning offers valuable insights, it becomes impractical for large-scale deployments. Automated image scanning tools address this by streamlining vulnerability assessments and enhancing overall security.

DevSecOps and Automated Scanning Tools

DevSecOps integrates security measures into the early stages of product development, reducing security remediation costs in production and facilitating faster product delivery (Shift Left Approach). Automated tools like Trivy, Aqua Security, Twistlock (now Prisma Cloud), Snyk, and NeuVector seamlessly scan and monitor container images for vulnerabilities, providing developers with prompt feedback and fortifying the overall security posture of containerized applications.

NeuVector: Multi-Layered Container Security

NeuVector offers a comprehensive suite of security features designed to safeguard Kubernetes environments across various stages of the SDLC:

  • Compliance Scanning: NeuVector’s compliance scanning seamlessly integrates with your pipelines and runtime environment. It compares your Kubernetes setup’s security settings to a standard (CIS Kubernetes Benchmark) and highlights any deviations, helping you meet industry regulations.
  • Vulnerability Scanning: NeuVector’s vulnerability scanning works seamlessly in your pipelines and during runtime. It detects software vulnerabilities in container images, cluster nodes, or the cluster orchestrator (Kubernetes). NeuVector’s admission controller leverages these scan results to identify and potentially block images with security risks.
  • Integration with DevOps Tools: NeuVector’s scanning capabilities seamlessly integrate with popular DevOps tools like Jenkins, GitHub Actions, and Azure DevOps. This makes it easy to include security checks throughout your development workflow.

Runtime Security: Zero-Trust and Behavior-Based Policies

NeuVector’s runtime security employs behavior-based zero-trust security policies. These policies remain effective even when vulnerabilities are unidentified or lack patches. Notably, NeuVector holds nine United States patents for its network-centric inspection and its ability to enforce network policies in Kubernetes without relying on sidecars, agents, or iptables manipulation.

Integrating NeuVector with Rancher for Registry Scanning

This section will showcase how to integrate NeuVector with Rancher for registry scanning:

Prerequisites:

  • A Kubernetes cluster managed by Rancher.

Steps:

  1. Deploy NeuVector: You can easily deploy the NeuVector Helm chart in Rancher by following the doc: https://ranchermanager.docs.rancher.com/integrations-in-rancher/neuvector/overview#neuvector-integration-in-rancher
[Figure: NeuVector Installation via Rancher]
  2. Access the NeuVector Dashboard: Navigate to the cluster explorer of the cluster where NeuVector is installed. In the left navigation bar, click NeuVector, then click the external link to open the NeuVector UI. On first access, users must accept the END USER LICENSE AGREEMENT before the UI is available. If authentication via Rancher fails, you can reach the UI directly through a node IP and the NodePort of the NeuVector web UI service:
     # Get the NeuVector URL by running these commands:
     NODE_PORT=$(kubectl get --namespace cattle-neuvector-system -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
     NODE_IP=$(kubectl get nodes --namespace cattle-neuvector-system -o jsonpath="{.items[0].status.addresses[0].address}")
     echo https://$NODE_IP:$NODE_PORT
  3. Navigate to Assets -> Registries: Locate the “Assets” section and open the “Registries” submenu.
[Figure: Adding Registry to Scan All Images]

  4. Configure Registry Settings: Select the appropriate registry type (e.g., Gitlab Registry) and provide the following details:

  • Registry Name: Assign a descriptive name for the registry.
  • Registry URL: Enter the URL of the container image registry.
  • Username: Provide the username for registry authentication.
  • Password: Enter the password for registry authentication.
  • Filter (Optional): Specify a filter to target specific repositories within the registry for scanning. Use (*) to scan all.

  5. Test Configuration (Optional): Use the “Test Setting” button to verify the configuration and identify any errors.

  6. Enable Scanning Options: Configure the desired scanning options:

  • Rescan after CVE DB update: Rescan images automatically each time the CVE database is updated, so scans detect newly discovered vulnerabilities in images that were already scanned.
  • Scan Layers: Enable scanning of all image layers to uncover vulnerabilities hidden in intermediate layers.
  • Periodic Scan (Optional): Schedule periodic registry scans if desired.

  7. Initiate Registry Scan: Click the “Start Scan” button to commence the initial scan of the configured registry.

  8. Review Scan Results: The details page displays a list of scanned images, along with their corresponding vulnerability counts categorized by severity (high, medium). The overview page highlights the top 5 riskiest images within the registry.

  9. Detailed Image Analysis: Click on individual images to access detailed information, including:

  • Vulnerability Tab: This tab lists all vulnerabilities discovered within the image. If layer scanning was enabled, vulnerabilities are also displayed per layer.
  • Compliance Tab: This tab shows compliance information related to the image.
  • Modules Section: This section identifies vulnerable packages within the image.
[Figure: Image Scanning Result by Layer]

  10. Generate Reports: NeuVector allows you to download reports for vulnerabilities, compliance, and other security aspects. Reports can be viewed and downloaded from several menus in the NeuVector console. The Dashboard displays a security summary which can be downloaded as a PDF. The PDF download can be filtered by namespace if desired.

https://open-docs.neuvector.com/reporting/reporting#reporting
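As an added illustration (not NeuVector’s own code and not from the original post), the Python below models the policy logic the registry-scanning steps above describe: the registry Filter field as a glob over repository names, the per-image severity counts and top-5 riskiest ranking shown on the results pages, the by-layer view that Scan Layers enables, and an admission-controller style block/allow decision over those counts. The scan-result structure, image names and CVE ids are constructed placeholders; NeuVector’s real report format is assumed to differ.

```python
"""Policy logic over registry scan results (added example, not NeuVector's code).
SCAN_RESULTS is a constructed stand-in for what the scan details page shows per
image; NeuVector's real report/export format is assumed to differ."""
from collections import Counter
from fnmatch import fnmatch

# Constructed sample data: three images with placeholder CVE ids.
SCAN_RESULTS = [
    {"repository": "payments/api", "tag": "1.4.2", "vulnerabilities": [
        {"cve": "CVE-EXAMPLE-0001", "severity": "High", "package": "openssl", "layer": "sha256:aaa"},
        {"cve": "CVE-EXAMPLE-0002", "severity": "Medium", "package": "libc", "layer": "sha256:bbb"}]},
    {"repository": "payments/worker", "tag": "2.0.0", "vulnerabilities": [
        {"cve": "CVE-EXAMPLE-0003", "severity": "Medium", "package": "zlib", "layer": "sha256:ccc"}]},
    {"repository": "tools/debug", "tag": "latest", "vulnerabilities": [
        {"cve": "CVE-EXAMPLE-0004", "severity": "High", "package": "busybox", "layer": "sha256:ddd"},
        {"cve": "CVE-EXAMPLE-0005", "severity": "High", "package": "curl", "layer": "sha256:ddd"}]},
]

def select_images(results, repo_filter="*"):
    """Apply the registry 'Filter' field as a glob over repository names ('*' = all)."""
    return [img for img in results if fnmatch(img["repository"], repo_filter)]

def severity_counts(image):
    """Per-image counts by severity, as listed on the scan details page."""
    return Counter(v["severity"] for v in image["vulnerabilities"])

def vulns_by_layer(image):
    """Group findings by the layer that introduced them (the 'Scan Layers' view)."""
    by_layer = {}
    for v in image["vulnerabilities"]:
        by_layer.setdefault(v["layer"], []).append(v["cve"])
    return by_layer

def riskiest(results, top_n=5):
    """Rank images by (High, Medium) counts, worst first; the overview shows the top 5."""
    def risk(img):
        c = severity_counts(img)
        return (c["High"], c["Medium"])
    ranked = sorted(results, key=risk, reverse=True)
    return [f'{img["repository"]}:{img["tag"]}' for img in ranked[:top_n]]

def admission_decision(image, max_high=0, max_medium=5):
    """Admission-controller style gate: block when counts exceed the policy thresholds."""
    c = severity_counts(image)
    return "block" if c["High"] > max_high or c["Medium"] > max_medium else "allow"
```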

Conclusion

Integrating NeuVector with Rancher for registry scanning elevates the security posture of your containerized applications. This comprehensive approach empowers you to proactively mitigate vulnerabilities by identifying security weaknesses within container images (container image vulnerability scanning) before deployment. This enables developers to address these issues promptly, preventing attackers from exploiting them in production environments.

NeuVector also simplifies maintaining compliance with confidence. By ensuring your container deployments adhere to industry regulations and security best practices (Kubernetes CIS compliance scanning), you align with benchmarks like CIS Kubernetes and demonstrate a commitment to robust security, potentially avoiding penalties.

Furthermore, NeuVector streamlines workflows while bolstering security. Its seamless integration with popular DevOps tools allows you to incorporate vulnerability scanning (CI/CD pipeline security) throughout your development lifecycle. This efficient approach strengthens your security posture without hindering development velocity.

Ultimately, NeuVector’s registry scanning empowers informed decisions regarding image deployments, leading to a more secure and compliant containerized environment throughout the SDLC.
