Secure your container image deployments

OCI Container Image Scanning, Signing, and Verification

Mickey Boxell
Aug 26

Introduction

Oracle Cloud Infrastructure (OCI) supports container image Scanning, Signing, and Verification. Together, these capabilities help you ensure the security of your cloud-native software deployments.

Imagine a software development team working to deliver a business-critical application that handles sensitive data. A developer commits code to a continuous integration and continuous delivery (CI/CD) tool, which kicks off a build. The CI/CD tool then pushes the newly built container image to an Oracle Cloud Infrastructure Registry (OCIR) repository and, when ready, the new image is deployed to a production OCI Container Engine for Kubernetes (OKE) cluster.

While this sounds like a reasonable CI/CD process, it is missing a few key steps. Critical to shipping compliant and secure containers, system administrators need to be able to ensure that container images:

  • Are free of known critical vulnerabilities that could cause an accidental system failure or be exploited for malicious activity.
  • Have not been modified after they were built and pushed to the registry.
  • Come from a trusted source, that is, were signed with a key the organization controls.

OCI Container Image Scanning, Signing, and Verification address all three of these secure container deployment needs.

Scanning images

OCI Registry enables users or systems to push container images to repositories. You can now enable scanning of container images stored in OCI Registry for security vulnerabilities published in the publicly available Common Vulnerabilities and Exposures (CVE) database. Once scanning is enabled on a repository, the OCI Vulnerability Scanning service scans any image you push into the repository as well as the images already present. Repositories with scanning enabled are automatically rescanned when new vulnerabilities are added to the CVE database. For every scanned image, you can view the scan results, the overall risk level of the scan, and a description of each vulnerability along with a link to its CVE database entry. Because of the rescanning, an image that was clean when it was pushed can later show findings, so a deployment gate should read the latest scan result for the exact image digest being deployed rather than a result cached at build time.
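A scan result is only useful if something acts on it. The Go program below is an added example, not code from the original post or from OCI, of the gate a CI/CD step might apply to a scan report before promoting an image: it ties the report to the exact image digest being deployed (a tag can be re-pointed after a scan, a digest cannot), blocks on findings at or above a chosen severity, and fails closed on a severity value it does not recognise. The JSON shape, the repository name and the CVE identifiers are constructed for the example and are not the OCI scan-result schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Finding is one vulnerability in a scan report. The JSON field names here are
// constructed for this example; they are not the OCI scan-result schema.
type Finding struct {
	CVE      string `json:"cve"`
	Severity string `json:"severity"` // LOW, MEDIUM, HIGH, CRITICAL
	Package  string `json:"package"`
	FixedIn  string `json:"fixed_in"` // empty when no fixed version exists yet
}

// ScanReport is the result for one image: the digest that was scanned plus findings.
type ScanReport struct {
	Repository string    `json:"repository"`
	Digest     string    `json:"digest"`
	Findings   []Finding `json:"findings"`
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// rank orders severities; a value the gate does not recognise ranks above
// CRITICAL so that an unexpected or malformed severity fails closed.
func rank(sev string) int {
	if r, ok := severityRank[sev]; ok {
		return r
	}
	return len(severityRank) + 1
}

// ParseReport decodes a report and rejects one with no digest: a result that
// cannot be tied to specific image content is useless as a deployment gate.
func ParseReport(raw []byte) (ScanReport, error) {
	var r ScanReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return ScanReport{}, err
	}
	if r.Digest == "" {
		return ScanReport{}, fmt.Errorf("scan report has no image digest")
	}
	return r, nil
}

// Gate decides whether the image identified by wantDigest may be promoted.
// It refuses to reason about a report for any other digest and blocks on every
// finding at or above threshold. Blocking findings come back worst-first.
func Gate(r ScanReport, wantDigest, threshold string) (bool, []Finding, error) {
	floor, ok := severityRank[threshold]
	if !ok {
		return false, nil, fmt.Errorf("unknown threshold %q", threshold)
	}
	if r.Digest != wantDigest {
		return false, nil, fmt.Errorf("report covers %s, deploying %s", r.Digest, wantDigest)
	}
	var blocking []Finding
	for _, f := range r.Findings {
		if rank(f.Severity) >= floor {
			blocking = append(blocking, f)
		}
	}
	sort.Slice(blocking, func(i, j int) bool {
		return rank(blocking[i].Severity) > rank(blocking[j].Severity)
	})
	return len(blocking) == 0, blocking, nil
}

// sampleReport is constructed sample data with placeholder CVE IDs, not output
// captured from OCI Vulnerability Scanning.
const sampleReport = `{
  "repository": "acme/payments-api",
  "digest": "sha256:4f5c0f1fbc0b9e3d1e0a36a2d3c9d5e8a1b2c3d4e5f60718293a4b5c6d7e8f90",
  "findings": [
    {"cve": "CVE-0000-0001", "severity": "CRITICAL", "package": "openssl", "fixed_in": "1.1.1k"},
    {"cve": "CVE-0000-0002", "severity": "LOW",      "package": "bash",    "fixed_in": ""},
    {"cve": "CVE-0000-0003", "severity": "HIGH",     "package": "curl",    "fixed_in": "7.76.0"},
    {"cve": "CVE-0000-0004", "severity": "UNRATED",  "package": "zlib",    "fixed_in": ""}
  ]
}`

func main() {
	report, err := ParseReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	// In a pipeline, wantDigest comes from the build/push step, never from a tag lookup.
	ok, blocking, err := Gate(report, report.Digest, "HIGH")
	if err != nil {
		panic(err)
	}
	if ok {
		fmt.Println("promote", report.Digest)
		return
	}
	fmt.Println("blocked", report.Digest)
	for _, f := range blocking {
		fmt.Printf("  %-8s %s in %s (fixed in: %q)\n", f.Severity, f.CVE, f.Package, f.FixedIn)
	}
}
```

Running it against the constructed report blocks promotion on the UNRATED, CRITICAL and HIGH findings and leaves the LOW one alone; passing a different digest or an unknown threshold returns an error instead of a pass, which is the behaviour you want from anything that stands between a build and production.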

Signing and verifying images

To ensure images are not modified after being pushed, you can now sign an image in OCI Registry using master encryption keys stored in OCI Vault. You can view an image's signatures and verify them; a signature that no longer verifies means the image content (or the signature itself) changed after signing, so the integrity of the image can no longer be trusted.

Finally, you can configure OCI Container Engine for Kubernetes with a cluster-specific policy that allows only container images in OCI Registry signed by a particular master encryption key to be deployed to the cluster. Images without a valid signature from that key are denied. Since the policy pins specific keys, the guarantee is only as strong as the control over who can sign with those keys.
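To make the signing and verification steps concrete, the Go program below is an added example (not OCI's implementation and not code from the original post) of the same trust model, using an ECDSA P-256 key in place of a Vault-held master encryption key: the signer binds a signature to the image manifest digest, and a cluster-side policy pinned to a set of trusted key identifiers admits an image only when a signature from one of those keys verifies over the digest of the content actually being deployed. The manifest bytes and the key identifiers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ImageDigest returns the content digest of a manifest in the registry's
// "sha256:<hex>" form. A signature binds to this digest, not to a mutable tag.
func ImageDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Signature is what gets stored alongside the image. KeyID is an assumed
// identifier for the signing key, standing in for a Vault key reference.
type Signature struct {
	KeyID  string
	Digest string // manifest digest that was signed
	DER    []byte // ASN.1 DER-encoded ECDSA signature
}

// Signer holds the private key; in OCI that key never leaves Vault.
type Signer struct {
	KeyID string
	priv  *ecdsa.PrivateKey
}

func NewSigner(keyID string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{KeyID: keyID, priv: priv}, nil
}

func (s *Signer) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign signs SHA-256(digest string), which is exactly what Admit recomputes.
func (s *Signer) Sign(digest string) (Signature, error) {
	h := sha256.Sum256([]byte(digest))
	der, err := ecdsa.SignASN1(rand.Reader, s.priv, h[:])
	if err != nil {
		return Signature{}, err
	}
	return Signature{KeyID: s.KeyID, Digest: digest, DER: der}, nil
}

// ClusterPolicy models the cluster-side rule: deploy only images carrying a
// valid signature from one of the pinned keys.
type ClusterPolicy struct {
	trusted map[string]*ecdsa.PublicKey
}

func NewClusterPolicy() *ClusterPolicy { return &ClusterPolicy{trusted: map[string]*ecdsa.PublicKey{}} }

func (p *ClusterPolicy) Trust(keyID string, pub *ecdsa.PublicKey) { p.trusted[keyID] = pub }

// Admit returns nil if the manifest may be deployed, otherwise the denial reason.
// Every failure path denies: unsigned, unknown key, changed content, bad signature.
func (p *ClusterPolicy) Admit(manifest []byte, sig *Signature) error {
	if sig == nil {
		return errors.New("denied: image is unsigned")
	}
	pub, ok := p.trusted[sig.KeyID]
	if !ok {
		return errors.New("denied: signed by untrusted key " + sig.KeyID)
	}
	digest := ImageDigest(manifest)
	if sig.Digest != digest {
		return errors.New("denied: content changed after signing")
	}
	h := sha256.Sum256([]byte(digest))
	if !ecdsa.VerifyASN1(pub, h[:], sig.DER) {
		return errors.New("denied: signature does not verify under " + sig.KeyID)
	}
	return nil
}

func main() {
	manifest := []byte(`{"schemaVersion":2,"layers":[]}`) // constructed stand-in for a manifest
	ci, _ := NewSigner("key-ci-pipeline")                // assumed key identifiers
	rogue, _ := NewSigner("key-rogue")
	policy := NewClusterPolicy()
	policy.Trust(ci.KeyID, ci.PublicKey())
	good, _ := ci.Sign(ImageDigest(manifest))
	bad, _ := rogue.Sign(ImageDigest(manifest))
	forged := bad
	forged.KeyID = ci.KeyID // claims the trusted key but was not signed by it
	tampered := append(append([]byte(nil), manifest...), '\n')
	fmt.Println("ci-signed, unchanged:", policy.Admit(manifest, &good))
	fmt.Println("ci-signed, modified: ", policy.Admit(tampered, &good))
	fmt.Println("rogue key:           ", policy.Admit(manifest, &bad))
	fmt.Println("forged key id:       ", policy.Admit(manifest, &forged))
	fmt.Println("unsigned:            ", policy.Admit(manifest, nil))
}
```

Only the first case is admitted. The forged case is why the policy must actually verify the signature rather than just compare key identifiers: a signature can claim any key ID, and only the cryptographic check ties it to the pinned public key. Appending a single byte to the manifest changes its digest and is enough for the "modified after signing" path to deny it.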

Bringing it all together

With all of these tools working together, users or systems can be confident that only scanned, signed images from a trusted source are deployed to their mission-critical Kubernetes clusters. Imagine the previously mentioned software development team adopts OCI Container Image Scanning, Signing, and Verification. Once a developer commits code, a build process is kicked off and their CI/CD tool pushes the newly built container image to an OCIR repository with scanning enabled:

  • OCI Vulnerability Scanning service scans the image upon ingestion and reports any known CVEs, so the team can address them before the image goes any further.
  • The image is signed in OCI Registry with a master encryption key stored in OCI Vault.
  • The OKE cluster's image verification policy checks for a valid signature from that key before the image is deployed; an unsigned image, or one modified after signing, is denied.

Want to know more?

To learn more or get hands-on, use the following resources:

Originally published on blogs.oracle.com

Oracle Developers

A community for developers by developers.

Aggregation of articles from Oracle engineers, Groundbreaker Ambassadors, Oracle ACEs, and Java Champions on all things Oracle technology. The views expressed are those of the authors and not necessarily of Oracle.

Written by Mickey Boxell, Product Manager — OCI Container Engine for Kubernetes (OKE)
