Container Security Tool – Aqua

Container Security Tool – Aqua Security’s MicroScanner lets you check your container images for vulnerabilities. If your image has any known high-severity issue, MicroScanner can fail the image build, making it easy to include as a step in your CI/CD pipeline.

Container Security Tool – Aqua provides end-to-end security for applications running on Docker Enterprise Edition or Community Edition, protecting the DevOps pipeline and production workloads in runtime with full visibility and control.

With Aqua, you can protect your Docker applications running on either Linux (docker or container runtimes) or Windows, with powerful image assurance, container immutability, and least-privilege enforcement, and container firewall.

Advantages of Aqua Container Scanner :

1. Integrate security controls into your DevOps pipeline.
2. Protect Docker applications at runtime, in real-time.
3. Apply enterprise-grade security to your Docker environment.
4. Continuous Image Assurance.
5. Runtime Security for Docker.
6. Secrets Management.
7. Docker CIS Benchmark Validation.
8. Container Firewall for Docker.
9. Granular Security Events Auditing.

How to register for the Aqua Container security token :

Login to the URL and then fill up the details on the page and then we will be getting an email and when we click on it we will get the full details like shown below :

https://microscanner.aquasec.com/signup

Adding micro scanner to your Dockerfile:

1. To use MicroScanner you’ll first need to register for a token.

$ docker run --rm -it aquasec/microscanner --register <email address>

2. Adding microscanner to your Dockerfile

The following lines add microscanner to a Dockerfile, and execute it.

ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
RUN /microscanner <TOKEN> [--continue-on-failure]

3. You may also need to add ca-certificates to the image if they are not already built into the parent image, or added in your Dockerfile so that micro scanner can make an HTTPS connection. For example (Debian):

RUN apt-get update && apt-get -y install ca-certificates

or (Alpine):

RUN apk add --no-cache ca-certificates && update-ca-certificates

4. Example Dockerfile

FROM debian:jessie-slim
RUN apt-get update && apt-get -y install ca-certificates
ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
ARG token
RUN /microscanner ${token}
RUN echo "No vulnerabilities!"

Pass the token obtained on registration in at build time.

$ docker build --build-arg=token=<TOKEN> --no-cache .RUN apk add --no-cache ca-certificates && update-ca-certificates && \
    wget -O /microscanner https://get.aquasec.com/microscanner && \
    chmod +x /microscanner && \
    /microscanner <token> && \
    rm -rf /microscanner

Demo on the Aqua Container Scanning:

1. Once after we register and then get the token from the Aqua team, we need to include that in our Dockerfile.
2. Below is the sample Dockerfile before the addition of the Aqua token.

3. When we build this image we will get the image created such as below , we use this command to do it.

docker build -t <imagename> <location of the Dockerfile>

4. To run the docker image to see the output we need to port map it as the internal port of the image is tagged to the port 80 and the outer port we need to map it to the port which is available as 8090 or 8080 depending upon the free port available on the machine.

5. Now we can include the Aqua container scanner API key from the email which we received above.

6. When we build this image we will get the image created such as below , we use this command to do it.

docker build -t <imagename> <location of the Dockerfile>

7. If we see the above the docker image while building it scans the complete image and then if tell us how many vulnerabilities are there and we can even define a condition that if there are any high vulnerability we can avoid to check-in the image into the registry.

8. To run the docker image to see the output we need to port map it as the internal port of the image is tagged to the port 80 and the outer port we need to map it to the port which is available as 8090 or 8080 depending upon the free port available on the machine.

If we see the above, we are getting the same output as the before one, but this time the image that you are using is the SCANNED one, and if we find any faults we can remove it before even it comes to our section. That’s the advantage of this container security.

Recommended Courses