Container security tools

Posted by tetley at 2020-02-27

Anchore Engine: image scanning tool

Official website address

Setup script

Installation document

    # Environment overview
    # OS: CentOS 7
    # Docker version: 18.09.6
    # Docker Compose version: 1.24.0

    # Create working directory
    mkdir anchore
    cd anchore

    # Pull the image
    docker pull docker.io/anchore/anchore-engine:latest

    # Create a throwaway container so the bundled compose file can be copied out
    docker create --name ae docker.io/anchore/anchore-engine:latest

    # Copy the configuration file
    docker cp ae:/docker-compose.yaml docker-compose.yaml

    # Remove the throwaway container
    docker rm ae

    # Start the services
    docker-compose pull
    docker-compose up -d

    # Install anchore-cli
    curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
    python get-pip.py
    pip install anchorecli
    anchore-cli --version

Usage

Usage document

    # Check installation status
    anchore-cli --u admin --p foobar system status

    # Vulnerability feed sync status
    anchore-cli --u admin --p foobar system feeds list

    # Once the sync has finished, add an image to Anchore Engine for analysis
    anchore-cli --u admin --p foobar image add docker.io/library/nginx:latest

    # Check progress
    anchore-cli --u admin --p foobar image list

    # Once analysis has finished, view the details
    anchore-cli --u admin --p foobar image get docker.io/library/nginx:latest

    # List OS package vulnerabilities
    anchore-cli --u admin --p foobar image vuln docker.io/library/nginx:latest os
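The add / wait / vuln sequence above is what a CI job (GitLab CI or Jenkins, as mentioned in the comparison below) would script. The following is an added example, not from the original post or the Anchore project: it wraps that sequence in a function and fails the job when the OS vulnerability report contains any High or Critical finding. It assumes anchore-cli is installed, the engine is reachable with the admin/foobar credentials used above, and that Severity is the third column of `anchore-cli image vuln` table output; `fetch_vulns`, `count_at_or_above`, `gate` and the sample report are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: gate a CI job on Anchore Engine's OS vulnerability report.
set -eu

# Same credentials as the commands above (assumption: default admin/foobar).
ANCHORE="anchore-cli --u admin --p foobar"

# Submit an image, block until analysis finishes, then print the OS report.
fetch_vulns() {
  local image="$1"
  $ANCHORE image add "$image" >/dev/null
  $ANCHORE image wait "$image" >/dev/null
  $ANCHORE image vuln "$image" os
}

# Read a report on stdin and print the number of findings at or above the
# given severity ("High" or "Critical"). Assumption: Severity is column 3.
count_at_or_above() {
  local min="$1"
  awk -v min="$min" '
    NR == 1 { next }                          # skip the header line
    $3 == "Critical" { n++; next }
    min == "High" && $3 == "High" { n++ }
    END { print n + 0 }'
}

# Exit non-zero (fails the pipeline step) when High/Critical findings exist.
gate() {
  local report="$1" n
  n=$(printf '%s\n' "$report" | count_at_or_above High)
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n High/Critical OS vulnerabilities" >&2
    return 1
  fi
  echo "PASS: no High/Critical OS vulnerabilities"
}

# Constructed sample in anchore-cli's table layout; IDs are placeholders.
SAMPLE_REPORT='Vulnerability ID   Package        Severity   Fix     Vulnerability URL
CVE-0000-0001      libfoo-1.0-1   High       None    https://example.invalid/1
CVE-0000-0002      libbar-2.3-4   Medium     2.3-5   https://example.invalid/2
CVE-0000-0003      libbaz-0.9-1   Critical   0.9-2   https://example.invalid/3'

# In a real pipeline step:
#   gate "$(fetch_vulns docker.io/library/nginx:latest)"
```

Tightening the gate to only Critical, or to a policy evaluation via `anchore-cli evaluate check`, is a matter of swapping the threshold or the fetch step.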

Anchore Engine account management

Official website address

    # List users
    anchore-cli --u admin --p foobar account list

    # Set a password
    anchore-cli --u admin --p foobar account user setpassword New_Password

Anchore Engine: registering a registry

    anchore-cli --u admin --p foobar registry add registry_name user pass

On password storage in Anchore Engine

Anchore API

Official website address

Open the swagger.json file and paste its entire contents into the Swagger online editor.

Clair: image scanning tool

Official website address

Setup script

Installation document

    # Create working directory
    mkdir clair
    cd clair

    # Download the compose file
    curl -L https://raw.githubusercontent.com/coreos/clair/master/contrib/compose/docker-compose.yml -o docker-compose.yml

    # Create the configuration file
    mkdir clair_config
    curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o ./clair_config/config.yaml

    # Edit the configuration file
    vim ./clair_config/config.yaml

    # Comment out the following line
    # source: host=localhost port=5432 user=postgres sslmode=disable statement_timeout=60000

    # Add
    source: postgresql://postgres:[email protected]:5432?sslmode=disable

    # Start
    docker-compose pull
    docker-compose up -d

Client installation

Usage

[online tutorial, using Klar as a client tool]

    # Use clairctl
    # Download the latest release version: 1.2.8

Trivy: image scanning tool

Official website address

Setup script

Installation document

    # Install directly from the rpm package
    rpm -ivh trivy_0.0.15_Linux-64bit.rpm

Usage

    # Scan an image; the first scan is slow because the vulnerability database must be downloaded
    trivy docker.io/library/nginx:latest

Docker Bench: container security baseline checking tool

Official website address

Setup script

    git clone https://github.com/docker/docker-bench-security.git && cd docker-bench-security
    bash docker-bench-security.sh

Usage

    bash docker-bench-security.sh -h

Dockerscan: image scanning tool

Official website address

Setup script

    pip3 install dockerscan

Usage

    dockerscan -h

OpenSCAP

Tool comparison

Recommended: Anchore + Docker Bench combination

Highlight: Anchore currently has a commercial version, and the free version is still updated continuously; the client is also consistent across versions. Anchore likewise integrates well with GitLab CI or Jenkins.
