An Open-Source Tool For Security Scans Of Container Images — Vilicus

What is Vilicus?

• ;
•  in your GitHub workflows;
•  in your GitLab CI/CD pipelines;
• ;

Why do scan for vulnerabilities?

A recent  of around 4 million Docker Hub images by cyber security firm Prevasio found that 51% of the images had exploitable vulnerabilities. A large number of these were cryptocurrency miners, both open and hidden, and 6,432 of the images had malware.

Docker image security scanning is a process for finding security vulnerabilities within your Docker image files.

Typically, image scanning works by parsing through the packages or other dependencies that are defined in a container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies.

How does it work?

Architecture

Cached Database

Vilicus updates daily the vendor databases with the latest changes in the vulns DBs.

Using a strategy to storage the database data in layers of docker images, the whole platform is ready to use in minutes instead of hours. Starting the sync feed with vulns from scratch can take at least 6 hours.

Do you want to know more about this strategy? Read

Local Registry

docker build -t localhost:5000/local-image:my-tag .

curl -o docker-compose.yml //raw.githubusercontent.com/edersonbrilhante/vilicus/main/deployments/docker-compose.yml

docker-compose up -d

IMAGE=localregistry.vilicus.svc:5000/local-image:my-tag

docker run -v ${PWD}/artifacts:/artifacts \
  --network container:vilicus \
  vilicus/vilicus:latest \
  sh -c "dockerize -wait //vilicus:8080/healthz -wait-retry-interval 60s -timeout 2000s vilicus-client -p /opt/vilicus/configs/conf.yaml -i ${IMAGE}  -t /opt/vilicus/contrib/sarif.tpl -o /artifacts/results.sarif"

GitHub Action

GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want -

Container scanning

A scan can be done using a remote image and a local image. Using a remote repository such as docker.io the image will be docker.io/your-organization/image:tag:

- name: Scan image
    uses: edersonbrilhante/vilicus-github-action@main
    with:
      image: "docker.io/myorganization/myimage:tag"

And to use a local image its need to tag as localhost:5000/image:tag:

  - name: Scan image
    uses: edersonbrilhante/vilicus-github-action@main
    with:
      image: "localhost:5000/myimage:tag"

Full example

name: Container Image CI
on: [push]
jobs:
  build
    runs-on: ubuntu-latest
    steps:
      - name: Maximize Build Space
        uses: easimon/maximize-build-space@master
        with:
          root-reserve-mb: 512
          swap-size-mb: 1024
          remove-dotnet: 'true'
          remove-android: 'true'
          remove-haskell: 'true'
      - name: Checkout branch
        uses: actions/checkout@v2
      - name: Build the Container image
        run: docker build -t localhost:5000/local-image:${GITHUB_SHA} .
      - name: Vilicus Scan
        uses: edersonbrilhante/vilicus-github-action@main
        with:
          image: localhost:5000/local-image:${{ github.sha }}
      - name: Upload results to github security
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: artifacts/results.sarif

Results in GitHub Security:

 using Vilicus GitHub Action

Pipeline example:

List with all vulns found:

Vuln details:

GitLab CI Template

Linux shared runners

All your CI/CD jobs run on  with 3.75GB of RAM, CoreOS and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB of HDD disk space. -

GitHub Action maximize-build-space

When removing software, consider that the removal of large amounts of files (which this is) can take minutes to complete. On the upside, you'll get more than 60 GB of disk space available if you actually need it. -

How to use in .gitlab-ci.yml:

include:
  - remote: //raw.githubusercontent.com/edersonbrilhante/vilicus-gitlab/main/Vilicus.gitlab-ci.yml  

scan:
  extends: .vilicus
  variables:
    IMAGE: <image>
  tags:
    - <your runner>

Vulnerabilities imported in GitLab Security Tab:

Free Online Service

Vilicus also provides a free online service.

This service is a serverless full-stack application with backend workers and database only using git and ci/cd runners.

The Frontend is hosted in GitHub Pages. This frontend is a landing page with a free service to scan or display the vulnerabilities in container images.

The results of container image scans are stored in a GitLab Repository.

When the user asks to show the results from an image, the frontend consumes the GitLab API to retrieve the file with vulns from this image. In case this image is not scanned yet, the user has the option to schedule a scan using a google form.

When this form is filled, the data is sent to a Google Spreadsheet.

A GitHub Workflow runs every 5 minutes to check if there are new answers in this Spreadsheet. For each new image in the Spreadsheet, this workflow triggers another Workflow to scan the image and save the result in the GitLab Repository.

Displaying an image already scanned by the service

Scheduling a new scan:

Source Code

• (for GitLab and GitHub)

That’s it!

Also published at