How do I scan container images with cnspec

[chris-rock]

I have a container image and want to scan it. What options do I have and do I need docker as a runtime?

[chris-rock]

cnspec offers two diferent ways to scan container images:

• cnspec vuln runs only the vulnerability check
• cnspec scan runs the vulnerability check and security policies

The following examples use the cnspec vuln command to illustrate how it works best. For bettter security coverage we recommmend using cnspec scan. The arguments are the same for both commands so it is easy to switch between both.

cnspec can scan multiple targets. For container images we have different scenarios:

1. scan a container image store in Docker Engine
2. scan a container image in tar format without any container runtime like docker
3. scan a contaienr image store in a Container Registry like ECR, ACR or GCP Artefact Registry

Especially 1.) and 2.) are interessting when you want to scan a container before you want to publish it to a container registry. This helps you to prevent publishing vulnerable images and stop the pipeline before.

Docker Engine

cnspec has full support for Docker Engine. All credentials available to the docker command are also automatically used by cnspec. To scan a debian:11 image, just run the following:

docker pull debian:11
cnspec scan docker debian:11

When the image is does not include any advisories, the output looks like:

$ cnspec vuln docker debian:11
Target:     debian:11@14e29f082305
====================================

┌─ Packages ───────────────────────────┐
│ Total:    ███████████████████ 96     │
│ Critical: 0                          │
│ High:     0                          │
│ Medium:   0                          │
│ Low:      0                          │
└──────────────────────────────────────┘

■ No advisories found (passed)

If the container image include advisories, the output looks like:

$ cnspec vuln docker debian:10
Target:     debian:10@edcf96f9d9d9
====================================

┌─ Advisories ─────────────────────────┐
│ Critical: ███ 11.8%                  │
│ High:     ███████████ 41.2%          │
│ Medium:   ████ 17.6%                 │
│ Low:      0.0%                       │
│ None:     ████████ 29.4%             │
└──────────────────────────────────────┘

┌─ Packages ───────────────────────────┐
│ Total:    ███████████████████ 91     │
│ Critical: ████ 2                     │
│ High:     ███████████████████ 8      │
│ Medium:   ███████████ 5              │
│ Low:      0                          │
└──────────────────────────────────────┘

  ■  SCORE  PACKAGE       INSTALLED               FIXED                    AVAILABLE                
  ■  9.8    zlib1g        1:1.2.11.dfsg-1         1:1.2.11.dfsg-1+deb10u2  1:1.2.11.dfsg-1+deb10u1  
  ■  9.1    libtasn1-6    4.13-3                  4.13-3+deb10u1           4.13-3                   
  ■  8.8    gzip          1.9-3                   1.9-3+deb10u1            1.9-3+deb10u1            
  ■  8.8    liblzma5      5.2.4-1                 5.2.4-1+deb10u1          5.2.4-1+deb10u1          
  ■  7.8    libc-bin      2.28-10                 2.28-10+deb10u2          2.28-10+deb10u1          
  ■  7.8    libc6         2.28-10                 2.28-10+deb10u2          2.28-10+deb10u1          
  ■  7.8    libsystemd0   241-7~deb10u8           241-7~deb10u9            241-7~deb10u8            
  ■  7.8    libudev1      241-7~deb10u8           241-7~deb10u9            241-7~deb10u8            
  ■  7.5    dpkg          1.19.7                  1.19.8                   1.19.8                   
  ■  7.5    libgnutls30   3.6.7-4+deb10u7         3.6.7-4+deb10u10         3.6.7-4+deb10u8          
  ■  5.8    gpgv          2.2.12-1+deb10u1        2.2.12-1+deb10u2         2.2.12-1+deb10u2         
  ■  5.8    libncursesw6  6.1+20181013-2+deb10u2  6.1+20181013-2+deb10u3   6.1+20181013-2+deb10u2   
  ■  5.8    libtinfo6     6.1+20181013-2+deb10u2  6.1+20181013-2+deb10u3   6.1+20181013-2+deb10u2   
  ■  5.8    ncurses-base  6.1+20181013-2+deb10u2  6.1+20181013-2+deb10u3   6.1+20181013-2+deb10u3   
  ■  5.8    ncurses-bin   6.1+20181013-2+deb10u2  6.1+20181013-2+deb10u3   6.1+20181013-2+deb10u2   
  ■  0      libbz2-1.0    1.0.6-9.2~deb10u1       1.0.6-9.2~deb10u2        1.0.6-9.2~deb10u1        
  ■  0      tzdata        2021a-0+deb10u1         2021a-0+deb10u11         2021a-0+deb10u11    

Tar File

In cases where no container runtime is available, cnspec allows you to use the native support for OCI tar images:

docker save debian:11 -o debian11.tar

Then you can scan the container tar image via:

cnspec vuln container tar debian11.tar

Container Registry

cnspec has native support for all the major registries. You can use the container image subcommand to scan an image directly from a container registry. That does not require any container runtime and is save to run inside of a running container without mounted container engine.

cnspec vuln container image registry.hub.docker.com/library/debian:11