8.9. Scanning Containers and Container Images for Vulnerabilities
Use these procedures to find security vulnerabilities in a container or a container image.
You can use either the oscap-docker command-line utility or the atomic scan command-line utility to find security vulnerabilities in a container or a container image.
With oscap-docker, you can use the oscap program to scan container images and containers.
With atomic scan, you can use OpenSCAP scanning capabilities to scan container images and containers on the system. You can scan for known CVE vulnerabilities and for configuration compliance. Additionally, you can remediate container images to the specified policy.
8.9.1. Scanning Container Images and Containers for Vulnerabilities Using oscap-docker
You can scan containers and container images using the oscap-docker command.
Note: The oscap-docker command requires root privileges, and the ID of a container is the second argument.
- Prerequisite: the openscap-containers package is installed.
- Find the ID of a container or a container image, for example:
  ~]# docker images
  REPOSITORY                           TAG      IMAGE ID       CREATED       SIZE
  registry.access.redhat.com/ubi7/ubi  latest   096cae65a207   7 weeks ago   239 MB
- Scan the container or the container image for vulnerabilities and save the results to the vulnerability.html file:
  ~]# oscap-docker image-cve 096cae65a207 --report vulnerability.html
Important: To scan a container, replace the
- Inspect the results in a browser of your choice, for example:
  ~]$ firefox vulnerability.html &
- For more information, see the
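The procedure above scans one image by hand. The following script is an added example, not part of the Red Hat guide: it batch-scans every local image with oscap-docker image-cve and writes one HTML report per image. It assumes docker and the openscap-containers package are installed, and it uses the container-cve subcommand for running containers, which comes from oscap-docker's own usage rather than from this page; the docker images listing used in the comments is the one shown above.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): batch-scan every local container
# image with oscap-docker image-cve and write one HTML report per image.
# Assumptions: docker and oscap-docker (openscap-containers) are installed;
# "container-cve" is oscap-docker's subcommand for running containers (taken
# from oscap-docker's own usage, not shown on this page).
set -e

# Map a target kind to the oscap-docker CVE subcommand.
cve_subcommand() {
  case "$1" in
    image)     echo image-cve ;;
    container) echo container-cve ;;
    *) echo "unknown target kind: $1" >&2; return 1 ;;
  esac
}

# Extract the IMAGE ID column from `docker images` output on stdin,
# skipping the header row.
image_ids_from_listing() {
  awk 'NR > 1 && $3 != "" { print $3 }'
}

# Assemble the oscap-docker command line for one target without running it,
# so it can be logged or reviewed before a privileged run.
build_scan_command() {
  printf 'oscap-docker %s %s --report %s\n' "$(cve_subcommand "$1")" "$2" "$3"
}

# Scan all local images; reports land in $1 (default ./cve-reports).
# oscap-docker needs root, so refuse early instead of failing mid-batch.
scan_all_images() {
  outdir=${1:-./cve-reports}
  if [ "$(id -u)" -ne 0 ]; then
    echo "oscap-docker requires root privileges" >&2
    return 1
  fi
  mkdir -p "$outdir"
  docker images | image_ids_from_listing | sort -u | while read -r id; do
    report="$outdir/$id.html"
    echo "scanning image $id -> $report"
    # </dev/null keeps the scanner from eating the loop's stdin; keep going
    # if one image fails so a single broken image does not abort the batch.
    oscap-docker image-cve "$id" --report "$report" </dev/null \
      || echo "scan of $id did not complete cleanly" >&2
  done
}

# Run the batch only when invoked as `sh scan-images.sh run [DIR]`;
# sourcing the file just defines the functions.
if [ "$#" -gt 0 ] && [ "$1" = run ]; then
  scan_all_images "$2"
fi
```

Run it as root with `sh scan-images.sh run /var/tmp/cve-reports`; the per-image HTML reports can then be opened in a browser exactly as in step 3 above.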
8.9.2. Scanning Container Images and Containers for Vulnerabilities Using atomic scan
With the atomic scan utility, you can scan containers and container images for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat. The atomic scan command takes as its argument the ID of the container image or container you want to scan.
Note: The atomic scan functionality is deprecated, and the OpenSCAP container image is no longer updated for new vulnerabilities. Therefore, prefer the oscap-docker utility for vulnerability scanning purposes.
- To scan all container images, use the
- To scan all containers, use the
- To scan both types, use the
- To list all available command-line options, use the
The default scan type of the atomic scan command is CVE scan. Use it for checking a target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.
- Prerequisite: you have downloaded and installed the OpenSCAP container image from the Red Hat Container Catalog (RHCC) using the atomic install rhel7/openscap command.
- Verify that you have the latest OpenSCAP container image to ensure the definitions are up to date:
  ~]# atomic help registry.access.redhat.com/rhel7/openscap
- Scan a RHEL 7.2 container image with several known security vulnerabilities:
  ~]# atomic scan registry.access.redhat.com/rhel7:7.2
  docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-49-36-614281:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-49-36-614281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
  registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)

  The following issues were found:

    RHSA-2017:2832: nss security update (Important)
      Severity: Important
      RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
      RHSA ID: RHSA-2017:2832-01
      Associated CVEs:
        CVE ID: CVE-2017-7805
        CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805
  ...
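The report that atomic scan prints is free text, which is awkward to feed into a build gate or a ticketing system. The script below is an added example, not part of the Red Hat guide or of the atomic tooling: it parses that text into a tab-separated summary (target, RHSA ID, severity, CVE ID) and then fails when any finding is at or above a chosen severity on Red Hat's Low/Moderate/Important/Critical scale. The sample report embedded in it is constructed from the output shown in the step above, and the indentation of that output is an assumption the parser tolerates either way.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): turn the free-text report that
# `atomic scan` prints into a tab-separated summary and gate on severity.
# The sample report below is constructed from the output shown on the page.
set -e

# Constructed sample of `atomic scan` output for offline use.
sample_atomic_scan_output() {
  cat <<'EOF'
registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)

The following issues were found:

  RHSA-2017:2832: nss security update (Important)
    Severity: Important
    RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
    RHSA ID: RHSA-2017:2832-01
    Associated CVEs:
      CVE ID: CVE-2017-7805
      CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805
EOF
}

# Parse scan output on stdin into one line per CVE:
#   TARGET<TAB>RHSA_ID<TAB>SEVERITY<TAB>CVE_ID
# The target and advisory fields are remembered until the next header, so
# an advisory with several CVEs yields several lines.
summarize_findings() {
  awk '
    { sub(/^[ \t]+/, "") }                         # strip indentation
    /^[^ ]+ \([0-9a-f]+\)$/ { target = $1; next }  # "image (id)" header line
    /^Severity: /           { severity = $2; next }
    /^RHSA ID: /            { rhsa = $3; next }
    /^CVE ID: /             { printf "%s\t%s\t%s\t%s\n", target, rhsa, severity, $3 }
  '
}

# Exit 0 when no finding in the summary on stdin is at or above the given
# severity, 1 otherwise. An unknown threshold ranks as 0 and so fails on
# any finding at all, which is the safe direction for a gate.
gate_on_severity() {
  awk -F'\t' -v threshold="$1" '
    BEGIN { rank["Low"] = 1; rank["Moderate"] = 2; rank["Important"] = 3; rank["Critical"] = 4 }
    rank[$3] >= rank[threshold] { hits++ }
    END { exit (hits > 0) }
  '
}

# Real use (deprecated tooling, see the note above): scan, summarize, gate.
# Example: scan_and_gate registry.access.redhat.com/rhel7:7.2 Important
scan_and_gate() {
  atomic scan "$1" | summarize_findings | gate_on_severity "${2:-Important}"
}
```

On the sample above, summarize_findings emits a single line for CVE-2017-7805 at severity Important, so gate_on_severity Critical passes while gate_on_severity Important fails, which is the behaviour a pipeline step would key on.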
- Product Documentation for Red Hat Enterprise Linux Atomic Host contains a detailed description of the atomic command usage and containers.
- The Red Hat Customer Portal provides a guide to the Atomic command-line interface (CLI).