7.9. Scanning Containers and Container Images for Vulnerabilities

Use these procedures to find security vulnerabilities in a container or a container image.
You can use either the oscap-docker command-line utility or the atomic scan command-line utility to find security vulnerabilities in a container or a container image.
With oscap-docker, you can use the oscap program to scan container images and containers.
With atomic scan, you can use OpenSCAP scanning capabilities to scan container images and containers on the system. You can scan for known CVE vulnerabilities and for configuration compliance. Additionally, you can remediate container images to the specified policy.

7.9.1. Scanning Container Images and Containers for Vulnerabilities Using oscap-docker

You can scan containers and container images using the oscap-docker utility.

Note

The oscap-docker command requires root privileges and the ID of a container is the second argument.

Prerequisites

  • The openscap-containers package is installed.

Procedure

  1. Find the ID of a container or a container image, for example:
    ~]# docker images
    REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
    registry.access.redhat.com/ubi7/ubi   latest   096cae65a207   7 weeks ago   239 MB
    
  2. Scan the container or the container image for vulnerabilities and save results to the vulnerability.html file:
    ~]# oscap-docker image-cve 096cae65a207 --report vulnerability.html

    Important

    To scan a container, replace the image-cve argument with container-cve.

Verification

  1. Inspect the results in a browser of your choice, for example:
    ~]$ firefox vulnerability.html &

Additional Resources

  • For more information, see the oscap-docker(8) and oscap(8) man pages.

7.9.2. Scanning Container Images and Containers for Vulnerabilities Using atomic scan

With the atomic scan utility, you can scan containers and container images for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat. The atomic scan command has the following form:
~]# atomic scan [OPTIONS] [ID]
where ID is the ID of the container image or container you want to scan.

Use cases

  • To scan all container images, use the --images directive.
  • To scan all containers, use the --containers directive.
  • To scan both types, use the --all directive.
  • To list all available command-line options, use the atomic scan --help command.
The default scan type of the atomic scan command is CVE scan. Use it for checking a target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.

Prerequisites

Procedure

  1. Verify you have the latest OpenSCAP container image to ensure the definitions are up to date:
    ~]# atomic help registry.access.redhat.com/rhel7/openscap | grep version 

    Important

    Red Hat provides weekly updates of the container image. Always use the latest OpenSCAP container image to ensure your OVAL definitions used by the CVE scan type are up to date.
  2. Scan a RHEL 7.2 container image with several known security vulnerabilities:
    ~]# atomic scan registry.access.redhat.com/rhel7:7.2 
    docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-49-36-614281:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-49-36-614281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
    
    registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)
    
    The following issues were found:
    
     RHSA-2017:2832: nss security update (Important)
     Severity: Important
    	 RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
    	 RHSA ID: RHSA-2017:2832-01
    	 Associated CVEs:
    			 CVE ID: CVE-2017-7805
    			 CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805
    ...

Additional Resources