8.9. Scanning Containers and Container Images for Vulnerabilities
Use these procedures to find security vulnerabilities in a container or a container image.

You can use either the oscap-docker command-line utility or the atomic scan command-line utility to find security vulnerabilities in a container or a container image.

With oscap-docker, you can use the oscap program to scan container images and containers.

With atomic scan, you can use OpenSCAP scanning capabilities to scan container images and containers on the system. You can scan for known CVE vulnerabilities and for configuration compliance. Additionally, you can remediate container images to the specified policy.
8.9.1. Scanning Container Images and Containers for Vulnerabilities Using oscap-docker
You can scan containers and container images using the oscap-docker utility.

Note
The oscap-docker command requires root privileges, and the ID of the container or image is its second argument, directly after the subcommand (image-cve or container-cve).
Prerequisites
- The openscap-containers package is installed.
Procedure
- Find the ID of a container or a container image, for example:
~]# docker images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi7/ubi   latest   096cae65a207   7 weeks ago   239 MB
- Scan the container or the container image for vulnerabilities and save the results to the vulnerability.html file:
~]# oscap-docker image-cve 096cae65a207 --report vulnerability.html
Important
To scan a running container instead of an image, replace the image-cve argument with container-cve and pass the container ID instead of the image ID.
Verification
- Inspect the results in a browser of your choice, for example:
~]$ firefox vulnerability.html &
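The procedure above scans one target at a time. The following script is an added example, not part of the RHEL 7 Security Guide, that wraps oscap-docker so every local image and every container gets its own HTML CVE report. It assumes openscap-containers and docker are installed, that it is run as root (oscap-docker requires it), and that the report directory is writable; the report directory path, the helper names, and the second row of the sample docker images listing are this example's own choices, not anything from the guide. With DRY_RUN=1 the script only prints the oscap-docker command lines, which lets you review them before running anything as root.

```shell
#!/bin/sh
# Added example, not from the RHEL 7 Security Guide: wrap oscap-docker so that
# every local image and every container gets its own HTML CVE report.
# Assumptions: openscap-containers and docker are installed, the script is run
# as root (oscap-docker requires it), and REPORT_DIR is writable. The report
# directory and the helper names are this example's own choices.
set -eu

REPORT_DIR="${REPORT_DIR:-/var/tmp/oscap-reports}"   # assumed location

# Map a target kind to the oscap-docker subcommand documented above:
# image-cve for images, container-cve for containers. Anything else is an error.
cve_subcommand() {
    case "$1" in
        image)     printf 'image-cve\n' ;;
        container) printf 'container-cve\n' ;;
        *)         printf 'unknown target kind: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Pull the IMAGE ID column out of `docker images` output (header line skipped).
# Reads stdin so it works on live output and on the constructed sample below.
image_ids_from_listing() {
    awk 'NR > 1 && NF >= 3 { print $3 }'
}

# Pull the CONTAINER ID column (first column) out of `docker ps -a` output.
container_ids_from_listing() {
    awk 'NR > 1 && NF >= 1 { print $1 }'
}

# Build the exact oscap-docker command line for one target. The ID is always
# the second argument, right after the subcommand, as the Note above says.
scan_command() {
    local kind="$1" id="$2" sub
    sub="$(cve_subcommand "$kind")" || return 1
    printf 'oscap-docker %s %s --report %s/%s-%s.html\n' \
        "$sub" "$id" "$REPORT_DIR" "$kind" "$id"
}

# Run the scan, or only print the command when DRY_RUN=1 (useful for review,
# and what the offline demo below relies on). REPORT_DIR must not contain
# spaces because the command string is word-split when executed.
scan_target() {
    local cmd
    cmd="$(scan_command "$1" "$2")" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# Scan everything on the host, continuing past individual failures so one
# broken target does not hide the reports for the others.
scan_all() {
    mkdir -p "$REPORT_DIR"
    docker images | image_ids_from_listing | while read -r id; do
        scan_target image "$id" || printf 'image scan failed: %s\n' "$id" >&2
    done
    docker ps -a | container_ids_from_listing | while read -r id; do
        scan_target container "$id" || printf 'container scan failed: %s\n' "$id" >&2
    done
}

# Constructed sample of `docker images` output: the first row mirrors the
# listing in the procedure above, the second row is made up for the demo.
SAMPLE_IMAGES_LISTING='REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi7/ubi   latest   096cae65a207   7 weeks ago   239 MB
example.invalid/demo/app              1.0      0123456789ab   3 days ago    150 MB'

# Offline demonstration: print the commands scan_all would run for the sample.
demo_dry_run() {
    printf '%s\n' "$SAMPLE_IMAGES_LISTING" | image_ids_from_listing |
    while read -r id; do
        DRY_RUN=1 scan_target image "$id"
    done
}

# Entry point: `--all` scans the host (run as root), `--demo` prints the dry run.
case "${1:-}" in
    --all)  scan_all ;;
    --demo) demo_dry_run ;;
esac
```

Run it as `sh scan-containers.sh --demo` to see the command lines it would issue for the sample listing, and as root with `--all` to produce one report per image and per container under the report directory. Because the ID parsers read stdin, you can also feed them the output of `docker images` or `docker ps -a` from another host and review the resulting command lines before scanning.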
Additional Resources
- For more information, see the oscap-docker(8) and oscap(8) man pages.
8.9.2. Scanning Container Images and Containers for Vulnerabilities Using atomic scan
With the atomic scan utility, you can scan containers and container images for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat. The atomic scan command has the following form:
~]# atomic scan [OPTIONS] [ID]
where ID is the ID of the container image or container you want to scan.
Warning
The atomic scan functionality is deprecated, and the OpenSCAP container image is no longer updated for new vulnerabilities. Therefore, prefer the oscap-docker utility for vulnerability scanning purposes.
Use cases
- To scan all container images, use the --images directive.
- To scan all containers, use the --containers directive.
- To scan both types, use the --all directive.
- To list all available command-line options, use the atomic scan --help command.

The default scan type of the atomic scan command is CVE scan. Use it for checking a target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.
Prerequisites
- You have downloaded and installed the OpenSCAP container image from the Red Hat Container Catalog (RHCC) using the atomic install rhel7/openscap command.
Procedure
- Verify you have the latest OpenSCAP container image to ensure the definitions are up to date:
~]# atomic help registry.access.redhat.com/rhel7/openscap | grep version
- Scan a RHEL 7.2 container image with several known security vulnerabilities:
~]# atomic scan registry.access.redhat.com/rhel7:7.2
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-49-36-614281:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-49-36-614281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)
The following issues were found:

     RHSA-2017:2832: nss security update (Important)
     Severity: Important
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
       RHSA ID: RHSA-2017:2832-01
       Associated CVEs:
           CVE ID: CVE-2017-7805
           CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805
...
Additional Resources
- Product Documentation for Red Hat Enterprise Linux Atomic Host contains a detailed description of the atomic command usage and containers.
- The Red Hat Customer Portal provides a guide to the Atomic command-line interface (CLI).