Image Scanning in your CI/CD pipeline

CI/CD is a way of developing software where code changes are constantly integrated and delivered. It's also an integral part of leveraging "Infrastructure as a Code" - a principle used more and more due to its predictability and declarative approach. This means that code changes are integrated early and often, and that they are verified through automation to make sure that they work correctly. This helps to find and fix issues early, before they become a problem. Although modern cloud-native tools have enabled automation across CI/CD pipelines, the automation of the vulnerability management process has lagged behind.

‍

Challenge

Using a vulnerable image in production might put your applications at great risk. Before you go into production with container images, you now have the opportunity to stop and check if the image is vulnerable. Being able to analyze a workload or infrastructure setup before it’s deployed (deployed = potential vulnerabilities exposed already) is a major increase in the security posture within the company. Runecast already addresses the shift-left image scanning approach by providing a webhook for K8s admission controller, however it’s now even more flexible. 

‍
Adding an Image Scanning Stage to the Pipeline (more automation)

A public API endpoint is now available for Image Scanning from your CI/CD pipeline. You can also use this API endpoint in other platforms, software or other tools where you need to scan container images for CVE vulnerabilities. 

The API endpoint can be used to scan one or more images. Additionally you can specify the policy ID to evaluate against the severity of the vulnerability and the availability of fixes for the detected vulnerability.

‍

To scan one or more images use the following command: 

{% code-block language="shell" %}
curl -X POST -H "Authorization: <your API token>" -H "Content-Type: application/json;charset=UTF-8" https://<appliance IP>/rc2/api/v2/images-scan-requests -d '{"imageNames": ["<image1>","<image2>"],"policyId": 1}'
{% code-block-end %}

The response from the API can be used to decide whether the CI/CD pipeline will continue, or reject the image.  If the predefined policies are not suitable, the full scan result is available so any custom evaluation logic can be implemented. Furthermore, the results can also be reviewed in the Runecast UI and even shared between different teams by using a specific URL. More examples can be found here in our Runecast User Guide.

‍

If security scans are integrated into segments of CI/CD pipelines, teams can detect, track, and resolve security issues early on in the development process. This allows teams to proactively reduce the risk of vulnerabilities by using non-vulnerable packages and libraries or changing to a secure container image version.  This is the approach that best fits the DevOps philosophy, as it allows us to automate and analyze the images that we build. 

‍

This publicly available API means that users of Runecast can integrate our powerful image scanning and vulnerability management functions directly into their CI/CD pipeline. Along with our admission webhook, this gives our users more options and flexibility of deployment, while keeping the same strength of analysis and protection that people have come to expect from Runecast.

To find out how you can automate security and increase your DevSecOps efficiency, contact us for a demo.