Windows Container Image Scanning [BETA]

Overview

Sysdig provides a standalone vulnerability scanning and policy engine for Windows containers called the Scanning Inspector. It can be used on both Windows and Linux hosts.

This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.

Features

  • Identify Windows container image vulnerabilities from:

    • Windows OS CVEs

  • Windows or Linux hosts

  • Reports in JSON and PDF

  • Policy support

    • Severity

    • Fix available

    • Days since fixed

Ways to Use

The Windows Scanning Inspector can be integrated into the CI/CD pipeline or deployed ad hoc during development.

CI/CD Pipeline

The image below shows how the Scanning Inspector fits within a development pipeline. A policy can pass or fail the workflow and provide a PDF or JSON report for each CI/CD job.

Ad Hoc Scanning

Developers can run the Windows Scanning Inspector anywhere Docker can run: a physical machine (Mac, Windows, or Linux), a VM, or a cloud instance. It provides immediate feedback on Windows OS or .NET vulnerabilities, allowing quick mitigation of known security vulnerabilities.

Installation

Prerequisites

Request a Quay secret from your Sysdig sales agent.

Install Scanning Inspector

  • Use the provided secret to authenticate with Quay:

    PULL_SECRET="enter secret"
    # The secret is a base64-encoded Docker config file; extract the quay.io auth entry,
    # which is itself base64 of "username:password"
    AUTH=$(echo "$PULL_SECRET" | base64 --decode | jq -r '.auths."quay.io".auth' | base64 --decode)
    QUAY_USERNAME=${AUTH%:*}
    QUAY_PASSWORD=${AUTH#*:}
    # Pass the password on stdin so it does not appear in the process list or shell history
    echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io
    
  • Pull the Scanning Inspector component for Windows or Linux:

    • Windows Host/Kernel: quay.io/sysdig/scanning-inspector-windows:latest

    • Linux Host/Kernel: quay.io/sysdig/scanning-inspector-linux:latest

  • Run the --help command to see the parameters available for the Scanning Inspector.

    docker run --rm -v $(pwd):/outdir quay.io/sysdig/scanning-inspector-linux:latest --help
    

Parameters for Scanning Inspector

The --help command lists the available parameters and their usage. They can be divided into those related to scanning for vulnerabilities and generating a report, and those related to creating policies.

| Flag | Description | Required | Argument | Type |
|------|-------------|----------|----------|------|
| -f string | output format | yes | pdf or json | Vuln scan |
| -i string or -image_identifier string | identifier of the image | yes | [my_image:my_tag] | Vuln scan |
| -image_type string | image type | yes | tar, daemon, pull | Vuln scan |
| -o string or -output string | output file path | yes | | Vuln scan |
| -output_format string | output format | yes | pdf or json | Vuln scan |
| -fix_available | policy check for fix | no | | Policy creation |
| -min_days_fix int | minimum number of days since a fix for the specific vulnerability became available | no | default -1 | Policy creation |
| -min_severity string | minimum severity to fail for policy evaluation | no | | Policy creation |
| -t string | the image type | yes | tar, daemon, pull | |

Use Cases

Scan Remote Image and Save PDF Report

In this example, the Inspector scans a remote image from a Linux host and saves the resulting report as a PDF to ./scanResults.pdf (the current directory is mounted into the container as /outdir).

# -t pull : pull the image from the remote registry
# -i      : image to inspect
# -f pdf  : report format
# -o      : output path inside the mounted /outdir
docker run --rm -v $(pwd):/outdir quay.io/sysdig/scanning-inspector-linux:latest \
  -t pull \
  -i mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 \
  -f pdf \
  -o /outdir/scanResults.pdf

Scan Local Image, Apply Policy Conditions, and Generate JSON Report

In this example, the Inspector should:

  • Scan a local image on a Windows host

  • Mount the Docker named pipe so the Inspector can read the image from the local daemon. On Windows this is done with -v "//./pipe/docker_engine://./pipe/docker_engine"

  • Apply a policy that fails on vulnerabilities with a minimum severity of high whose fix has been available for at least 7 days

  • If the scan does not pass the policy, the container exits with code 1, which fails the CI/CD job

  • Write the report in JSON

# -t daemon       : scan an image from the local Docker daemon
# -i              : local image name
# -min_severity   : CVEs of severity high or greater fail the policy
# -min_days_fix 7 : only fail when the fix has been available for more than 7 days
# -f json         : report format
# -o              : output path inside the mounted /outdir
docker run --rm -v $(pwd):/outdir -v "//./pipe/docker_engine://./pipe/docker_engine" quay.io/sysdig/scanning-inspector-windows:latest \
  -t daemon \
  -i nanoserver:10.0.17763.1518 \
  -min_severity high \
  -min_days_fix 7 \
  -f json \
  -o /outdir/scanResults.json
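The three policy flags (-min_severity, -fix_available and -min_days_fix) act as filters on the scan findings, and a scan fails as soon as one finding passes all of them. The following added example is not the Scanning Inspector's code; it is a small model, written for this page, of how those flags combine as the parameter table and the use case above describe them, so that a pipeline author can reason about what a given policy will and will not fail on. The severity ordering, the inclusive day threshold, and the sample findings (placeholder identifiers, not real CVEs) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed severity ordering for the -min_severity threshold (not taken from the page).
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability found in the image. fix_date is None when no fix exists."""
    cve: str
    severity: str
    fix_date: Optional[date]


@dataclass(frozen=True)
class Policy:
    """Mirror of the three policy flags from the parameter table."""
    min_severity: Optional[str] = None  # -min_severity; None = any severity counts
    fix_available: bool = False         # -fix_available; only CVEs with a fix count
    min_days_fix: int = -1              # -min_days_fix; -1 (the default) disables the check


def violates(finding: Finding, policy: Policy, today: date) -> bool:
    """True when this single finding is enough to fail the policy."""
    # Below the severity threshold: ignored regardless of fix state.
    if policy.min_severity is not None and (
        SEVERITY_RANK[finding.severity] < SEVERITY_RANK[policy.min_severity]
    ):
        return False
    # -fix_available: unfixed CVEs never fail the policy.
    if policy.fix_available and finding.fix_date is None:
        return False
    # -min_days_fix N: fail only once the fix has been out for at least N days
    # (inclusive boundary is an assumption); an unfixed CVE cannot meet a day
    # threshold, so it is ignored as well.
    if policy.min_days_fix >= 0:
        if finding.fix_date is None:
            return False
        if (today - finding.fix_date).days < policy.min_days_fix:
            return False
    return True


def evaluate(findings: List[Finding], policy: Policy, today: date) -> Tuple[int, List[str]]:
    """Return (exit_code, failing_cves); exit code 1 mirrors a scan that does not pass."""
    failing = [f.cve for f in findings if violates(f, policy, today)]
    return (1 if failing else 0), failing


# Constructed sample findings with placeholder identifiers (not real CVEs).
TODAY = date(2021, 9, 16)
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-A", "high", date(2021, 9, 1)),       # fixed 15 days ago
    Finding("CVE-EXAMPLE-B", "critical", date(2021, 9, 12)),  # fixed 4 days ago
    Finding("CVE-EXAMPLE-C", "high", None),                   # no fix published yet
    Finding("CVE-EXAMPLE-D", "medium", date(2021, 1, 1)),     # old fix, below threshold
]

if __name__ == "__main__":
    # The policy from the second use case: -min_severity high -min_days_fix 7
    policy = Policy(min_severity="high", min_days_fix=7)
    code, failing = evaluate(SAMPLE_FINDINGS, policy, TODAY)
    print(f"exit code {code}, failing: {failing}")  # exit code 1, failing: ['CVE-EXAMPLE-A']
```

With the use case's policy only CVE-EXAMPLE-A fails the scan: the critical finding is excluded because its fix is younger than 7 days, the unfixed high finding because there is nothing to update to yet, and the medium finding because it is below the severity threshold. Dropping the day threshold back to the default of -1 makes the same image fail on every finding at or above high, which is why a grace period is normally paired with -min_severity in a pipeline gate.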



Last modified September 16, 2021: removed doubled command (9e7ec7f6)