Windows Container Image Scanning [BETA]

This doc applies only to the Legacy Scanning engine. Make sure you are using the correct documentation: Which Scanning Engine to Use

Overview

Sysdig provides a standalone vulnerability scanning and policy engine for Windows containers called the Scanning Inspector. It can be used on both Windows and Linux hosts.

This is a standalone scanning engine. There is no centralized UI, management, or historical data.

Features

  • Identify Windows container image vulnerabilities from:

    • Windows OS CVEs

  • Windows or Linux hosts

  • Reports in JSON and PDF

  • Policy support

    • Severity

    • Fix available

    • Days since fixed

Usage

You can integrate the Windows Scanning Inspector into the continuous integration and continuous delivery (CI/CD) pipeline or deploy ad hoc during development.

CI/CD Pipeline

The image below shows how the Scanning Inspector fits within a development pipeline. A policy can pass or fail the workflow and provide a PDF or JSON report for each CI/CD job.

Ad Hoc Scanning

Developers can run the Windows Scanning Inspector anywhere Docker can be run: a machine (Mac, Windows, or Linux), virtual machine, or cloud. It provides immediate feedback on Windows OS or .NET vulnerabilities, allowing quick mitigation of known security vulnerabilities.

Installation

Prerequisites

Install Scanning Inspector

  1. Use the provided secret to authenticate with Quay:

    PULL_SECRET="enter secret"
    # The pull secret is a base64-encoded Docker config; extract the quay.io "user:password" pair
    AUTH=$(echo "$PULL_SECRET" | base64 --decode | jq -r '.auths."quay.io".auth' | base64 --decode)
    QUAY_USERNAME=${AUTH%%:*}   # everything before the first colon
    QUAY_PASSWORD=${AUTH#*:}    # everything after the first colon (password may itself contain colons)
    # Feed the password on stdin so it does not show up in the process list or shell history
    printf '%s' "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io

  2. Pull the Scanning Inspector component for Windows or Linux:

    • Windows Host/Kernel: quay.io/sysdig/scanning-inspector-windows:latest

    • Linux Host/Kernel: quay.io/sysdig/scanning-inspector-linux:latest

  3. Run the --help command to see the parameters available for the Scanning Inspector:

    docker run --rm -v "$(pwd)":/outdir quay.io/sysdig/scanning-inspector-linux:latest --help

Parameters for Scanning Inspector

The --help command lists the available parameters and their usage. They can be divided into those related to scanning for vulnerabilities and generating a report, and those related to creating policies.

Flag                            Description                                                                    Required  Argument            Type
-f string                       Output format                                                                  yes       pdf or json         Vuln scan
-i or -image_identifier string  Identifier of the image                                                        yes       [my_image:my_tag]   Vuln scan
-image_type string              Image type                                                                     yes       tar, daemon, pull   Vuln scan
-o string or -output string     Output file path                                                               yes                           Vuln scan
-output_format string           Output format                                                                  yes       pdf or json         Vuln scan
-fix_available                  Policy check for fix                                                           no                            Policy creation
-min_days_fix int               Minimum number of days once a fix for the specific vulnerability is available  no        default -1          Policy creation
-min_severity string            Minimum severity to fail for policy evaluation                                 no                            Policy creation
-t string                       The image type                                                                 yes       tar, daemon, pull

Use Cases

Scan Remote Image and Save PDF Report

In this example, the Inspector scans a remote image on a Linux host and saves the resulting report as a PDF to ./scanResults.pdf:

# -t pull : pull the image from the remote repository
# -i      : image to inspect
# -f      : report format
# -o      : output path inside the mounted /outdir, so the file lands in ./scanResults.pdf
docker run --rm -v "$(pwd)":/outdir quay.io/sysdig/scanning-inspector-linux:latest \
  -t pull \
  -i mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 \
  -f pdf \
  -o /outdir/scanResults.pdf

Scan Local Image, Apply Policy Conditions, and Generate JSON Report

In this example, the Inspector should:

  • Scan a local image on a Windows host

  • Mount the Docker socket to access the local image. On Windows this is done with -v "//./pipe/docker_engine://./pipe/docker_engine"

  • Apply a policy that fails on vulnerabilities with a minimum severity of high and a minimum number of days since the fix became available of 7.

  • If the scan does not pass the policy, the container exits with code 1.

  • The report is in JSON

# -t pull           : pulls a public image for evaluation. Authentication credentials are not (yet) supported.
# -i                : image name
# -min_severity high: any CVE of severity high or greater fails the image scan policy
# -min_days_fix 7   : only fail the scan if the vulnerabilities found have had a fix for more than 7 days
# -f json           : report format
# -o                : output name
docker run --rm -v "$pwd/outdir:c:/outdir" quay.io/sysdig/scanning-inspector-windows:latest `
    -t pull `
    -i mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 `
    -min_severity high `
    -min_days_fix 7 `
    -f json `
    -o outdir/scanResults.json

The command above should be run in Windows PowerShell, as $pwd is a PowerShell expression.

To scan images already downloaded into the local Windows Docker daemon (those listed by “docker image list”), use the -t daemon option. For this to work, the local named pipe must be mounted with -v //./pipe/docker_engine://./pipe/docker_engine

docker run --rm -v "$pwd/outdir:c:/outdir" `
    -v //./pipe/docker_engine://./pipe/docker_engine `
    quay.io/sysdig/scanning-inspector-windows:latest `
    -t daemon `
    -i mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 `
    -min_severity high `
    -min_days_fix 7 `
    -f json `
    -o outdir/scanResults.json
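To make the pass/fail behaviour of the three policy flags concrete, here is an added model of the documented policy semantics (-min_severity, -min_days_fix with its default of -1, -fix_available, exit code 1 on failure) written for this page; it is not Sysdig's code, the severity ranking and the "no flags means report only" rule are assumptions, and the findings are constructed placeholders because the JSON report schema is not documented here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Severity order assumed for -min_severity (the page only shows "high"; the ranking is an assumption).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Finding:
    cve: str                             # placeholder ids below, not real CVEs
    severity: str
    fix_available_since: Optional[date]  # None when no fix has been published

def _violates(f: Finding, min_severity: Optional[str], min_days_fix: int,
              fix_available: bool, today: date) -> bool:
    """True when a finding trips the policy under the documented conditions."""
    if min_severity is not None:
        if SEVERITY_RANK.get(f.severity.lower(), 0) < SEVERITY_RANK[min_severity.lower()]:
            return False                 # below the severity floor: never fails the policy
    if fix_available and f.fix_available_since is None:
        return False                     # -fix_available: only CVEs with a fix count
    if min_days_fix >= 0:                # the default -1 disables the day check
        if f.fix_available_since is None:
            return False                 # no fix yet, so "days since fix" is undefined
        if (today - f.fix_available_since).days < min_days_fix:
            return False                 # fix is newer than the grace period
    return True

def evaluate_policy(findings, min_severity=None, min_days_fix=-1,
                    fix_available=False, today=None):
    """Return (exit_code, failing_cves): exit 1 when any finding violates the policy."""
    if min_severity is None and min_days_fix < 0 and not fix_available:
        return 0, []                     # assumption: no policy flags means report only
    today = today or date.today()
    failing = [f.cve for f in findings
               if _violates(f, min_severity, min_days_fix, fix_available, today)]
    return (1 if failing else 0), failing

# Constructed sample findings standing in for a parsed JSON report.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", "critical", date(2020, 10, 1)),   # fix 31 days old at TODAY
    Finding("CVE-XXXX-0002", "high", date(2020, 10, 28)),      # fix only 4 days old
    Finding("CVE-XXXX-0003", "high", None),                    # no fix published
    Finding("CVE-XXXX-0004", "medium", date(2020, 9, 1)),      # below the severity floor
]
TODAY = date(2020, 11, 1)
```

With the flags from the examples above (-min_severity high -min_days_fix 7), only CVE-XXXX-0001 fails the policy, so the scan would exit 1.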