
Windows Container Image Scanning [BETA]

    This doc applies only to the Legacy Scanning engine. Make sure you are using the correct documentation: Which Scanning Engine to Use

    Overview

    Sysdig provides a standalone vulnerability scanning and policy engine for Windows containers called the Scanning Inspector. It can be used on both Windows and Linux hosts.

    This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.

    Features

    • Identify Windows container image vulnerabilities from:

      • Windows OS CVEs

    • Runs on Windows or Linux hosts

    • Reports in JSON and PDF

    • Policy support

      • Severity

      • Fix available

      • Days since fixed

    Ways to Use

    The Windows Scanning Inspector can be integrated into the CI/CD pipeline or deployed ad hoc during development.

    CI/CD Pipeline

    The image below shows how the Scanning Inspector fits within a development pipeline. A policy can pass or fail the workflow and provide a PDF or JSON report for each CI/CD job.

    Ad Hoc Scanning

    Developers can run the Windows Scanning Inspector anywhere Docker runs: a workstation (Mac, Windows, or Linux), a VM, or a cloud instance. It provides immediate feedback on Windows OS or .NET vulnerabilities, so known vulnerabilities can be mitigated early in development.

    Installation

    Prerequisites

    Request a Quay secret from your Sysdig sales agent.

    Install Scanning Inspector

    1. Use the provided secret to authenticate with Quay:

      PULL_SECRET="enter secret"
      # The secret is a base64-encoded Docker config.json; extract the quay.io auth entry
      AUTH=$(printf '%s' "$PULL_SECRET" | base64 --decode | jq -r '.auths."quay.io".auth' | base64 --decode)
      # The auth entry is "username:password"; split at the FIRST colon (passwords may contain ':')
      QUAY_USERNAME=${AUTH%%:*}
      QUAY_PASSWORD=${AUTH#*:}
      # Pass the password on stdin so it does not appear in the process list or shell history
      printf '%s\n' "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io
      
    2. Pull the Scanning Inspector component for Windows or Linux:

      • Windows Host/Kernel: quay.io/sysdig/scanning-inspector-windows:latest

      • Linux Host/Kernel: quay.io/sysdig/scanning-inspector-linux:latest

    3. Run the --help command to see the parameters available for the Scanning Inspector.

      docker run --rm -v $(pwd):/outdir quay.io/sysdig/scanning-inspector-linux:latest --help
      
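    The pull-secret decoding from step 1, written out in Python as an added example (it is not Sysdig's code): it reads the same base64-encoded Docker config.json shape, fails cleanly on a malformed secret or a missing registry entry, and splits the auth entry at the first colon so a password containing ':' survives. The sample secret and credentials below are constructed for the example.

```python
import base64
import binascii
import json
from typing import Tuple

# Constructed sample: a base64-encoded Docker config.json in the same shape as
# the Quay pull secret (the registry name is real, the credentials are fake).
SAMPLE_PULL_SECRET = base64.b64encode(json.dumps({
    "auths": {
        "quay.io": {
            # base64("sysdig+ci:p4ss:w0rd") -- note the colon inside the password
            "auth": base64.b64encode(b"sysdig+ci:p4ss:w0rd").decode()
        }
    }
}).encode()).decode()


def decode_pull_secret(secret_b64: str, registry: str = "quay.io") -> Tuple[str, str]:
    """Return (username, password) for `registry` from a base64 Docker config.json.

    Mirrors the shell step in the installation instructions, but splits on the
    FIRST colon: Docker usernames cannot contain ':', passwords can.
    """
    try:
        config = json.loads(base64.b64decode(secret_b64, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("pull secret is not base64-encoded JSON") from exc
    try:
        auth_b64 = config["auths"][registry]["auth"]
    except (KeyError, TypeError):
        raise ValueError(f"no 'auth' entry for {registry} in pull secret") from None
    auth = base64.b64decode(auth_b64).decode()
    username, sep, password = auth.partition(":")
    if not sep or not username or not password:
        raise ValueError("auth entry is not in user:password form")
    return username, password


if __name__ == "__main__":
    user, pw = decode_pull_secret(SAMPLE_PULL_SECRET)
    # Feed the password to docker on stdin so it never shows up in `ps` or shell history:
    #   printf '%s\n' "$pw" | docker login -u "$user" --password-stdin quay.io
    print(f"username={user} password_length={len(pw)}")
```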

    Parameters for Scanning Inspector

    The --help command lists the available parameters and their usage. They can be divided into those related to scanning for vulnerabilities and generating a report, and those related to creating policies.

    Flag                            | Description                                                               | Required | Argument            | Type
    --------------------------------+---------------------------------------------------------------------------+----------+---------------------+----------------
    -f string                       | Output format                                                             | yes      | pdf or json         | Vuln scan
    -i or -image_identifier string  | Identifier of the image                                                   | yes      | [my_image:my_tag]   | Vuln scan
    -image_type string              | Image type                                                                | yes      | tar, daemon, pull   | Vuln scan
    -o string or -output string     | Output file path                                                          | yes      |                     | Vuln scan
    -output_format string           | Output format                                                             | yes      | pdf or json         | Vuln scan
    -fix_available                  | Policy check for fix                                                      | no       |                     | Policy creation
    -min_days_fix int               | Minimum number of days since a fix for the specific vulnerability became available | no | default -1     | Policy creation
    -min_severity string            | Minimum severity to fail for policy evaluation                            | no       |                     | Policy creation
    -t string                       | The image type                                                            | yes      | tar, daemon, pull   | Vuln scan

    Use Cases

    Scan Remote Image and Save PDF Report

    In this example, the Inspector scans a remote image on a Linux host and saves the resulting report as a PDF to ./scanResults.pdf. Flags are explained in the comments above the command, because a comment cannot follow a backslash line continuation in the shell.

    # -t pull : pull the image from the remote registry
    # -i      : image to inspect
    # -f pdf  : report format
    # -o      : output path inside the mounted /outdir
    docker run --rm -v "$(pwd)":/outdir quay.io/sysdig/scanning-inspector-linux:latest \
      -t pull \
      -i mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 \
      -f pdf \
      -o /outdir/scanResults.pdf
    

    Scan Local Image, Apply Policy Conditions, and Generate JSON Report

    In this example, the Inspector should:

    • Scan a local image on a Windows host

    • Mount the Docker socket to access the local image. On Windows this is done with -v "//./pipe/docker_engine://./pipe/docker_engine"

    • Apply a policy that fails the scan on vulnerabilities with a minimum severity of high whose fix has been available for at least 7 days.

    • If the policy does not pass, the container exits with status 1.

    • The report is written in JSON.

    # Shown in Bash syntax (e.g. Git Bash); in PowerShell use ` instead of \ for line continuation
    # -t daemon        : scan an image from the local daemon
    # -i               : local image name
    # -min_severity    : any CVE of severity high or greater fails the policy
    # -min_days_fix 7  : only fail if the fix has been available for more than 7 days
    # -f json          : report format
    # -o               : output path inside the mounted /outdir
    docker run --rm -v "$(pwd)":/outdir -v "//./pipe/docker_engine://./pipe/docker_engine" quay.io/sysdig/scanning-inspector-windows:latest \
      -t daemon \
      -i nanoserver:10.0.17763.1518 \
      -min_severity high \
      -min_days_fix 7 \
      -f json \
      -o /outdir/scanResults.json