Windows Container Image Scanning [BETA]

Overview

Sysdig provides a standalone vulnerability scanning and policy engine for Windows containers called the Scanning Inspector. It can be used on both Windows and Linux hosts.

Note

This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.

Features

  • Identify Windows container image vulnerabilities from:

    • Windows OS CVEs

  • Windows or Linux hosts

  • Reports in JSON and PDF

  • Policy support

    • Severity

    • Fix available

    • Days since fixed

Ways to Use

The Windows Scanning Inspector can be integrated into the CI/CD pipeline or deployed ad hoc during development.

CI/CD Pipeline

The image below shows how the Scanning Inspector fits within a development pipeline. A policy can pass or fail the workflow and provide a PDF or JSON report for each CI/CD job.

(Figure win_scan_cicd.png: the Scanning Inspector within a CI/CD pipeline)

Ad Hoc Scanning

Developers can run the Windows Scanning Inspector anywhere Docker can be run: a machine (Mac, Windows, or Linux), VM, or Cloud. It provides immediate feedback on Windows OS or .NET vulnerabilities, allowing quick mitigation of known security vulnerabilities.

Installation

Prerequisites

Request a Quay secret from Sysdig Support.

Install Scanning Inspector

  1. Use the provided secret to authenticate with Quay:

    # Paste the secret received from Sysdig Support (a base64-encoded Docker config.json)
    PULL_SECRET="enter secret"
    # Extract the "user:password" pair stored under .auths."quay.io".auth and decode it
    AUTH=$(echo "$PULL_SECRET" | base64 --decode | jq -r '.auths."quay.io".auth' | base64 --decode)
    # Split on the first colon: the username never contains one, the password might
    QUAY_USERNAME=${AUTH%%:*}
    QUAY_PASSWORD=${AUTH#*:}
    # Pass the password on stdin so it does not show up in the process list or shell history
    echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io
  2. Pull the Scanning Inspector component for Windows or Linux:

    • Windows Host/Kernel: quay.io/sysdig/scanning-inspector-windows:latest

    • Linux Host/Kernel: quay.io/sysdig/scanning-inspector-linux:latest

  3. Run the --help command to see the parameters available for the Scanning Inspector.

    docker run --rm -v $(pwd):/outdir quay.io/sysdig/scanning-inspector-linux:latest --help

Parameters for Scanning Inspector

The --help command lists the available parameters and their usage. They can be divided into those related to scanning for vulnerabilities and generating a report, and those related to creating policies.

| Flag | Description | Required | Argument | Type |
|------|-------------|----------|----------|------|
| -f string | output format | yes | pdf or json | Vuln scan |
| -i or -image_identifier string | identifier of the image | yes | [my_image:my_tag] | Vuln scan |
| -image_type string | image type | yes | tar, daemon, pull | Vuln scan |
| -o string or -output string | output file path | yes | | Vuln scan |
| -output_format string | output format | yes | pdf or json | Vuln scan |
| -fix_available | policy check for fix | no | | Policy creation |
| -min_days_fix int | minimum number of days since a fix for the specific vulnerability became available | no | default -1 | Policy creation |
| -min_severity string | minimum severity to fail for policy evaluation | no | | Policy creation |
| -t string | image type | yes | tar, daemon, pull | Vuln scan |

Use Cases

Scan Remote Image and Save PDF Report

In this example, the Inspector scans a remote image on a Linux host and saves the resulting report as a PDF to ./scanResults.pdf.

# -t pull: pull the image from the remote repository
# -i: the image to inspect
# -f pdf: report format
# -o: output path inside the mounted /outdir (./scanResults.pdf on the host)
docker run --rm -v "$(pwd)":/outdir quay.io/sysdig/scanning-inspector-linux:latest \
  -t pull \
  -i mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 \
  -f pdf \
  -o /outdir/scanResults.pdf

Scan Local Image, Apply Policy Conditions, and Generate JSON Report

In this example, the Inspector should:

  • Scan a local image on a Windows host

  • Apply a policy that fails on vulnerabilities with a minimum severity of high and a minimum of 7 days since the vulnerability fix became available

  • Exit with status 1 if the scan does not pass the policy

  • Write the report in JSON

# -t daemon: use the local Docker daemon for the image scan
# -i: local image name
# -min_severity high: any CVE of severity high or above fails the policy
# -min_days_fix 7: only fail when a fix has been available for more than 7 days
# -f json / -o: report format and output path (./scanResults.json on the host)
docker run --rm -v "$(pwd)":/outdir quay.io/sysdig/scanning-inspector-windows:latest \
  -t daemon \
  -i nanoserver:10.0.17763.1518 \
  -min_severity high \
  -min_days_fix 7 \
  -f json \
  -o /outdir/scanResults.json
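As an added example that is not part of the Sysdig documentation, the following bash script shows how the pass/fail gating described under "CI/CD Pipeline" can be built from the policy flags used in this use case: it scans a list of images, keeps one JSON report per image, and fails the job when any image fails policy. It assumes the Inspector exits non-zero on policy failure, and SCANNER_CMD is an assumed hook (not an Inspector option) so a pipeline or a test can substitute the docker invocation.

```shell
#!/usr/bin/env bash
# Added example (not Sysdig's code): gate a CI job on Scanning Inspector policy results.
# Assumption: the Inspector exits non-zero when the policy fails (the page states exit 1).
# SCANNER_CMD is an assumed hook so a pipeline or a test can swap in the docker command;
# it is expanded unquoted on purpose so that its words split into command + arguments.
SCANNER_CMD="${SCANNER_CMD:-docker run --rm -v $(pwd):/outdir quay.io/sysdig/scanning-inspector-linux:latest}"

# report_name IMAGE -> a per-image JSON file name with '/' and ':' replaced by '_'
report_name() {
  printf '%s.json\n' "$(printf '%s' "$1" | tr '/:' '__')"
}

# scan_image IMAGE_TYPE IMAGE MIN_SEVERITY MIN_DAYS_FIX
# Runs one scan with the policy flags from the page; returns the Inspector's exit status.
scan_image() {
  local image_type="$1" image="$2" min_sev="$3" min_days="$4"
  $SCANNER_CMD -t "$image_type" -i "$image" \
    -min_severity "$min_sev" -min_days_fix "$min_days" \
    -f json -o "/outdir/$(report_name "$image")"
}

# gate_images IMAGE_TYPE MIN_SEVERITY MIN_DAYS_FIX IMAGE...
# Scans every image, prints PASS/FAIL per image, and returns the number of images
# that failed policy, so a pipeline step can simply stop on a non-zero status.
gate_images() {
  local image_type="$1" min_sev="$2" min_days="$3"
  shift 3
  local failed=0 image
  for image in "$@"; do
    if scan_image "$image_type" "$image" "$min_sev" "$min_days"; then
      echo "PASS $image"
    else
      echo "FAIL $image (severity >= $min_sev with a fix available > $min_days days)" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Typical pipeline step: scan the images built by this job and stop on any policy failure.
# gate_images pull high 7 mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 || exit 1
```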