
Container Security

Mondoo is designed to integrate into your developer workflows to catch security vulnerabilities and misconfigurations before they reach production.

In this quickstart, we will cover how you can use Mondoo to quickly test container images for security vulnerabilities, advisories, and exploits in order to better assess risk before deploying images to production.

Prerequisites:

To follow along you will need to have the following:

  • Mondoo Account
  • Mondoo Command Line Interface (CLI) installed and configured

Step 1: Scan a Public Docker Image in Docker Hub

The Mondoo CLI scans Docker images and containers through the docker:// transport of the mondoo scan -t command. This one transport lets you scan:

  • Local image - mondoo scan -t docker://<image_id>
  • Running container - mondoo scan -t docker://<container_id>
  • Container registry image - mondoo scan -t cr://registry

To help you assess container images for security vulnerabilities, the Policy Hub in the Mondoo Platform comes preloaded with the Platform Vulnerability Policy, which assesses assets for known vulnerabilities, advisories, and exploits and scores the asset based on the scan results.

Let’s use the Mondoo CLI to scan the official Ubuntu public image in Docker Hub. We will pass the --incognito flag and skip sending the results to Mondoo for now:

Scan a Public Docker Image

mondoo scan -t docker://ubuntu:latest --policy '//policy.api.mondoo.app/policies/platform-vulnerability' --incognito

With incognito mode, scan results are only printed to your terminal; nothing is sent to the Mondoo Platform.

Step 2: Understanding the Scan Results

Each Mondoo policy produces a simple numeric summary score between 0 and 100. The score maps to a letter grade by range; the + and - sub-grades start at the lower bounds listed in the last column:

Score range   Grade   Sub-grades (lower bound)
80 .. 100     A       A+ 95, A 85, A- 80
60 .. 79      B       B+ 75, B 65, B- 60
30 .. 59      C       C+ 50, C 40, C- 30
10 .. 29      D       D+ 25, D 15, D- 10
0 .. 9        F

In the case of the ubuntu:latest image no vulnerabilities are found, so the score is 100, or A+:

54ab604fab8d
============

┌▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄┐
│    _                       │
│   /_\ +   Excellent 100/100│
│  / _ \    100% complete    │
│ /_/ \_\   ▄▄ ▄▄ ▄▄ ▄▄      │
└────────────────────────────┘

This basic approach to scanning can be used to assess any public image in Docker Hub before deploying it in your own environment, and the same docker:// transport also works with other major container registries:

mondoo scan -t docker://index.docker.io/
mondoo scan -t docker://index.docker.io/namespace/repository
mondoo scan -t docker://harbor.yourdomain.com
mondoo scan -t docker://harbor.yourdomain.com/project/repository
mondoo scan -t docker://yourname.azurecr.io
mondoo scan -t docker://123456789.dkr.ecr.us-east-1.amazonaws.com/repository
mondoo scan -t docker://gcr.io/google-containers/ubuntu:14.04

Step 3: Scanning Docker Images During Development

For developers building containers, it is important to be able to assess images during development before publishing to any container registry for deployment.

The next example requires that Docker Desktop is installed and running on your workstation.

Just so we are on the same page, let's pull down the latest official Redis image from Docker Hub:

docker pull redis:latest

Now run docker images to list the images locally:

docker images

REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
redis        latest   3d603c37981a   2 weeks ago   99.7MB

Using the IMAGE ID we can scan the image locally:

mondoo scan -t docker://3d603c37981a --incognito --policy '//policy.api.mondoo.app/policies/platform-vulnerability'

This image is also free of known vulnerabilities and receives an A+ score:

Platform Vulnerability Policy
-----------------------------

┌▄▄▄▄▄▄▄▄▄┐
│    _    │ Policy: Platform Vulnerability Policy
│   /_\ + │ Version: 1.0.0
│  / _ \  │ Score: 100 (completion: 100%)
│ /_/ \_\ │ CVSS: 0.0
└─────────┘

┌─ Packages ───────────────────────────┐
│ Total:    ████████████████████ 86    │
│ Critical:                      0     │
│ High:                          0     │
│ Medium:                        0     │
│ Low:                           0     │
└──────────────────────────────────────┘

■ No advisories found (passed)

Additional Checks:
■ Platform is not end-of-life (passed)


Summary
=======

Asset Overview

■ A+ sharp_blackburn

Aggregated Policy Overview

Platform Vulnerability Policy ███████████████████████████████████████████████████ A: 1

Step 4: Scanning Running Containers

Mondoo can also scan running containers by passing their container_id to the docker:// transport.

Let's run the redis image, and scan it:

docker run -t -d redis:latest

Run the docker ps command to get the CONTAINER ID:

docker ps

CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS         PORTS      NAMES
660dcbb47cb9   redis:latest   "docker-entrypoint.s…"   4 seconds ago   Up 4 seconds   6379/tcp   sharp_blackburn

Scan the running container with Mondoo, substituting the CONTAINER ID from docker ps (660dcbb47cb9 above) for <container_id>:

mondoo scan -t docker://<container_id> --incognito --policy '//policy.api.mondoo.app/policies/platform-vulnerability'

Step 5: Scanning All Running Containers

Mondoo has the ability to discover nested assets by passing --discover to the docker:// transport.

There are three discovery options for the docker transport:

  • all scans both running containers and images.
  • container scans only running containers.
  • container-images scans only the container images present on the host.

To scan only running containers, pass --discover container to the scan command.

Scan all running containers with mondoo:

mondoo scan -t docker:// --discover container --incognito --policy '//policy.api.mondoo.app/policies/platform-vulnerability'
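As an added example (not code from the Mondoo documentation or CLI), the following POSIX shell script ties Steps 2 through 5 together into a pre-push gate for a local image: it resolves an image reference to its IMAGE ID with docker, runs the same incognito scan used above, reads the numeric score out of the text report using the "Score: N (completion: ...)" line shown in the Step 3 output, maps it to the letter grade from the Step 2 table, and fails when the score is below a threshold. It assumes docker and mondoo are on PATH and that the report is plain text in the layout shown above; SAMPLE_REPORT is a constructed fragment used only to exercise the parser offline, and all function names are the script's own.

```shell
#!/bin/sh
# Added example, not part of the Mondoo docs: gate a local image on its
# Platform Vulnerability Policy score before it is pushed to a registry.
# Assumes docker and mondoo are on PATH and that the scan report contains
# a plain-text line "Score: <n> (completion: <p>%)" as in the Step 3 output.
set -u

POLICY='//policy.api.mondoo.app/policies/platform-vulnerability'

# Constructed sample of the report layout shown above (not real scan output),
# used to try the parser without docker or mondoo installed.
SAMPLE_REPORT='Platform Vulnerability Policy
│ / _ \ │ Score: 73 (completion: 100%)
│ /_/ \_\ │ CVSS: 7.5'

# Map a 0-100 score to the grade from the Step 2 table (sub-grade lower bounds).
grade_for_score() {
  s=$1
  if   [ "$s" -ge 95 ]; then echo "A+"
  elif [ "$s" -ge 85 ]; then echo "A"
  elif [ "$s" -ge 80 ]; then echo "A-"
  elif [ "$s" -ge 75 ]; then echo "B+"
  elif [ "$s" -ge 65 ]; then echo "B"
  elif [ "$s" -ge 60 ]; then echo "B-"
  elif [ "$s" -ge 50 ]; then echo "C+"
  elif [ "$s" -ge 40 ]; then echo "C"
  elif [ "$s" -ge 30 ]; then echo "C-"
  elif [ "$s" -ge 25 ]; then echo "D+"
  elif [ "$s" -ge 15 ]; then echo "D"
  elif [ "$s" -ge 10 ]; then echo "D-"
  else                       echo "F"
  fi
}

# Print the first "Score: N" value from a text report read on stdin.
# Prints nothing and returns 1 when no score line exists, so a failed or
# truncated scan is never mistaken for a passing one.
score_from_report() {
  s=$(sed -n 's/.*Score: \([0-9][0-9]*\) (completion:.*/\1/p' | head -n 1)
  [ -n "$s" ] || return 1
  echo "$s"
}

# Return 0 when score >= threshold, 1 otherwise.
gate_score() {
  [ "$1" -ge "$2" ]
}

# Resolve an image reference such as redis:latest to its IMAGE ID (Step 3).
image_id() {
  docker images --format '{{.ID}}' "$1" | head -n 1
}

# Scan one local image and gate on its score.
# Usage: scan_and_gate redis:latest 80   (threshold defaults to 80, an A-)
scan_and_gate() {
  ref=$1; min=${2:-80}
  id=$(image_id "$ref")
  [ -n "$id" ] || { echo "image $ref not found locally; docker pull it first" >&2; return 2; }
  # The report is kept regardless of the CLI's exit status; the score line decides.
  report=$(mondoo scan -t "docker://$id" --incognito --policy "$POLICY")
  score=$(printf '%s\n' "$report" | score_from_report) \
    || { echo "no score line in report for $ref" >&2; return 2; }
  echo "$ref ($id): $score/100 $(grade_for_score "$score")"
  gate_score "$score" "$min"
}

# Only run the gate when an image reference is given, e.g.:
#   sh scan-gate.sh redis:latest 80
if [ $# -gt 0 ]; then
  scan_and_gate "$@"
fi
```

Exit status 0 means the image met the threshold, 1 means it scored below it, and 2 means the scan could not be evaluated (image missing or no score line); a CI job should treat 2 as a failure too rather than silently passing an unscanned image.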

Next Steps

Building, deploying, and managing containers securely is a continuous process that requires collaboration across teams within your organization. Mondoo integrates into your developer workflows by plugging into any CI/CD tooling, including GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps Pipelines, and more. For more information, check out our docs on CI/CD.

Up to this point we have only been scanning assets with a single policy and reading the results on the command line, but this is just scratching the surface of what you can do with Mondoo. In the next section we will show you how to set up the Mondoo Platform to run multiple policies continuously against your assets.