
Consider adding docker security scanner? #6

Open
fzipi opened this issue Feb 13, 2020 · 10 comments
Assignees: franbuehler
Labels: enhancement (New feature or request)

Comments

fzipi (Member) commented Feb 13, 2020

We may want to add an action for docker security scanning:

https://github.com/phonito/phonito-scanner-action

franbuehler (Contributor) commented

I tried this in my fork and it works. We have vulnerabilities in our images though:

modsecurity-crs-docker
https://github.com/franbuehler/modsecurity-crs-docker/runs/1047826260?check_suite_focus=true:

Scan with Phonito Security
15s
##[error]Docker image contains vulnerabilities
Found vulnerabilities as of: Sun Aug 30 2020 14:26:14 GMT+0000 (Coordinated Universal Time)
┌──────────────────┬─────────┬──────────┬───────────────────┐
│ CVE ID           │ Product │ Severity │ Installed Version │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1387    │ git     │ HIGH     │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1348    │ git     │ LOW      │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1353    │ git     │ CRITICAL │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2020-5260    │ git     │ HIGH     │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1551    │ openssl │ MEDIUM   │ 1.1.1d            │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-1000156 │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-20969   │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-6951    │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-6952    │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-20633   │ patch   │ MEDIUM   │ 2.7.6             │
└──────────────────┴─────────┴──────────┴───────────────────┘

10 vulnerabilities present owasp/modsecurity-crs:3.3-apache.
View scan details: https://phonito.io/vulnerabilities/b3dhc3AvbW9kc2VjdXJpdHktY3JzOjMuMy1hcGFjaGU=
##[error]Docker image contains vulnerabilities

I think a rebuild and push of the underlying owasp/modsecurity-docker image would already help, we have fewer vulnerabilities there:

modsecurity-docker
https://github.com/franbuehler/modsecurity-docker/runs/1047876721?check_suite_focus=true

 Scan with Phonito Security
14s
[PHONITO] Succesfully scanned image.
Run phonito/phonito-scanner-action@master
wget https://phonito-public-artifacts.azureedge.net/scanner/phonito-scanner -O /tmp/phonito-scanner --quiet
chmod +x /tmp/phonito-scanner
/tmp/phonito-scanner -i owasp/modsecurity:v2-apache --fail-level HIGH
Phonito Security scan complete!
Found vulnerabilities as of: Sun Aug 30 2020 14:58:57 GMT+0000 (Coordinated Universal Time)
┌───────────────┬─────────┬──────────┬───────────────────┐
│ CVE ID        │ Product │ Severity │ Installed Version │
├───────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1551 │ openssl │ MEDIUM   │ 1.1.1d            │
└───────────────┴─────────┴──────────┴───────────────────┘

1 vulnerabilities present owasp/modsecurity:v2-apache.
View scan details: https://phonito.io/vulnerabilities/b3dhc3AvbW9kc2VjdXJpdHk6djItYXBhY2hl
[PHONITO] Succesfully scanned image.

Questions:
Do we want to add a schedule to the "build and push" workflows?
And do we want to extend the build and push with this security scan?

bittner (Contributor) commented Aug 30, 2020

Adding a scheduled scan certainly makes sense. We should then only trigger rebuilding the image when necessary, e.g. when vulnerabilities were found.

fzipi (Member, Author) commented Aug 30, 2020

This looks cool @franbuehler! I think @bittner has a point in creating a new one only when something is found. Do you need additional help with setting it up?

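An added example (not code from the CRS project or from any commenter) of the gating logic the questions above and bittner's reply call for. It reads the JSON report that `trivy image --format json <image>` writes (Trivy is the scanner used later in this thread), rebuilds the `Total: N (UNKNOWN: .., LOW: .., ...)` summary line, fails the job when any finding is at or above a threshold such as HIGH (the same idea as the Phonito `--fail-level HIGH` run above), and asks for a rebuild only when at least one of those findings has a fixed package version upstream, because rebuilding against an unchanged base image removes nothing. The report shape and field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `Severity`, `FixedVersion`) are assumed to follow Trivy's JSON output; the embedded sample report with `CVE-0000-000x` identifiers and `pkg-*` package names is constructed for this example and is not a real scan.

```python
"""Gate an image build on a Trivy scan (added example, not project code)."""
import json
import subprocess
from collections import Counter

# Trivy prints its summary in this order: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample in the assumed shape of a Trivy JSON report. IDs, package
# names and versions are placeholders chosen to exercise each code path.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/image:debian",
    "Results": [
        {
            "Target": "example/image:debian (debian 11.1)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},  # fix shipped: a rebuild removes it
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "HIGH"},  # no fix yet: a rebuild changes nothing
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
                 "InstalledVersion": "0.9", "Severity": "MEDIUM"},  # key absent
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d",
                 "InstalledVersion": "4.1", "FixedVersion": "4.2",
                 "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "pkg-e",
                 "InstalledVersion": "1.2"},  # Severity missing -> UNKNOWN
            ],
        },
        # A target with nothing found carries no "Vulnerabilities" key at all.
        {"Target": "usr/local/bin/tool", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
}


def scan_image(image, timeout=900):
    """Run Trivy on ``image`` and return the parsed report (trivy must be on PATH)."""
    proc = subprocess.run(
        ["trivy", "image", "--quiet", "--format", "json", image],
        capture_output=True, text=True, check=True, timeout=timeout,
    )
    return json.loads(proc.stdout)


def iter_vulns(report):
    """Yield every finding across all targets, tolerating absent lists."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def severity(vuln):
    return vuln.get("Severity", "UNKNOWN").upper()


def summarize(report):
    """Per-severity counts, keyed in Trivy's display order."""
    counts = Counter(severity(v) for v in iter_vulns(report))
    return {name: counts.get(name, 0) for name in SEVERITY_ORDER}


def format_summary(report):
    """Reproduce Trivy's 'Total: N (UNKNOWN: .., ...)' line from the report."""
    counts = summarize(report)
    body = ", ".join(f"{name}: {counts[name]}" for name in SEVERITY_ORDER)
    return f"Total: {sum(counts.values())} ({body})"


def at_or_above(report, fail_level="HIGH"):
    """Findings whose severity meets the threshold; unknown names rank lowest."""
    threshold = RANK[fail_level.upper()]
    return [v for v in iter_vulns(report) if RANK.get(severity(v), 0) >= threshold]


def should_fail(report, fail_level="HIGH"):
    """True if the job should go red, mirroring a --fail-level style gate."""
    return bool(at_or_above(report, fail_level))


def fixable(report, fail_level="HIGH"):
    """Findings at or above the threshold for which a fixed version exists."""
    return [v for v in at_or_above(report, fail_level) if v.get("FixedVersion")]


def rebuild_needed(report, fail_level="HIGH"):
    """Only trigger a rebuild when rebuilding can actually remove a finding."""
    return bool(fixable(report, fail_level))


if __name__ == "__main__":
    import sys

    report = scan_image(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(format_summary(report))
    for v in fixable(report):
        print(f"fix available: {v['VulnerabilityID']} {v['PkgName']} "
              f"{v.get('InstalledVersion')} -> {v['FixedVersion']}")
    print("rebuild needed:", rebuild_needed(report))
    sys.exit(1 if should_fail(report) else 0)
```

Run as `python gate.py owasp/modsecurity-crs:3.3.2-nginx` in a scheduled job; the exit status gives the pass/fail signal and `rebuild_needed` is the condition to put on the build-and-push step. Splitting "fail" from "rebuild" matters: an unfixed CRITICAL in the base distribution will keep the scan red on every run, and a rebuild in that state only burns CI minutes and pushes an identical image.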
bittner (Contributor) commented Aug 31, 2020

Whatever you can do that brings us forward is super-welcome!

We, at @vshn, would still need to invest time to verify the 4 main images (owasp/modsecurity:apache, owasp/modsecurity-crs:apache, and owasp/modsecurity:nginx, owasp/modsecurity-crs:nginx) in Production. We still maintain derivatives of our own image based on CRS 3.1, which is somewhat the "mother" of the changes we applied to the current images. I see some work ahead to align the last bits we might have overlooked when taking over our current features.

franbuehler (Contributor) commented

Thank you @fzipi and @bittner
Ok, I'll try to implement this (when I find some time).

And yes, then we should investigate which changes are still missing in our official images and what else needs to be done.

bittner (Contributor) commented Sep 14, 2020

Relates to coreruleset/modsecurity-docker#43.

franbuehler self-assigned this Dec 15, 2020

MitchellCash commented

Relates to coreruleset/modsecurity-docker#43.

I also just ran a trivy scan against owasp/modsecurity-crs:v3.3.2-nginx and it returned:

owasp/modsecurity-crs:v3.3.2-nginx (debian 10.10)
=================================================
Total: 323 (UNKNOWN: 0, LOW: 215, MEDIUM: 45, HIGH: 55, CRITICAL: 8)

Now that modsecurity-docker has moved to Alpine it would be nice to see modsecurity-crs-docker also move from Debian to Alpine.

NGINX maintain both Debian and Alpine images, so hopefully this is not a large increase in maintenance burden as we can still rely on default upstream images.

fzipi (Member, Author) commented Nov 30, 2021

@MitchellCash Can you run it again now that we have alpine images? We still need to run this in a pipeline.

fzipi added the enhancement label Nov 30, 2021

MitchellCash commented

@fzipi Alpine based image looks good to me on the initial trivy scan (also the image is almost half the size)! Nice work!

Debian based image

owasp/modsecurity-crs:3.3.2-nginx (debian 11.1)
===============================================
Total: 232 (UNKNOWN: 0, LOW: 156, MEDIUM: 43, HIGH: 24, CRITICAL: 9)

Alpine based image 🥳

owasp/modsecurity-crs:3.3.2-nginx-alpine (alpine 3.14.3)
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

fzipi (Member, Author) commented Jan 18, 2022

Good, this matches my own tests. I don't think we can do too much in the debian image (I've checked a couple criticals, and they are still there :/ ).
