Scan docker image that is not running #6501

Open
candrews opened this issue Apr 17, 2023 · 1 comment
@candrews

Detailed Description

Currently, to scan a docker image, a container for that image must be running.

For example, to scan alpine:latest:

export CT=alpine:latest
CID=$(podman run --rm -d -i --init --entrypoint=/bin/cat ${CT})
inspec exec linux-baseline/ -t docker://${CID}

It would be great to be able to run something like this:

inspec exec linux-baseline/ -t docker://alpine:latest

which would scan alpine:latest without having it running as a container.

Context

  • For security scanning purposes, it's desirable to not have to start the image.

  • Some images don't have /bin/sh or /bin/cat or really anything else in them (the chef/inspec image is an example of such a "distroless" image). Scanning such images is currently difficult and a strategy unique to that image must be found. If the image didn't have to be running as a container in order to be scanned, image scanning could be done more generically.

Possible Implementation

OpenSCAP has this capability. The approach it takes is to extract the image to a directory then scan that directory. The implementation for docker (which also works for podman via the docker API) can be found at https://github.com/OpenSCAP/openscap/blob/maint-1.3/utils/oscap-docker.in . However, it's written in python, which is a bit more challenging to follow than the podman-specific implementation at https://github.com/OpenSCAP/openscap/blob/maint-1.3/utils/oscap-podman , which implements the same approach in shell.
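The extract-then-scan approach described above, as an added example that is not part of the issue, of InSpec, or of OpenSCAP's oscap-docker/oscap-podman scripts. It assumes podman is on PATH (docker has the same create/export/rm subcommands); the function names (extract_image_rootfs, scan_rootfs and the rootfs_* helpers) are this example's own, and the plain-shell checks on the extracted tree (OS identification, setuid/setgid and world-writable files) stand in for a real profile to show that the image never has to be started:

```shell
#!/bin/sh
# Added example, not code from the issue, InSpec or OpenSCAP. Extracts an
# image's root filesystem without starting a process in it, then runs a few
# plain-shell checks over the extracted tree. Assumes `podman` is on PATH;
# `docker` has the same create/export/rm subcommands.
set -eu

# Export IMAGE's merged root filesystem into DIR. `podman create` only builds
# the container (nothing inside the image is executed, so images without
# /bin/sh or /bin/cat work too) and `podman export` streams its rootfs as a
# tar archive. The trailing /placeholder is a command argument so that images
# with no CMD/ENTRYPOINT can still be created; it is never run.
extract_image_rootfs() {
    image=$1
    dir=$2
    mkdir -p "$dir"
    cid=$(podman create "$image" /placeholder)
    podman export "$cid" | tar -C "$dir" -xf -
    podman rm "$cid" >/dev/null
}

# Distribution ID from etc/os-release in the extracted tree, or "unknown".
rootfs_os_id() {
    dir=$1
    if [ -f "$dir/etc/os-release" ]; then
        sed -n 's/^ID=//p' "$dir/etc/os-release" | tr -d '"'
    else
        echo unknown
    fi
}

# Regular files with the setuid or setgid bit set, as paths inside the image.
rootfs_setxid_files() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$dir||" | sort
}

# Regular files that are world-writable, as paths inside the image.
rootfs_world_writable_files() {
    dir=$1
    find "$dir" -type f -perm -0002 | sed "s|^$dir||" | sort
}

# Print the OS and each finding; exit status 0 only when there are no findings.
# (Word-splitting on the result lists assumes paths without whitespace.)
scan_rootfs() {
    dir=$1
    findings=0
    echo "os: $(rootfs_os_id "$dir")"
    for f in $(rootfs_setxid_files "$dir"); do
        echo "setuid/setgid: $f"
        findings=$((findings + 1))
    done
    for f in $(rootfs_world_writable_files "$dir"); do
        echo "world-writable: $f"
        findings=$((findings + 1))
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage: sh scan-image.sh alpine:latest
if [ "$#" -ge 1 ]; then
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    extract_image_rootfs "$1" "$work/rootfs"
    scan_rootfs "$work/rootfs"
fi
```

Because `podman create` builds the container without executing anything from the image, the extraction step has no dependency on a shell or `cat` inside the image, which is what makes the approach generic across distroless images; whatever scanner is pointed at the extracted directory afterwards only needs filesystem access.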

@clintoncwolfe
Contributor

@lokeshk1987

@clintoncwolfe clintoncwolfe added the Type: New Feature Adds new functionality label May 2, 2023
No branches or pull requests

3 participants