Is relying on node:latest as your base image a safe choice? From a developer-productivity standpoint it is effective: you are up and running quickly. But have you ever wondered whether the image is secure?
This blog post examines the security implications of using node:latest as your base image.
We want to determine whether node:latest is vulnerable and, if so, to what extent. To get results quickly, we'll use the grype command-line scanner:
As the animation shows, the output is long. It comes down to the following summary lines:

```
➜ grype node:latest
 ✔ Vulnerability DB              [no update available]
 ✔ Loaded image                  node:latest
 ✔ Parsed image                  sha256:7828fdf71577e0d266f905d26d27e46ac418ac2fa8fc05a78ad01c8811b7abb6
 ✔ Cataloged packages            [683 packages]
 ✔ Scanned for vulnerabilities   [770 vulnerability matches]
   ├── by severity: 3 critical, 59 high, 230 medium, 30 low, 430 negligible (18 unknown)
   └── by status:   56 fixed, 714 not-fixed, 0 ignored
```

The default image produces 770 vulnerability matches. How could you ship something like that into production?
Let's look closer at what exactly grype found and what we need to address.
Seeing that output does not feel great. Does it mean you shouldn't rely on this image? No. It is an opportunity to investigate further and make a conscious decision about using it.
The report classifies 430 of the matches as negligible. That is the severity the Debian security tracker assigns to issues it judges to have little or no practical impact (node:latest is Debian-based), so those rarely change the picture.
What matters far more are the 3 critical and 59 high findings. Depending on the vulnerability, an attacker may be able to use one of them to gain access to the system, or worse.
We also want to keep an eye on the fix status.
The 56 matches marked fixed are vulnerabilities for which the distribution already ships a patched package, so we can close them simply by upgrading. The 714 marked not-fixed have no patched package yet; upgrading does nothing for them, and each has to be judged on whether the affected component is even reachable in our workload.
Reaching zero findings may not be feasible, but we can work proactively to push the number down as far as possible.
A good starting point, in this case, is to run apt-get update && apt-get upgrade -y as part of the image build, ideally in a shared base image so every downstream image inherits the patched packages. Re-scan after the upgrade: the count should drop by up to the 56 fixed matches, not to zero.
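The triage described above, as an added example that is not part of the original post and not code from the grype project: a small Python script that reads a report produced by `grype node:latest -o json`, reproduces the by-severity and by-status summary, and makes the build fail only on findings that are both at or above a chosen severity and have a fix available, which is exactly the subset an apt-get upgrade can address. The report embedded in the script is constructed for illustration; its CVE identifiers, package names and versions are placeholders, not findings from node:latest. The field names follow grype's JSON output (matches[].vulnerability.severity, matches[].vulnerability.fix.state, matches[].artifact).

```python
"""Triage a grype JSON report: summarize by severity and fix state, then fail
the build only on findings that are fixable at or above a chosen severity.

Added example, not code from the original post or from the grype project.
Produce a real report with:  grype node:latest -o json > report.json
The sample report below is constructed for illustration; the CVE ids,
package names and versions are placeholders, not real findings.
"""
import json
from collections import Counter

# grype's severity labels, lowest to highest. "Unknown" is deliberately absent.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in grype's JSON shape (only the fields used here).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.3-1"]}},
         "artifact": {"name": "libexample1", "version": "1.2.2-1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "libfoo", "version": "2.0-1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Negligible",
                           "fix": {"state": "wont-fix", "versions": []}},
         "artifact": {"name": "libbar", "version": "0.9-3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["4.1-2"]}},
         "artifact": {"name": "libbaz", "version": "4.1-1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0005", "severity": "Unknown",
                           "fix": {"state": "unknown", "versions": []}},
         "artifact": {"name": "libqux", "version": "1.0", "type": "deb"}},
    ]
})


def summarize(report_json: str) -> dict:
    """Return counts by severity and by fix state, like grype's summary lines."""
    matches = json.loads(report_json)["matches"]
    by_severity = Counter(m["vulnerability"]["severity"] for m in matches)
    by_status = Counter(m["vulnerability"]["fix"]["state"] for m in matches)
    return {"total": len(matches),
            "by_severity": dict(by_severity),
            "by_status": dict(by_status)}


def actionable(report_json: str, min_severity: str = "High") -> list:
    """Findings worth blocking on: severity >= min_severity AND a fix exists.

    Unknown severity is below every threshold here, so it is counted in the
    summary but never blocks on its own; tighten that if your policy is stricter.
    Returns (cve, severity, package, installed_version, fixed_in), worst first.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    rows = []
    for m in json.loads(report_json)["matches"]:
        vuln, pkg = m["vulnerability"], m["artifact"]
        sev = vuln["severity"]
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) < threshold:
            continue
        if vuln["fix"]["state"] != "fixed":
            continue  # no patched package yet: upgrading cannot help
        rows.append((vuln["id"], sev, pkg["name"], pkg["version"],
                     ", ".join(vuln["fix"]["versions"])))
    rows.sort(key=lambda r: -SEVERITY_ORDER.index(r[1]))
    return rows


def gate(report_json: str, min_severity: str = "High") -> int:
    """Exit status for CI: 1 if any fixable finding meets the threshold."""
    s = summarize(report_json)
    print(f"{s['total']} matches; by severity {s['by_severity']}; "
          f"by status {s['by_status']}")
    blocking = actionable(report_json, min_severity)
    for cve, sev, name, ver, fixed_in in blocking:
        print(f"  {sev:9} {cve} {name} {ver} -> fixed in {fixed_in}")
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

Run it in CI as python3 gate.py report.json after grype node:latest -o json > report.json; a non-zero exit blocks the pipeline. grype's own --only-fixed and --fail-on flags give a similar gate directly, but the script keeps the full summary in the build log and lets you adjust the policy, for instance to block on unknown severity as well.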
A one-off scan is excellent for understanding the overall security state of a specific image version.
What's the next step?
Ideally, you want to see which images are most affected by vulnerabilities without running one-off scans by hand. As developers push new image versions, image repositories need to be scanned continuously.
And whenever a new critical CVE surfaces, we want to know how many images and currently running workloads are affected.
Panoptica excels in both use cases.
If you're using Amazon Web Services (the same applies to Google Cloud Platform and Microsoft Azure), you can connect your account to Panoptica to gain additional security insights.
The screenshot above shows a Node.js base image hosted on AWS ECR.
Panoptica automatically scans the ECR repositories in connected accounts and reports the vulnerabilities it finds. At a glance, you see the number of findings, categorized by severity.
As we drill down, we get information on the most critical CVEs:
Instead of asking every team to extend its CI/CD pipeline with vulnerability scanning, Panoptica gives you this data automatically.
It saves time and stress, because you can check the data immediately, for instance when a new CVE hits the news.
From this view it is also straightforward to share findings with others: forward a link to a colleague or create a ticket (for example in Jira or ServiceNow) right away.
It is feasible to rely on the node Docker image. But instead of deploying an image straight into production, make a habit of scanning it first. The more insight you have, the better.
When the next critical CVE is in the news, Panoptica shows you immediately whether you're affected. Just because an image is tagged latest does not mean it is secure.
Use Panoptica's data to ship patched versions, or build a smaller base image with a smaller package footprint and therefore fewer vulnerabilities to track.
Interested in image scanning and other security features? Sign up for Panoptica today.