Improve Security with this One-Liner | SUSE Communities


Picture this: you are searching through the backlog for a nice feature to develop and play with. The day looks nice, the sky is clear, and you're listening to lo-fi on YouTube.

That's when the infamous security team enters the room (or the Slack channel) with their usual complaint: we want more security!

We know that security is essential. I am pretty sure you've read The Unicorn Project and know this quote: "If a developer ever has a choice between working on a feature or security, they should always choose security."

The worst security issue in your cloud-native app is usually the part you don't manage: the base layer of your container image.
Palo Alto Networks found that 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. Scary.

What if I told you that you could improve security just by changing the FROM line in your Dockerfile?
Wait, don't run away!
What if I told you that changing the base image won't break your language frameworks or dependencies?

SUSE has just released a brand-new set of lightweight, hardened, tech-preview container images, the SUSE Linux Enterprise Base Container Images (SLE BCI), targeted at developers and operators.

Let's look at the numbers with Trivy. Trivy scans OCI images (or source trees) and reports known vulnerabilities (CVEs) in both the OS packages and the language-level dependencies it finds, which is why the scans below show a separate section for node-pkg and python-pkg findings.

Golang: Official Docker Hub vs. SLE Registry

The result is stark. Let's say it's no contest:

# trivy image golang | grep Total -B2
golang (debian 11.1)
====================
Total: 307 (UNKNOWN: 1, LOW: 240, MEDIUM: 39, HIGH: 16, CRITICAL: 11)

# trivy image registry.suse.com/bci/golang:1.16 | grep Total -B2
registry.suse.com/bci/golang:1.16 (suse linux enterprise server 15.3)
=====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

NodeJS: Official Docker Hub vs. SLE Registry

If you thought golang looked like a slice of Swiss cheese, take a look at node's official image:

# trivy image node | grep Total -B2
node (debian 11.1)
==================
Total: 713 (UNKNOWN: 2, LOW: 497, MEDIUM: 140, HIGH: 59, CRITICAL: 15)
--
Node.js (node-pkg)
==================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

# trivy image registry.suse.com/bci/nodejs:14 | grep Total -B2
registry.suse.com/bci/nodejs:14 (suse linux enterprise server 15.3)
===================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
--
Node.js (node-pkg)
==================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)

Python: Official Docker Hub vs. SLE Registry

Last but not least, my favorite language: Python. Its official image is no better:

# trivy image python:3.9 | grep Total -B2
python:3.9 (debian 11.1)
========================
Total: 738 (UNKNOWN: 2, LOW: 520, MEDIUM: 142, HIGH: 59, CRITICAL: 15)
--
Python (python-pkg)
===================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

# trivy image registry.suse.com/bci/python:3.9 | grep Total -B2
registry.suse.com/bci/python:3.9 (suse linux enterprise server 15.3)
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
--
Python (python-pkg)
===================
Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
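One caveat a practitioner should take from the output above: the "Total: 0" lines only cover the OS layer. In the Node.js comparison the BCI image reports 6 HIGH findings in bundled npm packages (node-pkg) against 2 in the official image, so grepping a single Total line can hide the part of the report that matters for your build. The script below is an added example for this post (not SUSE's or the Trivy project's code). It reads the JSON that `trivy image --format json -o report.json <image>` writes, reproduces the same per-target Total line, separates OS-package from language-package targets, and fails when any target exceeds a severity threshold. The field names follow Trivy's JSON schema (Results, Target, Class, Vulnerabilities, Severity, FixedVersion); the embedded sample report is constructed to mirror the shape of the nodejs:14 scan, and its vulnerability IDs are placeholders, not real CVEs.

```python
"""Summarise a Trivy JSON report per scan target and gate a build on severity.

Added example for this post; not SUSE's or the Trivy project's code. Input is the
JSON produced by `trivy image --format json -o report.json <image>`. Field names
follow Trivy's schema; the sample findings below are constructed placeholders.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def summarise(report, ignore_unfixed=False):
    """Count findings per target, like Trivy's table output.

    Returns {target: {"class": "os-pkgs" | "lang-pkgs", "counts": Counter}}.
    With ignore_unfixed=True, findings without a FixedVersion are dropped, which is
    what `trivy --ignore-unfixed` does (distros mark many low-severity issues unfixed).
    """
    summary = {}
    for result in report.get("Results", []):
        findings = result.get("Vulnerabilities") or []  # Trivy emits null when clean
        if ignore_unfixed:
            findings = [v for v in findings if v.get("FixedVersion")]
        counts = Counter(v.get("Severity", "UNKNOWN") for v in findings)
        summary[result["Target"]] = {"class": result.get("Class", ""), "counts": counts}
    return summary


def format_total(counts):
    """Render the same 'Total: N (...)' line the post greps out of Trivy's table."""
    detail = ", ".join(f"{sev}: {counts.get(sev, 0)}" for sev in SEVERITIES)
    return f"Total: {sum(counts.values())} ({detail})"


def gate(summary, fail_on=("HIGH", "CRITICAL")):
    """Return [(target, severity, count)] for every target breaching the policy.

    OS-package and language-package targets are both checked: an image with a
    clean OS layer can still ship vulnerable npm or pip packages.
    """
    breaches = []
    for target, info in summary.items():
        for sev in fail_on:
            if info["counts"].get(sev, 0):
                breaches.append((target, sev, info["counts"][sev]))
    return breaches


def _finding(vuln_id, pkg, severity, fixed=""):
    return {"VulnerabilityID": vuln_id, "PkgName": pkg, "InstalledVersion": "1.0.0",
            "FixedVersion": fixed, "Severity": severity}


OS_TARGET = "registry.suse.com/bci/nodejs:14 (suse linux enterprise server 15.3)"

# Constructed sample with the same shape as the nodejs:14 scan in the post: a clean
# OS layer and findings only in bundled npm packages. IDs are placeholders, not CVEs.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.suse.com/bci/nodejs:14",
    "Results": [
        {"Target": OS_TARGET, "Class": "os-pkgs", "Type": "suse linux enterprise server",
         "Vulnerabilities": None},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             _finding("EXAMPLE-0001", "example-pkg-a", "HIGH", fixed="2.0.0"),
             _finding("EXAMPLE-0002", "example-pkg-b", "HIGH"),  # no fix available
             _finding("EXAMPLE-0003", "example-pkg-c", "MEDIUM", fixed="1.0.1"),
         ]},
    ],
}


def load_report(path):
    with open(path) as fh:
        return json.load(fh)


def main(argv):
    """Usage: python trivy_gate.py [report.json] [--ignore-unfixed]; exit 1 on breach."""
    paths = [a for a in argv[1:] if not a.startswith("--")]
    report = load_report(paths[0]) if paths else SAMPLE_REPORT
    summary = summarise(report, ignore_unfixed="--ignore-unfixed" in argv)
    for target, info in summary.items():
        print(f"{target} [{info['class']}]\n  {format_total(info['counts'])}")
    breaches = gate(summary)
    for target, sev, count in breaches:
        print(f"FAIL: {count} {sev} finding(s) in {target}", file=sys.stderr)
    return 1 if breaches else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the constructed sample fail on the two HIGH npm findings even though the OS target prints the same "Total: 0" line as in the post; pass `--ignore-unfixed` to drop findings that have no fixed version yet, which is the usual compromise when a gate would otherwise block on issues nobody can act on.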

Each SLE BCI language image ships the development and build tools for its language, so the usual build steps for that language still work. Give it a try!

Just replace the FROM line in your Dockerfile with one of the base images built and maintained by SUSE:

registry.suse.com/bci/nodejs:12 (NodeJS 12)
registry.suse.com/bci/nodejs:14 (NodeJS 14)
registry.suse.com/bci/openjdk:11 (Java 11 runtime only)
registry.suse.com/bci/openjdk-devel:11 (Java 11 development kit + tools)
registry.suse.com/bci/python:3.6 (Python 3.6)
registry.suse.com/bci/python:3.9 (Python 3.9)
registry.suse.com/bci/golang:1.16 (Golang 1.16)
registry.suse.com/suse/dotnet-aspnet:5.0 (.NET 5.0 runtime only)
registry.suse.com/suse/dotnet-aspnet:3.1 (.NET 3.1 runtime only)
registry.suse.com/suse/dotnet-sdk:5.0 (.NET 5.0 development kit)
registry.suse.com/suse/dotnet-sdk:3.1 (.NET 3.1 development kit)
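The one-line change above, applied across a whole Dockerfile, as an added example that is not code from the post or from SUSE. The mapping table reproduces the BCI list above alongside the Docker Hub images they replace; the Docker Hub names I chose as keys (openjdk:11 for the JDK and openjdk:11-jre for the runtime, the .NET images under mcr.microsoft.com) are my assumptions about what a typical Dockerfile would use. The script understands `FROM --platform=... image AS stage`, treats `docker.io/library/node:14` and `node:14` as the same image, and leaves alone anything it cannot map safely: stage references, ARG-driven images, digest pins (`@sha256:...`) and variant tags such as `python:3.9-slim`. The embedded Dockerfile is a constructed sample.

```python
"""Swap Docker Hub base images in a Dockerfile for their SLE BCI equivalents.

Added example for this post, not SUSE's or Docker's code. The mapping pairs the
BCI images from the post with the Docker Hub tags they replace; which Hub tags to
use as keys is my assumption. Unmapped images are left untouched.
"""
import re
import sys

BCI_EQUIVALENTS = {
    "golang:1.16": "registry.suse.com/bci/golang:1.16",
    "node:12": "registry.suse.com/bci/nodejs:12",
    "node:14": "registry.suse.com/bci/nodejs:14",
    "python:3.6": "registry.suse.com/bci/python:3.6",
    "python:3.9": "registry.suse.com/bci/python:3.9",
    "openjdk:11": "registry.suse.com/bci/openjdk-devel:11",  # Hub's openjdk:11 is a JDK
    "openjdk:11-jre": "registry.suse.com/bci/openjdk:11",    # runtime only
    "mcr.microsoft.com/dotnet/sdk:5.0": "registry.suse.com/suse/dotnet-sdk:5.0",
    "mcr.microsoft.com/dotnet/sdk:3.1": "registry.suse.com/suse/dotnet-sdk:3.1",
    "mcr.microsoft.com/dotnet/aspnet:5.0": "registry.suse.com/suse/dotnet-aspnet:5.0",
    "mcr.microsoft.com/dotnet/aspnet:3.1": "registry.suse.com/suse/dotnet-aspnet:3.1",
}

# FROM [--platform=<p>] <image> [AS <stage>]; Dockerfile instructions are case-insensitive.
FROM_RE = re.compile(r"^(?P<head>\s*FROM(?:\s+--\S+)*\s+)(?P<image>\S+)(?P<tail>.*)$",
                     re.IGNORECASE)

# Prefixes Docker adds implicitly: 'docker.io/library/node:14' is the same image as 'node:14'.
HUB_PREFIXES = ("index.docker.io/library/", "docker.io/library/", "docker.io/", "library/")


def canonical(image):
    """Strip implicit Docker Hub prefixes so lookups use the short official name."""
    for prefix in HUB_PREFIXES:
        if image.startswith(prefix):
            return image[len(prefix):]
    return image


def bci_equivalent(image):
    """BCI replacement for a Docker Hub image reference, or None when there is none."""
    if "@sha256:" in image:
        return None  # a digest pin names one exact blob; no tag-based swap applies
    return BCI_EQUIVALENTS.get(canonical(image))


def rewrite_dockerfile(text):
    """Rewrite every mappable FROM line. Returns (new_text, [(old_image, new_image), ...])."""
    lines = text.split("\n")
    changes = []
    for i, line in enumerate(lines):
        m = FROM_RE.match(line)
        if not m:
            continue
        replacement = bci_equivalent(m.group("image"))
        if replacement is None:
            continue  # stage reference, ARG-driven image, digest pin or unknown tag
        changes.append((m.group("image"), replacement))
        lines[i] = m.group("head") + replacement + m.group("tail")
    return "\n".join(lines), changes


# Constructed sample, not a real project's Dockerfile: a multi-stage Node.js build.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 docker.io/library/node:14 AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

from node:14
COPY --from=build /app/dist /app
CMD ["node", "/app/server.js"]
"""


def main(argv):
    """Usage: python swap_base.py [Dockerfile]; rewritten file on stdout, changes on stderr."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_DOCKERFILE
    new_text, changes = rewrite_dockerfile(text)
    for old, new in changes:
        print(f"FROM {old} -> FROM {new}", file=sys.stderr)
    sys.stdout.write(new_text)


if __name__ == "__main__":
    main(sys.argv)
```

After the swap, rebuild and rescan with Trivy: the image is different, so your language-level dependency findings (the node-pkg and python-pkg sections above) may change as well as the OS ones, and an unmapped FROM line left in place is reported rather than silently skipped so you can decide how to handle it.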
