Scanning containers for vulnerabilities with OpenSCAP and Podman
One of the main benefits of containers is that the software that makes up a container is separate from the system that it is running on. The container's software is placed in a container image that can easily be distributed and run. From a security perspective, however, this can be a challenge, because many security compliance scanning software utilities are focused only on the host system, and potentially miss security issues that might be present in containers on the system. For example, if a container image contains an outdated and vulnerable package, many compliance scanning utilities would miss that if they only look at the packages installed on the host.
It is important that container images stay up-to-date with security updates, and that the container images also meet required security standards. Without an effective way to scan and evaluate container images, it is easy to get in a position where you are running containers with outdated, vulnerable versions of software, or containers with configurations that don't meet your security standards.
Red Hat Enterprise Linux (RHEL) 8.2 introduced the oscap-podman utility, which allows for container images to be scanned using OpenSCAP and Podman. This utility can both check for missing advisories in a container image, as well as assess security compliance of a container image against a baseline such as PCI-DSS.
I recently published a video, Scanning Containers for Vulnerabilities on RHEL 8.2 With OpenSCAP and Podman, that covers this new utility and demonstrates how to use it.
The video covers the following topics:
- Scanning container images for vulnerabilities with oscap-podman
- Assessing security compliance of a container image with the PCI-DSS baseline with oscap-podman
- Using Buildah, one of the Red Hat Container Tools, to create a new image with one of the OpenSCAP findings remediated
If you are running containers in your environment, and want to do so more securely, try out the oscap-podman utility. In addition to the video, there is also documentation covering scanning the system for configuration compliance and vulnerabilities, which covers oscap-podman in sections 6.10 and 6.11.
[ Getting started with containers? Check out this free course. Deploying containerized applications: A technical overview. ]