November 6, 2024

Secure Builds from Vulnerability Detection: Harness Open Source and Chainguard Images for Dockerfiles

Table of Contents

As developers, we love the flexibility and speed that Docker gives us, but it also means we need to pay close attention to security. Vulnerabilities in our base images can create serious risks, making it essential to have the right tools to catch these issues early. In this post, we’re going to dive into how Harness Open Source can help us detect vulnerabilities in Dockerfile base images. We’ll also look at Chainguard images, which can serve as secure base images with minimal or even no vulnerabilities. Let’s get started!

Why This Matters

When you’re building and deploying applications with Docker, security should always be at the top of your mind. Vulnerabilities in base images can open doors for attackers, leading to everything from data leaks to full-blown breaches. That’s why having a solid vulnerability detection process is critical. Harness Open Source provides a way to identify and fix these vulnerabilities before they become a problem, helping us maintain a secure development pipeline.

On top of that, the choice of base images really matters. Chainguard images are designed to be minimal and secure, making them a great choice for developers looking to reduce their risk. By using Chainguard images, you can build your applications on a foundation that prioritizes security, helping you focus on what you do best—building awesome software.

Getting Started with Harness Open Source

To kick things off, you’ll want to get Harness Open Source up and running. A great starting point is the quick start guide, which will help you set up your environment in no time. Once you’re up and running, you’ll need to import a repository that contains a Dockerfile. Check out the import repository documentation for detailed steps. Just make sure your repository has a Dockerfile located at the root.

Dockerfile Vulnerability Scanner Pipeline

Now, let’s dive into the pipeline that will help us identify vulnerabilities in our Dockerfile’s base images. This pipeline does a couple of critical things:

  1. Scans Base Images: It scans all base images specified in the Dockerfile using Grype, a powerful vulnerability scanner. If any critical vulnerabilities are found, we want to know about them right away!
  2. Sends Notifications: If a critical vulnerability is detected, the pipeline sends a notification to a specified webhook so you can take immediate action.

To set this up, you’ll first need to create a unique webhook URL to receive notifications. A simple way to do this is by visiting webhook.site and copying the generated URL. Once you have that, make sure to add it as a secret in your Harness project under the name webhook_url.

version: 1
kind: pipeline
spec:
  stages:
    - name: dockerfile-vuln-check
      type: ci
      spec:
        steps:
          - name: dockerfile-vuln-scan
            type: run
            spec:
              container: alpine
              script: |
                apk add --no-cache curl
                curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /tmp/grype-bin

                # Extract all base images from the Dockerfile
                BASE_IMAGES=$(grep '^FROM' Dockerfile | awk '{print $2}')

                # Check if any base images were found
                if [ -z "$BASE_IMAGES" ]; then
                  echo "No base images found in Dockerfile."
                  exit 1
                fi

                # Loop through and scan each base image
                echo "Running vulnerability scan on base images..."
                for IMAGE in $BASE_IMAGES; do
                  echo "$IMAGE"
                  /tmp/grype-bin/grype $IMAGE --fail-on critical
                done

                echo "Base image vulnerability scan is completed!"
          - name: notify
            type: plugin
            when: failure()
            spec:
              name: webhook
              inputs:
                content_type: application/json
                urls: ${{ secrets.get("webhook_url") }}
                template: |
                  Name: ⚠ Dockerfile Vulnerability Alert ⚠
                  Repo Name: {{ repo.name }}
                  Build Number {{ build.number }}
                  Build Event: {{ build.event }}
                  Build Link: {{build.link}}
Dockerfile Vulnerability Scan Pipeline Execution
Pipeline Notification on Vulnerability

Take Action with Chainguard Images and Harness Open Source

Now, it’s time to take action! Consider swapping out your vulnerable base images with compatible ones from Chainguard, which are designed with security in mind. You can browse available images at the Chainguard image registry. A sample pipeline execution is shown below, where the notify step didn’t run because the previous step didn’t fail due to the use of Chainguard images.

No vulnerabilities found with Chainguard images

Run This Pipeline as a Cron Job

To ensure continuous monitoring of vulnerabilities in your Dockerfile base images, you can set up a cron job to run your pipeline at regular intervals. This automation can help you stay proactive about security without manual intervention. Here’s how to set it up on your operating system:

  1. Open your terminal. Depending on your OS, you can access your terminal as follows:
    • Linux/macOS: Open the Terminal application.
    • Windows: Use Windows Subsystem for Linux (WSL) or Git Bash.

Edit your crontab file. Enter the following command to open your crontab for editing:

crontab -e

2. Add a cron job. You can check out the Swagger API to find the command for pipeline execution. To set up your pipeline to run every day at a specific time (for example, 2 AM), add the following line to your crontab:

0 2 * * * curl -X 'POST' 'http://localhost:3000/api/v1/repos/YOUR_PROJECT_NAME%2FYOUR_REPO_NAME/pipelines/YOUR_PIPELINE_NAME/executions?branch=BRANCH_NAME' -H 'accept: application/json' -H "Authorization: Bearer YOUR_TOKEN"

3. Explanation of the cron syntax: 0 2 * * * indicates the job will run at 2:00 AM every day.

4. Replace YOUR_PROJECT_NAME, YOUR_REPO_NAME, YOUR_PIPELINE_NAME, BRANCH_NAME, and YOUR_TOKEN with your actual project details and authorization token.

5. Save and exit. After adding the cron job, save your changes and exit the editor. The new cron job will now be scheduled to run at the specified time.

Make sure you set up this cron job on the same machine where your Harness Open Source instance is running. By doing so, you ensure that your pipeline runs automatically, continuously scanning for vulnerabilities and sending alerts as needed. This practice helps maintain a secure development environment with minimal effort on your part.

Build on Harness Open Source

Harness Open Source can scan for secrets with Gitleaks, scan container images for vulnerabilities with Grype, and provide a more secure build with Chainguard images. Be sure to check out the documentation and our YouTube videos for more insights on enhancing your development practices!

No items found.
No items found.
No items found.