As developers, we love the flexibility and speed that Docker gives us, but it also means we need to pay close attention to security. Vulnerabilities in our base images can create serious risks, making it essential to have the right tools to catch these issues early. In this post, we’re going to dive into how Harness Open Source can help us detect vulnerabilities in Dockerfile base images. We’ll also look at Chainguard images, which can serve as secure base images with minimal or even no vulnerabilities. Let’s get started!
When you’re building and deploying applications with Docker, security should always be at the top of your mind. Vulnerabilities in base images can open doors for attackers, leading to everything from data leaks to full-blown breaches. That’s why having a solid vulnerability detection process is critical. Harness Open Source provides a way to identify and fix these vulnerabilities before they become a problem, helping us maintain a secure development pipeline.
On top of that, the choice of base images really matters. Chainguard images are designed to be minimal and secure, making them a great choice for developers looking to reduce their risk. By using Chainguard images, you can build your applications on a foundation that prioritizes security, helping you focus on what you do best—building awesome software.
To kick things off, you’ll want to get Harness Open Source up and running. A great starting point is the quick start guide, which will help you set up your environment in no time. Once you’re up and running, you’ll need to import a repository that contains a Dockerfile. Check out the import repository documentation for detailed steps. Just make sure your repository has a Dockerfile located at the root.
Now, let’s dive into the pipeline that will help us identify vulnerabilities in our Dockerfile’s base images. This pipeline does a couple of critical things:
To set this up, you’ll first need to create a unique webhook URL to receive notifications. A simple way to do this is by visiting webhook.site and copying the generated URL. Once you have that, make sure to add it as a secret in your Harness project under the name webhook_url.
version: 1
kind: pipeline
spec:
stages:
- name: dockerfile-vuln-check
type: ci
spec:
steps:
- name: dockerfile-vuln-scan
type: run
spec:
container: alpine
script: |
apk add --no-cache curl
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /tmp/grype-bin
# Extract all base images from the Dockerfile
BASE_IMAGES=$(grep '^FROM' Dockerfile | awk '{print $2}')
# Check if any base images were found
if [ -z "$BASE_IMAGES" ]; then
echo "No base images found in Dockerfile."
exit 1
fi
# Loop through and scan each base image
echo "Running vulnerability scan on base images..."
for IMAGE in $BASE_IMAGES; do
echo "$IMAGE"
/tmp/grype-bin/grype $IMAGE --fail-on critical
done
echo "Base image vulnerability scan is completed!"
- name: notify
type: plugin
when: failure()
spec:
name: webhook
inputs:
content_type: application/json
urls: ${{ secrets.get("webhook_url") }}
template: |
Name: ⚠ Dockerfile Vulnerability Alert ⚠
Repo Name: {{ repo.name }}
Build Number {{ build.number }}
Build Event: {{ build.event }}
Build Link: {{build.link}}
Now, it’s time to take action! Consider swapping out your vulnerable base images with compatible ones from Chainguard, which are designed with security in mind. You can browse available images at the Chainguard image registry. A sample pipeline execution is shown below, where the notify step didn’t run because the previous step didn’t fail due to the use of Chainguard images.
To ensure continuous monitoring of vulnerabilities in your Dockerfile base images, you can set up a cron job to run your pipeline at regular intervals. This automation can help you stay proactive about security without manual intervention. Here’s how to set it up on your operating system:
Edit your crontab file. Enter the following command to open your crontab for editing:
crontab -e
2. Add a cron job. You can check out the Swagger API to find the command for pipeline execution. To set up your pipeline to run every day at a specific time (for example, 2 AM), add the following line to your crontab:
0 2 * * * curl -X 'POST' 'http://localhost:3000/api/v1/repos/YOUR_PROJECT_NAME%2FYOUR_REPO_NAME/pipelines/YOUR_PIPELINE_NAME/executions?branch=BRANCH_NAME' -H 'accept: application/json' -H "Authorization: Bearer YOUR_TOKEN"
3. Explanation of the cron syntax: 0 2 * * * indicates the job will run at 2:00 AM every day.
4. Replace YOUR_PROJECT_NAME, YOUR_REPO_NAME, YOUR_PIPELINE_NAME, BRANCH_NAME, and YOUR_TOKEN with your actual project details and authorization token.
5. Save and exit. After adding the cron job, save your changes and exit the editor. The new cron job will now be scheduled to run at the specified time.
Make sure you set up this cron job on the same machine where your Harness Open Source instance is running. By doing so, you ensure that your pipeline runs automatically, continuously scanning for vulnerabilities and sending alerts as needed. This practice helps maintain a secure development environment with minimal effort on your part.
Harness Open Source can scan for secrets with Gitleaks, scan container images for vulnerabilities with Grype, and provide a more secure build with Chainguard images. Be sure to check out the documentation and our YouTube videos for more insights on enhancing your development practices!