Container Security
Caution
This page describes changes that are being rolled out in waves. Contact your support agent to determine whether this functionality is available in your environment.
All changes described in this document relate only to Checkmarx One accounts. For SCA standalone users, container scan functionality remains unchanged; see Container Scans.
Decoupling Container Security from SCA
For Checkmarx One users, the container scanning engine now functions independently from SCA. This affects how scans are triggered as well as how the results are shown. The new Container Security scanner is easier to use and provides improved functionality. A table showing the workflow changes can be viewed here.
Key Improvements
Simplified workflow - Scanning of built images is now done in the cloud, with no need to install additional tools.
Results viewer - Improved results viewer in the web application enables easy navigation to view package and vulnerability info for specific base images and layers.
Triage vulnerabilities - Change State, Severity level and risk score of vulnerabilities and add comments.
Remediation recommendations - Shows alternative versions of base images with fewer vulnerabilities.
In addition to vulnerable packages, this scanner also identifies malicious packages.
User permissions - Full support for granular user permissions.
Runtime usage - Prioritize remediation efforts based on runtime usage data, obtained via integration with Sysdig.
Scan Risk Report - Scan risk reports now contain a dedicated section for containers. This includes customized container data such as breakdown of images and layers in each scanned file.
Policy Management - You can now create customized policies for Container Security results based on a series of conditions and condition groups. These policies make it easy to identify projects that don't comply with your organization's security standards.
Custom Filters - Container Security has a specialized set of filter settings that enable users to configure their scans for precision and relevance. Filters can be applied to files, folders, packages and images. You can also limit the scan to include only final deployable images.
Container Security Overview
The Container Security scanner scans the Dockerfiles in your project to identify the container images used in your project and the risks associated with those images. Checkmarx extracts all layers of each public base image located in the Dockerfile, and identifies the packages used by each layer. In addition to scanning the Dockerfile itself, we also scan the image that is created from the Dockerfile, using the Syft open source tool. This enables greater visibility into all packages used in the image for all languages supported by Checkmarx SCA as well as many non-supported languages (e.g., Dart, Haskell, Swift etc.).
In addition, you can use the Checkmarx One CLI tool to submit specific images from public or private registries for analysis.
Images in Files
Dockerfile base images
Helm charts and yaml/yml files
Docker-compose file images
Private Images
Scan images directly from private registries (using Checkmarx One CLI)
Runtime Images (Containers)
Integration with Sysdig for runtime analysis
Running Container Security Scans
A container scan can be triggered by selecting the Container Security scanner when initiating a scan via the web application, CLI or API. This will scan the Dockerfile in your project. When you run a scan via the CLI, there is an additional option to specify a specific image to be scanned from a public or private repository.
Running Scans via the Web Application
Follow the normal procedure for running a scan, making sure that the Container Security scanner is selected.
Running Container Security Scans via the CLI
When running scans via the CLI you can choose to scan the project files in order to analyze the Dockerfile in your project or you can submit specific images for scanning.
Authentication for Scanning Private Repos
In order to access private repos you need to be authenticated in your container repo at the time that you run the scan via Checkmarx One CLI.
Notice
In addition, even when using public repos in DockerHub there is an advantage to authenticating your user in order to avoid the limits that apply to anonymous requests to public repos.
Authentication can be done via Docker or Podman.
Before running the scan, it is recommended to verify that you are able to access the image on your local machine.
For details about authentication for specific registries, see Additional Info About Specific Registries.
Scan Procedure
Run the scan create command with all required parameters, and specify container-security in the --scan-types flag:
./cx scan create --project-name <Project Name> -s <Repository URL> --branch <branch name> --scan-types container-security
If you would like to apply filters, you can configure the specialized Container Security filters as described in Filters for Container Security Scanner.
If you want to scan only specific images (not an entire project), do the following:
Notice
In the context of scanning a specific image, the -s parameter isn't actually relevant. However, it is a required parameter, which requires the following workaround. Similarly, when scanning an image, the --branch parameter doesn't represent an actual repo branch; rather, you should assign a name that represents this scan in the system.
Create a "dummy" folder (for use in the -s parameter) and give it a name that indicates that it is used for scanning images, e.g., scan_ecr_image.
In the CLI scan command, for the -s parameter give the path to the "dummy" folder that you created, e.g., /Users/DemoUser/scan_ecr_image.
Add the --container-images flag followed by a comma separated list of images. Specify each image using the following syntax: {image_name}:{image_tag}.
./cx scan create --project-name <Project Name> -s <Repository URL> --branch <branch name> --scan-types container-security --container-images "mycompany/myimage:myimagetag"
Notice
For the syntax for images in specific registries, see Additional Info About Specific Registries.
Running Scans via API
You can run a Container Security scan using POST /scans. In the config section, specify the type as containers.
Warning
When running the Container Security scanner together with SCA, it is recommended to include the SCA config enableContainersScan and set it to false.
Sample request body:
{
  "type": "git",
  "handler": {
    "repoUrl": "https://github.com/myOrg/demorepo",
    "branch": "demoBranch"
  },
  "project": {
    "id": "71eacb3b-ae1d-4961-a96f-2b8593ff3dc7",
    "tags": {}
  },
  "config": [
    { "type": "sca", "value": { "enableContainersScan": "false" } },
    { "type": "containers", "value": {} }
  ],
  "tags": {}
}
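The following is an added example, not Checkmarx code: it builds a POST /scans body for a chosen set of scanner types and checks an existing body for the two mistakes this section warns about (no containers entry, or SCA present without enableContainersScan set to "false"). The project id is a constructed placeholder.

```python
import json

# Placeholder project id (constructed, not a real Checkmarx One project).
PROJECT_ID = "00000000-0000-0000-0000-000000000000"


def build_scan_request(repo_url, branch, project_id, scanners):
    """Build a POST /scans request body for the listed scanner types.

    Each scanner type becomes one "config" entry. When "sca" and "containers"
    are both requested, the SCA entry gets enableContainersScan set to the
    string "false", as this page recommends, so that SCA's own container
    scanning is off and the dedicated Container Security scanner handles images.
    """
    config = []
    for scanner in scanners:
        value = {}
        if scanner == "sca" and "containers" in scanners:
            value["enableContainersScan"] = "false"
        config.append({"type": scanner, "value": value})
    return {
        "type": "git",
        "handler": {"repoUrl": repo_url, "branch": branch},
        "project": {"id": project_id, "tags": {}},
        "config": config,
        "tags": {},
    }


def check_scan_request(body):
    """Return the problems found in an existing request body (empty list if fine)."""
    problems = []
    entries = body.get("config", [])
    types = [entry.get("type") for entry in entries]
    if "containers" not in types:
        problems.append("no 'containers' config entry: Container Security will not run")
    if "sca" in types and "containers" in types:
        sca_value = next(e for e in entries if e.get("type") == "sca").get("value", {})
        if str(sca_value.get("enableContainersScan", "")).lower() != "false":
            problems.append('sca config should set enableContainersScan to "false"')
    return problems


if __name__ == "__main__":
    request = build_scan_request("https://github.com/myOrg/demorepo", "demoBranch",
                                 PROJECT_ID, ["sca", "containers"])
    print(json.dumps(request, indent=2))
    print("problems:", check_scan_request(request))
```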
Applying Filters
Checkmarx One offers robust filter settings to enhance container security by enabling users to configure their scans for precision and relevance. Below is an overview of the four available filter settings, designed to reduce noise and focus on critical vulnerabilities in your scans.
These filters can be applied either on the account level or for specific projects.
Notice
These filters can also be added in the scan create command in the CLI; see Filters for Container Security Scanner.
To apply filters on the account level, go to Global Settings > Container Security section.
To apply filters to a specific project, go to the project page > Settings tab and add a Rule for Container Security, specifying the filter details.
The following table provides an overview of the functionality of each filter. Additional details about the usage and syntax of these filters are available in Filter Usage Details.
Filter name | Description | Syntax |
---|---|---|
Package Regex Filter | Prevent sensitive packages from being sent to the cloud for analysis. Exclude packages by package name or file path using regex. Tip: Excluded packages will nonetheless appear in the scan results. However, no vulnerabilities will be identified in those packages since their info wasn't sent to the cloud for analysis. | Regex |
Folder/file filter | Specify files and folders to be included in (allow list) or excluded from (block list) scans. You can create complex filters that combine include and exclude patterns. | Tip: You can submit multiple items separated by a comma. |
Image/tag filter | Include or exclude images by image name and/or tag. | Tip: You can use a wildcard (*) at the beginning, end or both. |
Exclude non-final stages filter | Exclude all images that are not from the final stage of the build process, so that only the final deployable image is scanned. Tip: Only supported for Dockerfile images. | True - apply filter; False - don't apply filter |
Policy Management
In the context of the Checkmarx One Policy Management feature, there are specialized conditions related to the Container Security scanner that can be used to create policy rules. For more info, see Container Security Conditions.
Additional Info About Specific Registries
This section provides additional info about how to scan images from an AWS ECR registry.
Authentication for AWS ECR
Before running scans via the CLI, make sure that your AWS IAM user is authenticated, and that the token is in the credentials file (AWS_SESSION_TOKEN) as explained here. If you are scanning images in a different region, make sure that the region is correctly configured in the credentials file (REGION).
Obtaining the Image Name and Tag for an AWS ECR Image
The value submitted for the --images parameter for AWS ECR uses the following syntax: {repository_uri}:{image_tag}.
The following procedure describes how to obtain these values via the CLI.
To obtain the repository URI, run the CLI command aws ecr describe-repositories --repository-name {your_repo_name}, and make a note of the value returned for repositoryUri.
Example for repo named "container-comparer"
To obtain the image tags of the images in the repo, run the CLI command aws ecr list-images --repository-name {your_repo_name}, and make a note of the value returned for imageTag for the desired image.
Example for repo named "container-comparer"
Run the CLI command with the --images flag specifying the desired images using the syntax {repository_uri}:{image_tag}. For example:
--images 006765415138.dkr.ecr.us-east-1.amazonaws.com/container-comparer:2021.10.18.1155-8aefe81
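As an added example (not part of the Checkmarx documentation or tooling), the script below assembles the --images value from the JSON that the two aws ecr commands above print, using constructed sample output with a placeholder account id and digests. It skips untagged images, which list-images reports with an imageDigest but no imageTag, and rejects requested tags that are not in the repository.

```python
import json

# Constructed sample output modelled on `aws ecr describe-repositories`;
# the account id 123456789012 is a placeholder, not a real account.
DESCRIBE_REPOSITORIES_OUTPUT = """{
  "repositories": [
    {"repositoryName": "container-comparer",
     "repositoryUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/container-comparer"}
  ]
}"""

# Constructed sample output modelled on `aws ecr list-images`; the third
# entry is an untagged image, which only carries a digest.
LIST_IMAGES_OUTPUT = """{
  "imageIds": [
    {"imageDigest": "sha256:" + "1" * 64, "imageTag": "2021.10.18.1155-8aefe81"},
    {"imageDigest": "sha256:" + "2" * 64, "imageTag": "latest"},
    {"imageDigest": "sha256:" + "3" * 64}
  ]
}""".replace('"sha256:" + "1" * 64', '"sha256:' + "1" * 64 + '"') \
   .replace('"sha256:" + "2" * 64', '"sha256:' + "2" * 64 + '"') \
   .replace('"sha256:" + "3" * 64', '"sha256:' + "3" * 64 + '"')


def repository_uri(describe_json, repo_name):
    """Return the repositoryUri for repo_name from describe-repositories output."""
    for repo in json.loads(describe_json)["repositories"]:
        if repo["repositoryName"] == repo_name:
            return repo["repositoryUri"]
    raise KeyError(f"repository {repo_name!r} not found")


def image_tags(list_json):
    """Return the tags from list-images output, skipping untagged images."""
    return [i["imageTag"] for i in json.loads(list_json)["imageIds"] if "imageTag" in i]


def images_argument(describe_json, list_json, repo_name, wanted_tags=None):
    """Build the comma separated --images value as {repository_uri}:{image_tag}."""
    uri = repository_uri(describe_json, repo_name)
    tags = image_tags(list_json)
    if wanted_tags is not None:
        missing = sorted(set(wanted_tags) - set(tags))
        if missing:
            raise ValueError(f"tags not present in {repo_name!r}: {missing}")
        tags = [t for t in tags if t in wanted_tags]
    return ",".join(f"{uri}:{tag}" for tag in tags)
```

The same value is passed to --container-images when scanning with the cx scan create command shown earlier on this page.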
Configuring Environment Variables for AWS ECR
The Checkmarx One CLI is configured to scan your AWS ECR repo assuming that the default values/paths are in use. If the “credentials” file is in the default AWS path, and you are using the “default” profile, then no action is needed. If you have changed these settings, then you need to configure the following environment variables.
AWS_PROFILE (default value: “default”)
Note
You can configure multiple profiles, e.g., for different environments.
AWS_CONFIG_FILE (default path: “~/.aws/config”)
AWS_SHARED_CREDENTIALS_FILE (default path: “~/.aws/credentials”)
Example of Credentials File
File "~/.aws/credentials"
[default]
aws_access_key_id=ASI
aws_secret_access_key=abcd
region=us-west-1
aws_session_token=Absd
[prod]
aws_access_key_id=AKI
aws_secret_access_key=xyz
region=us-west-1
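The following added example (not from Checkmarx) is a preflight check for the settings this section describes: it resolves AWS_PROFILE, AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE with the same defaults the CLI assumes, then inspects a credentials file for the chosen profile, reporting a missing profile, missing keys, a missing session token and a region that does not match the image's region. The credentials text is a constructed sample with dummy values.

```python
import configparser

# Constructed sample credentials file modelled on the one above; the key
# values are dummy placeholders, not real credentials.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id=ASIAEXAMPLE
aws_secret_access_key=abcd
region=us-west-1
aws_session_token=Absd

[prod]
aws_access_key_id=AKIAEXAMPLE
aws_secret_access_key=xyz
region=us-west-1
"""


def resolve_settings(env):
    """Apply the defaults the CLI assumes when the variables are unset."""
    return {
        "profile": env.get("AWS_PROFILE", "default"),
        "config_file": env.get("AWS_CONFIG_FILE", "~/.aws/config"),
        "credentials_file": env.get("AWS_SHARED_CREDENTIALS_FILE", "~/.aws/credentials"),
    }


def check_profile(credentials_text, profile, image_region=None):
    """Return the problems that would stop an ECR scan using this profile."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    if not parser.has_section(profile):
        return [f"profile [{profile}] not found in credentials file"]
    section = parser[profile]
    problems = []
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not section.get(key):
            problems.append(f"[{profile}] is missing {key}")
    if not section.get("aws_session_token"):
        # Temporary IAM credentials need the session token in the file.
        problems.append(f"[{profile}] has no aws_session_token")
    if image_region and section.get("region") != image_region:
        problems.append(f"[{profile}] region {section.get('region')!r} "
                        f"does not match image region {image_region!r}")
    return problems
```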
This section provides additional info about how to scan images from a GAR registry.
Authentication for GAR
Before running scans via the CLI, make sure that you are authenticated in GAR. You can test this by running the docker pull command for the desired image. Learn about possible authentication methods here.
The recommended authentication is using gcloud.
To authenticate using gcloud:
If it is the first time that you are pulling images, run the following command on your machine:
gcloud auth configure-docker us-docker.pkg.dev
Notice
This command assumes that you are using the US region of GAR. If you are using a different region, then replace "us" with the name of your region.
Obtaining the Image Name and Tag for a GAR Image
The value submitted for the --images parameter for GAR uses the following syntax: {gar_region}-docker.pkg.dev/{project_id}/{image_name}:{image_tag}.
Obtain the values needed to identify this image.
Run the CLI command with the --scan-containers flag, and add the --images flag specifying the desired images using the syntax {gar_region}-docker.pkg.dev/{project_id}/{image_name}:{image_tag}. For example:
--images us-docker.pkg.dev/symbolic-eye-1234/quickstart-image:tag1
This section provides additional info about how to scan images from a GCR registry.
Authentication for GCR
Before running scans via the CLI, make sure that you are authenticated in GCR. You can test this by running the docker pull command for the desired image. Learn about possible authentication methods here.
The recommended authentication is using gcloud.
To authenticate using gcloud:
Log in to gcloud as the user that will run Docker commands and run the command gcloud auth login.
Configure Docker using the following command: gcloud auth configure-docker.
Your credentials are saved in your user home directory.
Linux: $HOME/.docker/config.json
Windows: %USERPROFILE%/.docker/config.json
Obtaining the Image Name and Tag for a GCR Image
The value submitted for the --images parameter for GCR uses the following syntax: gcr.io/{project_id}/{image_name}:{image_tag}.
Obtain the value needed to identify this image. The following is one possible method for obtaining this info:
Open GCR in the Google Cloud portal and navigate to the image and tag of the desired image. Then, in the PULL tab, copy the value given in the Pull by tag snippet (without the "docker pull" command).
Run the CLI command with the --images flag specifying the desired images using the syntax gcr.io/{project_id}/{image_name}:{image_tag}. For example:
./ScaResolver -s /Users/DemoUser/scan_gcr_image -n DemoImageScan -a Checkmarx -u jack -p 'demo123!' --scan-containers --images gcr.io/symbolic-eye-1234/quickstart-image:tag1