00:00:02,060 --> 00:01:13,053
All right. Next up, code repo scanning. This is not even Docker specific, but there are tools out there, and Snyk is one of them. Snyk will scan your code dependencies inside of repos. If you have open source, if you're developing open source, they will do a lot of this stuff for free. They will scan your GitHub repo, your Bitbucket repo and look at the dependencies. I get reports every week from them on my open source repos and any vulnerabilities they found. Nowadays, GitHub does a lot of this themselves for free as well. Snyk has been around longer and been doing it longer, so I kind of have both. I have GitHub sending me emails and I have Snyk. You can pay Snyk to scan stuff. They also have more features now where they're doing images as well and other things, not just code repos. But that's one line: scan your repos early on in the process. Don't wait until you build images and then have things in CI, you know, in testing, where you're scanning. Scan as early as possible. This is kind of one of the core tenets of something called shift-left security.
00:01:13,054 --> 00:02:25,099
If you imagine a Kanban board where all your work is on the left and your output is on the right, the shift-left security movement, if you just kind of search around for shift-left security, is all about shifting the responsibility of security earlier and earlier in your development workflow. So, one way to do that is to have these automated scanners scanning your code dependencies inside your git repos before you ever even get to the stage of running stuff on servers, right. I would do that. Not specifically a Docker thing, but I would do that. The next step is image scanning itself, which is very similar to that. But we get more features here. We aren't just scanning your code dependencies. We can scan the container itself, the image, right. We can scan all the dependencies there that are not just like your npm packages or your, you know, Python packages. You're now scanning YUM packages, and APK, or apt, or these kinds of package managers for the OS. That's what I mean by an image scanner, because it can scan those as well as your code dependencies. So, there's a lot of tools here.
00:02:25,340 --> 00:03:34,830
A very popular set of them have been around a while, but a couple of new ones have shown up that I want to talk to you about. The first one here is Trivy, and I just learned about this this month, actually in October. Trivy is built by Aqua Security, who is the same company who builds MicroScanner. MicroScanner was one of the tools, along with a lot of other ones, Anchore as well, another popular one. These are all open source tools that scan your image for CVE vulnerabilities. The CVE is that database of all the open source vulnerabilities that we all hear about in the news. It's from Mitre, a company that manages that database. This is a community thing, right. Anytime someone finds a vulnerability in software, they put it in and it gets a CVE number. It's common vulnerability and exploits, something like that. I can't remember exactly what CVE stands for. I'm sure one of you will tell me in chat. But CVE gets a number, right. We see a number assigned to that known bug in the community. A CVE scanner will scan your images for that vulnerability.
00:03:35,520 --> 00:04:44,910
Once you get into the implementation of these, there's all sorts of minutiae, like does the scanner you have need to run in the Docker image during build time? Or does it scan an image that's already built? Does that scanner support your base distribution? Does it support Red Hat? Does it support Alpine? Any sort of other distribution images that you've chosen to use, will it support those? Does it also support your package manager for your app, like npm or pip, or one of the other dozens of package managers out there, right. Does it support those as well? MicroScanner didn't do all of that. It did some of it, but like a lot of these other tools in the ecosystem, they didn't do it all. Right now, this one from Aqua Security called Trivy. Get all the way to the top of this thing. Trivy is claiming they're the most complete open source free scanner out there. Down here, you'll see what they support. You'll notice that they support all these base images.
00:04:45,510 --> 00:05:58,829
Then if you actually go down, there's a comparison showing them comparing to all the other tools, or at least the popular open source versions of these tools. There's definitely more tools than this. There's lots of choices you have to make here. One choice is where do I want to scan? Do I want my image repository to scan them itself, like Docker Enterprise DTR does? Where you have a registry holding your images and that registry runs scans on the images in the registry itself all in one go. Quay does this as well. Quay is a cloud-hosted image repository and it will also scan, right. Each one of these scanners doesn't always scan all image types and all app dependencies. So, it's pretty cool here that they show... basically the X means they don't do it. The 0 or the O there, the circle, means they do do it. Then, I think the double OO here means the best, and the triangle means there's issues, there's concerns there. So, they're kind of claiming that Trivy, which they bought this year, I believe. Trivy does it all. It does OS packages, application dependencies.
00:05:59,250 --> 00:07:03,980
They claim it's easy to use. They claim it's more accurate. If you start reading into this, you realize that one of the big issues that I keep talking about is that Alpine's base image doesn't work with almost all these scanners. It just doesn't have the vulnerability database connected to it properly so that when you run these scanners, it detects vulnerabilities in Alpine. Trivy claims that they fixed that by a new method that they're implementing, and we'll see if other people implement that as well. They claim to be the most complete. A lot of my Docker Captain friends are all saying they're using it and using it great. One of the other decisions, besides which scanner, is where will you scan? I like to scan during image build. I'd rather scan during the CI automated image build than scan it later after the image is built. That's just me. You might even have different systems that scan at different times, just to be safe, right, just to be certain. You might have systems that scan on the servers that are running in production, depending on your environment. That's not very common.
00:07:04,010 --> 00:08:15,010
But, if you're in a super secure environment where you want to scan things running live, you can certainly do that with some of these tools. A demo that I often give is about MicroScanner. Essentially, all you have to do in MicroScanner, as well as this other tool, is in MicroScanner, you can add it into your Dockerfile. I believe with the Trivy app, you scan after the image is built. If you're super paranoid, you might just use MicroScanner inside your Docker image. Then you might run something like Trivy after the fact on the images before they're sent up to the registry, you know. You can always download them later, but I like to know that my image is vulnerability free before I send it up. So, that's what you might do there. Now, I want to just tell you a warning. You're probably not going to have any images, or maybe just a few images, that have zero vulnerabilities across the board. That's just due to the nature of open source. Typically, if you scan any image out there, it's going to have vulnerabilities.
00:08:15,540 --> 00:09:13,350
It's your job to work with your security team on what's acceptable, not "we can never have vulnerabilities." Because certain vulnerabilities may not even apply to you. Just because they're in your image doesn't mean that they're automatically going to be a problem, right. You're going to have to do some work. I think what I would suggest is implementing these now, but turning off the sort of failure of it and saying continue on failure here, which means all I'm going to do is warn you that there's vulnerabilities. I'm not going to stop the build just because there's a vulnerability. This is key, because if you start implementing all these tools automatically, they will fail the process. They'll fail your CI, or they'll fail your builds, if you just turn them on. You want to make sure that you have them in sort of audit-only mode where they don't fail on finding a vulnerability. That way you can at least learn what the vulnerabilities are before you start, you know, before you go hardcore, right? Before you go hardcore.