Aqua’s New MicroScanner: Free Image Vulnerability Scanner for Developers


At Aqua we’ve been working on a new, free-to-use tool for scanning your container images for package vulnerabilities. MicroScanner uses the same vulnerability database as Aqua’s best-in-class commercial scanner, so you’re getting top-notch results.

The main difference between MicroScanner and our commercial offering is that it runs during the build steps specified within your Dockerfile, like so:

ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
RUN /microscanner <TOKEN>

These three commands download the MicroScanner binary, give it permission to be executed, and run it over the contents of the container image file system at that stage. (You’ll need a token which you get by registering.)

If MicroScanner finds a high-severity vulnerability, it returns a non-zero exit code (as well as reporting the details in JSON format), and that in turn fails the image build. There’s a --continue-on-failure flag in case you want to press on regardless of vulnerabilities.

The Aqua Scanning Advantage

A container image scanner looks at the software packages included in the image file system, and checks them against a (very long) list of packages with known vulnerabilities - typically the NVD. There are several free and paid options for vulnerability scanning in container images, so you might rightly ask what’s so special about Aqua’s offering.

The main concern is false positives. There are differences in the way different Linux distributions manage software packages, and how they choose to back-apply security fixes, which the NVD doesn’t keep track of. A given distribution might use version X.Y of a package from a third-party developer, which the NVD says has a vulnerability, but because the distro also applied a patch to that version (so they are actually using X.Y+patch), the vulnerability is not actually present. Come along to my talk at Velocity in San Jose to hear more details about this problem, including examples.


If your image scanner doesn’t know about these patches, it might report vulnerabilities that aren’t present, leading you to either (a) panic, or (b) get so fatigued by high-severity reports that you stop checking them, and miss the occasion when a real issue occurs.

Aqua’s scanner - which is the same whether you’re using MicroScanner or our full Container Security Platform - looks at many sources, such as the distributions’ own security advisories, and information from software developers themselves, to keep track of these differences, and our Research Team does a tremendous job of manual checks to further eliminate false positives, and false negatives too - a less common, but important, occurrence.
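To make the backport problem concrete, here is an added example (my own illustration, not MicroScanner's code) that contrasts an NVD-only check with an advisory-aware one. Every package name, CVE id, version and advisory below is constructed for the illustration; the version comparison follows dpkg's algorithm so that a distro revision such as `1.0.1t-1+deb8u7` is ordered correctly against the fixed version the distro's advisory names.

```python
# Added example (not MicroScanner's code): why NVD-only matching produces false
# positives on distributions that backport fixes, and how advisory data removes them.
# All package, CVE and version values below are constructed for illustration.


def _order(c: str) -> int:
    """dpkg's character ordering: '~' sorts before everything, even end of string."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does (alternating
    non-digit and digit runs). Negative means a < b, positive a > b."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_deb_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_deb_versions(v1: str, v2: str) -> int:
    """Full Debian version comparison: epoch, then upstream, then revision."""
    e1, u1, r1 = split_deb_version(v1)
    e2, u2, r2 = split_deb_version(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


# Constructed NVD-style record: upstream says every version below 1.0.2 is affected.
NVD_RECORDS = {"CVE-0000-0001": {"package": "openssl", "affects_below": "1.0.2"}}

# Constructed distro advisory: the distro fixed the CVE in its own backported build.
DISTRO_ADVISORIES = {("openssl", "CVE-0000-0001"): "1.0.1t-1+deb8u6"}


def naive_match(pkg_name: str, pkg_version: str, cve: str) -> bool:
    """NVD-only check: looks at the upstream part of the version and nothing else."""
    rec = NVD_RECORDS[cve]
    upstream = split_deb_version(pkg_version)[1]
    return pkg_name == rec["package"] and _verrevcmp(upstream, rec["affects_below"]) < 0


def advisory_aware_match(pkg_name: str, pkg_version: str, cve: str) -> bool:
    """Prefer the distro's fixed version, which carries the backport revision;
    fall back to the NVD range only when no advisory is known."""
    fixed = DISTRO_ADVISORIES.get((pkg_name, cve))
    if fixed is None:
        return naive_match(pkg_name, pkg_version, cve)
    return compare_deb_versions(pkg_version, fixed) < 0


if __name__ == "__main__":
    for installed in ("1.0.1t-1+deb8u7", "1.0.1t-1+deb8u5"):
        print(installed,
              "naive:", naive_match("openssl", installed, "CVE-0000-0001"),
              "advisory-aware:", advisory_aware_match("openssl", installed, "CVE-0000-0001"))
```

Run as-is, the first package (`deb8u7`, later than the advisory's `deb8u6`) is flagged by the naive check but cleared by the advisory-aware one; the second (`deb8u5`) is flagged by both, which is the true positive you want to keep.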

With MicroScanner, you get free access to this combination of data sources and expertise.

Show Me the Output

Here’s an example Dockerfile for scanning mongo:3.2.1, which is an old version that conveniently includes lots of high-severity issues that we can use for illustration purposes:

$ cat examples/Dockerfile.fail2
FROM mongo:3.2.1
ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
ARG token
RUN /microscanner ${token}

Building this image fails as follows:

$ docker build --build-arg token=$MICROSCANNER_TOKEN -f Dockerfile.fail . > mongo.out
The command '/bin/sh -c /microscanner ${token}' returned a non-zero code: 4

I sent the output to a file, which includes lots of JSON describing the vulnerabilities, for example:

[Screenshot: an example vulnerability entry from the JSON output]

There is also a summary showing the extent of the problems in this particular image:

[Screenshot: summary of the vulnerabilities found in the image]

Because the build failed, Docker didn’t generate an image. You could use this as part of a CI/CD process to ensure that images are only created if they won’t contain known high-severity problems.
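The scanner's own exit code already fails the build on any high-severity finding. If you run it with --continue-on-failure instead and want to apply a policy of your own to the JSON in the captured build output (for example, block only on highs the distribution has already shipped a fix for, so an unfixable issue stays visible without stalling every build), the following added example shows one way to do that. It is my own illustration, not MicroScanner's code: the report structure it parses (per-package "resources" carrying "vulnerabilities", plus a "vulnerability_summary") and the field names are an assumption about the scanner's output, and the embedded build log with its CVE ids and versions is constructed. Check the field names against a real report before relying on it.

```python
import json
import sys
from collections import Counter

# Added example (not MicroScanner's code): apply your own gating policy to the
# scanner's JSON report after a `docker build ... > build.log` run.
# ASSUMPTION: the report is one JSON object with "resources" (one per package),
# each carrying "vulnerabilities", plus a "vulnerability_summary". Field names
# are assumed, not taken from the scanner's documentation.
# The build log below, including its CVE ids and versions, is constructed.
SAMPLE_BUILD_OUTPUT = (
    "Step 5/5 : RUN /microscanner ${token}\n"
    + json.dumps({
        "os": "debian", "version": "8.2",
        "resources": [
            {"resource": {"format": "deb", "name": "openssl", "version": "1.0.1t-1+deb8u2"},
             "vulnerabilities": [
                 {"name": "CVE-0000-0001", "nvd_severity": "high", "fix_version": "1.0.1t-1+deb8u6"},
                 {"name": "CVE-0000-0002", "nvd_severity": "medium", "fix_version": ""}]},
            {"resource": {"format": "deb", "name": "libc6", "version": "2.19-18+deb8u4"},
             "vulnerabilities": [
                 {"name": "CVE-0000-0003", "nvd_severity": "high", "fix_version": ""}]}],
        "vulnerability_summary": {"total": 3, "high": 2, "medium": 1, "low": 0},
    })
    + "\nThe command '/bin/sh -c /microscanner ${token}' returned a non-zero code: 4\n"
)


def extract_report(build_output: str) -> dict:
    """Pull the scanner's JSON document out of mixed `docker build` output.
    Tries each '{' in turn, so the '${token}' in the Step line is skipped."""
    decoder = json.JSONDecoder()
    start = build_output.find("{")
    while start != -1:
        try:
            obj, _ = decoder.raw_decode(build_output[start:])
            if isinstance(obj, dict) and "resources" in obj:
                return obj
        except json.JSONDecodeError:
            pass
        start = build_output.find("{", start + 1)
    raise ValueError("no scanner report found in build output")


def load_findings(report: dict) -> list:
    """Flatten the report into one row per (package, vulnerability)."""
    rows = []
    for res in report.get("resources", []):
        pkg = res.get("resource", {})
        for v in res.get("vulnerabilities", []):
            rows.append({
                "package": pkg.get("name", "?"),
                "installed": pkg.get("version", "?"),
                "cve": v.get("name", "?"),
                "severity": (v.get("nvd_severity") or "unknown").lower(),
                "fix_version": v.get("fix_version") or None,
            })
    return rows


def severity_counts(rows: list) -> Counter:
    return Counter(r["severity"] for r in rows)


def policy_violations(rows: list, fail_on=("high",), require_fix=True) -> list:
    """Findings that should fail the pipeline. With require_fix=True only
    vulnerabilities the distro has already shipped a fix for count."""
    return [r for r in rows
            if r["severity"] in fail_on and (r["fix_version"] or not require_fix)]


def format_report(rows: list) -> str:
    lines = []
    for r in sorted(rows, key=lambda r: (r["severity"] != "high", r["package"])):
        fix = f"fix in {r['fix_version']}" if r["fix_version"] else "no fix yet"
        lines.append(f"{r['severity']:<8} {r['cve']:<14} {r['package']} {r['installed']} ({fix})")
    return "\n".join(lines)


def main(argv: list) -> int:
    """Usage: python gate.py build.log  (falls back to the constructed sample)."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_BUILD_OUTPUT
    rows = load_findings(extract_report(text))
    print(format_report(rows))
    print("summary:", dict(severity_counts(rows)))
    violations = policy_violations(rows)
    if violations:
        print(f"FAIL: {len(violations)} high-severity finding(s) with a fix available")
        return 1
    print("PASS")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the script fails the pipeline on the one fixable high (the openssl entry) and lists the unfixable libc6 high in the report without counting it; pass require_fix=False to policy_violations if you want every high to block, which matches the scanner's own default behaviour.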


How Does MicroScanner Compare with Aqua’s Commercial Version?

The MicroScanner approach requires you to modify your Dockerfiles for every image that you want to scan - which is probably an acceptable limitation for individual contributors but may not be appropriate for enterprise-wide use.

In the Aqua Container Security Platform, scanning is integrated into the central management console, and integrates with private and on-premise registries. Our paying customers get to scan images that are already built, and scanning can be triggered separately from the build step both as part of a CI/CD system and as part of regular scans checking for new vulnerabilities, without rebuilding the images. They can of course also run scans on images built by a third party.

In Aqua CSP there are additional scanning capabilities available beyond scanning installed packages - for example, it can report on sensitive information like passwords or keys, or known malware included in the image.

Finally, image scanning is just one small part of the Aqua CSP - it also provides runtime security, image policy assurance, container firewalling, compliance tools and more.

How Do I Try MicroScanner?

All the information you need is on GitHub, where we also welcome feedback and reports of any issues.
