Working with several customers who are heavy adopters of Docker containers, we've seen environments where thousands of Docker images are built almost daily. Organizations that fully commit to continuous integration push every developer commit through the image build process, so images change constantly. Before those images are deployed, each one must be scanned for vulnerabilities. But how do you scan thousands of images in a short time, again and again?
The video below shows how we scan 1,000 images for vulnerabilities in 12 minutes and 30 seconds.
We run many scanners in parallel and queue the images so they are distributed across this pool of scanners. The scanners are spun up automatically and spun down again when the scan is finished, all orchestrated using Kubernetes.
Some of you may want to know the details:
We ran this on Google Cloud, launching 200 Kubernetes nodes with 2 Aqua scanners running as containers on each node, for 400 concurrent scans. The machine type used in this demo was n1-standard-1 (1 vCPU, 3.75 GB memory).
The beauty of this system is that it scales up and down as needed. You can cap the number of nodes running simultaneously to trade scan time against cost, while still meeting the scanning requirements at peak build times.
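The fan-out pattern described above can be expressed with a stock Kubernetes Indexed Job: one completion index per image, and `parallelism` as the cap on how many scanners run at once. The script below is an added example, not Aqua's orchestration code. It renders the Job and a ConfigMap holding the image list; each pod picks the line matching its `JOB_COMPLETION_INDEX`. The scanner image name and the `scanner scan` command inside the pod are placeholders for whatever scanner CLI you run, and the three image references are constructed sample input.

```shell
#!/bin/sh
# Render a Kubernetes Indexed Job that scans every image listed in a file,
# running at most <parallelism> scanner pods at any one time.
# Usage: render_scan_job <images-file> <parallelism> <scanner-image>
render_scan_job() {
  images_file=$1
  parallelism=$2
  scanner_image=$3           # placeholder: your scanner container image
  completions=$(grep -c . "$images_file")   # one completion index per non-empty line

  # Unquoted heredoc: $completions etc. expand now; \$ keeps the pod-side
  # shell variables literal so they expand inside the container instead.
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: scan-targets
data:
  images.txt: |
$(sed 's/^/    /' "$images_file")
---
apiVersion: batch/v1
kind: Job
metadata:
  name: image-scan
spec:
  completionMode: Indexed
  completions: $completions
  parallelism: $parallelism
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: scanner
        image: $scanner_image
        command: ["/bin/sh", "-c"]
        args:
        - |
          # Indexed Jobs expose the pod's index as JOB_COMPLETION_INDEX (0-based).
          IMAGE=\$(sed -n "\$((JOB_COMPLETION_INDEX + 1))p" /work/images.txt)
          echo "scanning \$IMAGE"
          scanner scan "\$IMAGE"   # placeholder scanner CLI; non-zero exit = failed scan
        volumeMounts:
        - name: targets
          mountPath: /work
      volumes:
      - name: targets
        configMap:
          name: scan-targets
EOF
}

# Constructed sample input: three image references, not real scan targets.
sample_list=$(mktemp)
printf '%s\n' \
  'registry.example.com/app/web:1.0' \
  'registry.example.com/app/api:1.0' \
  'registry.example.com/app/worker:1.0' > "$sample_list"

# 400 matches the demo's 200 nodes x 2 scanners per node.
render_scan_job "$sample_list" 400 registry.example.com/tools/scanner:1.0
rm -f "$sample_list"
```

`parallelism` is the only knob you need for the time-versus-cost trade-off: with 1,000 images and `parallelism: 400`, Kubernetes schedules 400 pods, then starts a new one each time a scan finishes until all completions are done. How many nodes actually exist is decided by the cluster autoscaler, not by this manifest, so a node cap there bounds your spend while the Job simply queues behind it.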
If you have a large development pipeline and use CI/CD to build images, you will run into this challenge. Of course, vulnerability scanning is only the first step. As Tsvi explained in a previous blog, the key is to automate security into the process so that every new image triggers a scan and the results are fed back into the CI/CD build. Shahar previously demonstrated how we do this with our Jenkins plug-in.