Working with several customers who are "heavy" adopters of Docker containers, we've seen environments where thousands of images are built on almost a daily basis. Organizations that fully commit to continuous integration often commit developer code into the image build process, which results in images being updated constantly. If those images are to be deployed, they must also be scanned for vulnerabilities. But how do you scan thousands of images in a short time, again and again?
The video below shows how we scan 1,000 images in 12:30 minutes.
We run many scanners in parallel, and queue the images for scanning across this collection. The scanners are spun up automatically and then spun down when the scan is finished, all orchestrated using Kubernetes.
Some of you may want to know the details: We ran this on Google Cloud, launching 200 Kubernetes nodes, with 2 Aqua scanners running as containers on each node. The machine type used in this demo was n1-standard-1 (1 vCPU, 3.75GB memory).
The beauty of this system is that it scales up and down as needed, and you can limit the number of nodes you run simultaneously to optimize time vs. cost, while meeting the requirements for scanning in peak times.
If you have a large development pipeline and use CI/CD to build images, this is a challenge you will run into. Of course scanning is only the first step - as Tsvi explained in a previous blog, the key is to automate security into the process so that every new image triggers a scan, and the results are fed back into the CI/CD build process. And Shahar previously demonstrated how we do this with our Jenkins plug-in.
Aqua enables enterprises to secure their virtual container environments from development to production, accelerating container adoption and bridging the gap between DevOps and IT security.
Aqua's Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks, providing transparent, automated security while helping to enforce policy and simplify regulatory compliance.