Working with several customers who are heavy adopters of Docker containers, we've seen environments where thousands of Docker images are built almost daily. Organizations that fully commit to continuous integration often feed every developer commit into the image build process, so images are updated constantly. If those images are to be deployed, they must also be scanned for vulnerabilities. But how do you scan thousands of images in a short time, again and again?
The video below shows us scanning 1,000 images for vulnerabilities in 12 minutes and 30 seconds.
We run many scanner instances in parallel and feed them images from a queue. Kubernetes spins the scanners up automatically and tears them down once the queue is drained.
Some of you may want to know the details:
We ran this on Google Cloud, launching 200 Kubernetes nodes with 2 Aqua scanners running as containers on each node, for 400 scanners in total. The machine type used in this demo was n1-standard-1 (1 vCPU, 3.75 GB memory). With 400 scanners and 1,000 images, each scanner handled about 2.5 images over the 12.5-minute run, so a single image scan averaged roughly 5 minutes on this machine size.
The beauty of this system is that it scales up and down as needed. You can cap the number of nodes that run simultaneously to trade time against cost, while still meeting the scanning demand at peak times.
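The fan-out pattern described above, expressed as a Kubernetes manifest. This is an added example, not Aqua's own manifest, and the post does not show how the Aqua scanner is invoked, so the open-source `trivy image` command (from the `aquasec/trivy` image) stands in for the scanner; the image list, names and resource figures are constructed. An Indexed Job (GA since Kubernetes 1.24) gives every pod a distinct `JOB_COMPLETION_INDEX`, which is the queue: pod N scans line N+1 of the list, and `parallelism` is the cost cap on how many scanners run at once.

```yaml
# Added example, not from the original post. Assumed: an Indexed Job picks the
# image to scan by its completion index; trivy stands in for the Aqua scanner.
apiVersion: v1
kind: ConfigMap
metadata:
  name: images-to-scan
data:
  # Constructed sample list: one image reference per line. In the post's run
  # this list had 1,000 entries.
  images.txt: |
    registry.example.com/payments/api:1.4.2
    registry.example.com/payments/worker:1.4.2
    registry.example.com/frontend/web:2.0.0
    registry.example.com/frontend/web:2.0.1
    registry.example.com/infra/nginx:1.25.3
    registry.example.com/infra/redis:7.2.4
---
apiVersion: batch/v1
kind: Job
metadata:
  name: bulk-image-scan
spec:
  completionMode: Indexed
  completions: 6            # one completion per line in images.txt
  parallelism: 4            # max concurrent scanners (400 = 200 nodes x 2 in the post)
  backoffLimit: 3           # retries are for infrastructure errors (pull failures), not findings
  ttlSecondsAfterFinished: 3600   # Job and finished pods are garbage-collected an hour later
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: scanner
        image: aquasec/trivy:0.50.0    # stand-in scanner image (assumption)
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -eu
          # Kubernetes sets JOB_COMPLETION_INDEX (0..completions-1) in Indexed Job pods.
          # Line index+1 of the ConfigMap is this pod's work item.
          IMAGE="$(sed -n "$((JOB_COMPLETION_INDEX + 1))p" /work/images.txt)"
          echo "index ${JOB_COMPLETION_INDEX}: scanning ${IMAGE}" >&2
          # Exit code stays 0 on findings so a vulnerable image is a result, not a
          # failed pod that would be retried backoffLimit times.
          trivy image --severity HIGH,CRITICAL --format json "${IMAGE}"
        resources:
          # Two scanners per n1-standard-1 (1 vCPU, 3.75 GB) with headroom for system pods.
          requests: {cpu: "400m", memory: "1500Mi"}
          limits:   {cpu: "500m", memory: "1700Mi"}
        volumeMounts:
        - {name: images, mountPath: /work, readOnly: true}
      volumes:
      - name: images
        configMap: {name: images-to-scan}
```

Run it with `kubectl apply -f` and collect results with `kubectl logs -l job-name=bulk-image-scan`; in a real pipeline each pod would instead post its JSON to a results store so the findings can be fed back into CI, as the rest of the post describes. Scaling the node count up and down is the cluster autoscaler's job, not the Job's: `parallelism` only bounds how many scanner pods are pending or running at once, which is what lets you trade wall-clock time against the number of nodes you pay for. Scanning a private registry also needs the scanner's own registry credentials (for trivy, a mounted Docker config or `TRIVY_USERNAME`/`TRIVY_PASSWORD`), separate from any `imagePullSecrets` used to pull the scanner image itself.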
If you have a large development pipeline and build images through CI/CD, you will run into this challenge. Vulnerability scanning is only the first step: as Tsvi explained in a previous blog post, the key is to automate security into the process so that every new image triggers a scan and the results are fed back into the CI/CD pipeline. Shahar previously demonstrated how we do this with our Jenkins plug-in.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.