Docker Images Vulnerability Scanning on a Massive Scale

Working with several customers who are heavy adopters of Docker containers, we've seen environments where thousands of Docker images are built almost daily. Organizations that fully commit to continuous integration typically build a new image from every developer commit, so images change constantly. If those images are to be deployed, they must also be scanned for vulnerabilities. But how do you scan thousands of images in a short time, again and again?

The video below shows how we scan 1,000 images for vulnerabilities in 12 minutes 30 seconds.

We run many scanners in parallel and queue the images for scanning across this pool. The scanners are spun up automatically and spun down again when the scan is finished, all orchestrated by Kubernetes.

For those who want the details: we ran this on Google Cloud, launching 200 Kubernetes nodes with 2 Aqua scanners running as containers on each node, for 400 scanners in total. The machine type used in this demo was n1-standard-1 (1 vCPU, 3.75 GB memory), so each scanner had roughly half a vCPU and under 2 GB of memory. Draining 1,000 images through 400 scanners in 12.5 minutes works out to about 2.5 images per scanner, or roughly five minutes per image including the time to pull it.

The beauty of this system is that it scales up and down as needed. You can cap the number of nodes that run simultaneously to trade time against cost, while still meeting the scanning requirements at peak times.
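One way to put numbers on that time-versus-cost trade-off and to drive the fan-out from Kubernetes is sketched below. This is an added example, not Aqua's scanner or orchestration code. It assumes a Kubernetes Indexed Job (available since 1.21), a ConfigMap holding one image reference per line in `images.txt`, a placeholder scanner image and a placeholder `scan` command standing in for whatever scanner CLI you run, and a measured average of five minutes per image, which is what the figures above imply if the 400 scanners stayed busy. The 10% reserve for system daemons is also an assumption; check the node's real allocatable values.

```python
"""Plan a parallel image-scan run and render the Kubernetes Job that drives it.

Added example for this post; it is not Aqua's scanner or orchestration code.
Assumptions are marked in comments.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanPlan:
    images: int               # size of the backlog to drain
    nodes: int                # worker nodes in the pool
    scanners_per_node: int    # scanner containers packed onto each node
    minutes_per_scan: float   # measured average per image, pull included

    @property
    def concurrency(self) -> int:
        return self.nodes * self.scanners_per_node

    @property
    def wall_minutes_lower(self) -> float:
        # Scanners take the next image from the queue the moment they finish,
        # so the ideal wall time is total work divided by concurrency.
        return self.images * self.minutes_per_scan / self.concurrency

    @property
    def wall_minutes_upper(self) -> float:
        # Worst case: the backlog drains in ceil(images / concurrency) rounds,
        # the last one possibly leaving most scanners idle.
        return math.ceil(self.images / self.concurrency) * self.minutes_per_scan

    @property
    def node_minutes_upper(self) -> float:
        # Cost proxy: every node is billed for the whole run, idle tail included.
        return self.nodes * self.wall_minutes_upper


def cheapest_plan_under(images, scanners_per_node, minutes_per_scan,
                        deadline_minutes, max_nodes):
    """Smallest node pool whose ideal wall time meets the deadline, or None."""
    for nodes in range(1, max_nodes + 1):
        plan = ScanPlan(images, nodes, scanners_per_node, minutes_per_scan)
        if plan.wall_minutes_lower <= deadline_minutes:
            return plan
    return None


def job_manifest(plan, image_list_configmap, scanner_image,
                 node_cpu_millicores=1000, node_memory_mi=3840):
    """Render an Indexed Job (Kubernetes >= 1.21): one completion per image,
    at most `plan.concurrency` pods at once.  Pod index i scans line i+1 of
    /work/images.txt, mounted from a ConfigMap (assumed to exist)."""
    # Requests sized so the scheduler packs exactly `scanners_per_node` pods
    # onto a node, keeping ~10% for kubelet and system daemons (assumption;
    # compare with `kubectl describe node` allocatable values).
    cpu = int(node_cpu_millicores * 0.9) // plan.scanners_per_node
    mem = int(node_memory_mi * 0.9) // plan.scanners_per_node
    return {
        "apiVersion": "batch/v1",
        "kind": "Job",
        "metadata": {"name": "image-scan-backlog"},
        "spec": {
            "completionMode": "Indexed",
            "completions": plan.images,
            "parallelism": plan.concurrency,
            "backoffLimit": 3,
            "template": {"spec": {
                "restartPolicy": "Never",
                "volumes": [{"name": "work",
                             "configMap": {"name": image_list_configmap}}],
                "containers": [{
                    "name": "scanner",
                    "image": scanner_image,  # placeholder scanner image
                    # JOB_COMPLETION_INDEX is injected by Indexed Jobs;
                    # `scan` is a placeholder for the scanner CLI you run.
                    "command": ["/bin/sh", "-c",
                                'IMAGE=$(sed -n "$((JOB_COMPLETION_INDEX + 1))p" '
                                '/work/images.txt) && scan "$IMAGE"'],
                    "volumeMounts": [{"name": "work", "mountPath": "/work"}],
                    "resources": {"requests": {"cpu": f"{cpu}m",
                                               "memory": f"{mem}Mi"}},
                }],
            }},
        },
    }


if __name__ == "__main__":
    import json
    demo = ScanPlan(images=1000, nodes=200, scanners_per_node=2,
                    minutes_per_scan=5.0)
    print(f"{demo.concurrency} scanners, {demo.wall_minutes_lower:.1f} to "
          f"{demo.wall_minutes_upper:.1f} min, "
          f"{demo.node_minutes_upper:.0f} node-minutes worst case")
    print(json.dumps(job_manifest(demo, "scan-backlog",
                                  "registry.example/scanner:latest"), indent=2))
```

Two things the numbers make visible. First, in the ideal model the total node-minutes are fixed by the amount of scanning work (images times minutes per scan, divided by scanners per node); adding nodes buys wall-clock time, not cheaper scans, and the real cost of a large pool is node start-up plus the idle tail at the end of the run. Second, `parallelism` bounds how many scanners exist at once, but it is the resource requests, together with the cluster autoscaler, that decide how many land on each node; if the requests are too small you get oversubscribed nodes and timeouts that look like scanner failures.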

If you have a large development pipeline and use CI/CD to build images, this is a challenge you will run into. Of course, vulnerability scanning is only the first step; as Tsvi explained in a previous blog, the key is to automate security into the process so that every new image triggers a scan and the results are fed back into the CI/CD build. Shahar previously demonstrated how we do this with our Jenkins plug-in.

Rani Osnat

Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies for more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously, Rani was a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.