Snyk Blog

Safely handling containers

Written by:
Tales Casagrande
Tales Casagrande
wordpress-sync/feature-safe-containers

June 22, 2022

0 mins read

This post was written by Tales Casagrande, a Snyk Ambassador. Snyk Ambassadors are passionate about sharing their security expertise. Become one today by signing up!

In the shipping industry, the container format follows ISO 668, a standard format that regulates the safe stacking of containers.

Imagine your applications with multiple containers, running different applications, serving different purposes for people all over the world.

Container safety for software

Modern software is not much different from a ship. We “stack” several microservices within projects, there are teams responsible for the development and security of the environment, and if someone makes a critical mistake, everything can be lost. Let’s think about containers from a development and security point of view.

  • Do you trust the image you’re putting into production? Is the origin reliable?

  • Do you conduct security tests to see if there are any security issues?

  • How do you prioritize fixes?

  • Does your base image have just the bare minimum needed to run your application?

  • Does the development team keep up to date on best practices?

  • Does your security team help during development, or just place blame when a vulnerability is detected?

If you can’t answer every question, no problem! Stick around and I’ll give you some tips.

Starting your analysis with Snyk Container

The point here is to break down barriers between security and development teams, helping both with information on how to prioritize vulnerabilities in containers using criteria instead of generating giant reports.

As an example, let’s use the snyk-goof repo, which contains a purposely vulnerable application used for testing (it is not recommended for use in production environments). We’ll analyze this application using Snyk Container, which provides a simple and effective way to automate vulnerability fixes and helps developers focus on problems.

First, create an account (it’s free!).  If you already have one, just log in. Navigate to Projects > Add project.

wordpress-sync/blog-safe-containers-create-account
wordpress-sync/blog-safe-containers-snyk-goof

Be aware that it may take a few minutes for the analysis results to appear under your newly imported project. Snyk has the ability to analyze code, libraries and containers. Today we’ll focus on containers.

wordpress-sync/blog-safe-containers-dockerfile-1

Take a look at the Dockerfile. Would you transport a container with critical infrastructure issues offshore? I don't think so! Let’s ask some questions:

  • Where can we start?

  • What is the priority of each of these problems?

Now, to create your plan, consider the following:

  • Could anyone take advantage of these flaws?

  • Is there already any malicious code (an existing exploit) on the internet that could exploit this flaw?

  • Is anyone on social media talking about the flaw?

  • Is there a fix?

Every vulnerability has a score assigned by the Common Vulnerability Scoring System (CVSS). The basis of this calculation score includes criteria such as attack surface, attack complexity, user interaction, and privileges required.

wordpress-sync/blog-safe-containers-vuln-score

Snyk Container provides lots of helpful information about each vulnerability.

wordpress-sync/blog-safe-containers-python-vuln

In this example, we’re talking about a simple image, but imagine on a large scale. What would it look like? We can create a baseline based on the questions above.

wordpress-sync/blog-safe-containers-recommendations

This image shows Snyk Code’s base image upgrade recommendations. These upgrades reduce risk, enabling us to save the time we might spend looking for another base image (or trying to upgrade).

Running the same analysis with the Snyk CLI

I did my analysis using the graphical user interface. But development teams often live on the command line, or in their IDE, so let’s remove the barrier of another login and do the same analysis using the Snyk CLI.

In the Snyk console, go to Integrations > CLI and follow the steps for your environment. Let’s use the same project: snyk-goof.

wordpress-sync/blog-safe-containers-git-clone

Now let’s build the image.

wordpress-sync/blog-safe-containers-build-image

Now the fun part! Let’s start the analysis using the CLI.

wordpress-sync/blog-safe-containers-analyzing
wordpress-sync/blog-safe-containers-cli-analysis

The test results in the console and the CLI are a little bit different because I tested on different days, but the analysis run using the Snyk CLI still provides the same base image upgrade recommendations.

The advantage of metrics-based analysis

New vulnerabilities emerge all the time. We can’t stop to fix every problem. We need to prioritize, automate and focus our efforts where the impact could be most severe. A metrics-based analysis eliminates the noise between teams and helps you quickly find ways to maneuver your containers safely.

Developer-first container security

Snyk finds and automatically fixes vulnerabilities in container images and Kubernetes workloads.

Book a live demoStart free

Posted in:Container Security
wordpress-sync/feature-safe-containers

Level Up Your CI/CD Pipelines

See how these 8 tips can help you catch security issues in the pipe BEFORE you push to production ⭐️

See the cheatsheet

Become a Snyk Ambassador

The Snyk Ambassador Program is always on the look for new members! Apply now. If you’re selected, you’ll be asked to join Snyk on our mission to help developers all over the world to find and fix security issues in their applications, in an easy and empowering way.

Apply now
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon