Announcing the Snyk and Docker Security Guide for Developers

Written by:

18 November 2020


Now that you might be seeing your first scan results for container vulnerabilities, you have likely discovered a few issues, maybe even more than a few! It can be daunting to get a list of tens or hundreds of vulnerabilities when you scan an image. Fear not! We have written a guide to lay the foundations for handling these issues, and we are pleased to announce the release of the Guide to Container Security for Development Teams.

Snyk Container will help you figure out what is in your container images, how a developer—who may not be an expert in container and operating system security pitfalls—can fix these issues, and where you should focus your efforts amidst the many vulnerabilities you might find.

A practical guide, built for developers

There are many best practices lists for building secure containers, but they usually have a single bullet that says something like “Scan for container vulnerabilities”. The concept is good, but the problem is, what do you do once you know about all those vulnerabilities? In fact, this issue of what to do next isn’t unique to just container vulnerabilities, which is one reason our company is named Snyk: “So Now You Know...”!


So now you know you have container vulnerabilities...what do you do about it?

While we believe our products solve some of the technical hurdles, there is an educational aspect for the people and process side that isn’t so easy to just build into a product, and that’s where this guide comes in. We present you with a starting point for a process for handling container vulnerabilities, no matter which tools you use to build or scan container images.

We provide a general overview of the umbrella topic of container security and then dive deeper into the specific area of container image security. Then we outline a process for addressing vulnerabilities in containers, and also some examples of DevSecOps workflows that other organizations have implemented successfully to collaboratively build secure images. We also get into how you can keep your own code secure in a container, why you should use Docker Official images, and how to choose the best base images, from a security perspective.

Hint: our products will help you quite a bit here!

And fear not! It’s not all just a process manual. There are plenty of examples and code as well.

$> docker build -t hello-python:slim . -f Dockerfile.slim
[+] Building 0.4s (8/8) FINISHED
 => [internal] load build definition from Dockerfile.slim                                    0.0s
 => => transferring dockerfile: 78B                                                          0.0s
 => [internal] load .dockerignore                                                            0.0s
 => => transferring context: 2B                                                              0.0s
 => [internal] load metadata for docker.io/library/python:slim                               0.3s
 => [1/3] FROM docker.io/library/python:slim@sha256:9ab472fc54e9ed1064c97ff26baa16f3aad8009c03e9adf63d408f39ad3dc983  0.0s
 => [internal] load build context                                                            0.0s
 => => transferring context: 66B                                                             0.0s
 => CACHED [2/3] WORKDIR /app                                                                0.0s
 => CACHED [3/3] COPY hello.py /app                                                          0.0s
 => exporting to image                                                                       0.0s
 => => exporting layers                                                                      0.0s
 => => writing image sha256:259d236f493082154e71152881754ea50c5bf7b882413bba2b92c356af6bf83a  0.0s
 => => naming to docker.io/library/hello-python:slim                                         0.0s

$> docker run --rm -it hello-python:slim
Hello world!

$> snyk container test hello-python:slim --file=Dockerfile.slim

Testing hello-python:slim...
...
Package manager:   deb
Target file:       Dockerfile.slim
Project name:      docker-image|hello-python
Docker image:      hello-python:slim
Platform:          linux/arm64
Base image:        python:slim
Licenses:          enabled

Tested 106 dependencies for known issues, found 48 issues.

According to our scan, you are currently using the most secure version of the selected base image
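The build and scan above can be turned into a single repeatable script, which is how a team would typically wire this into CI. The script below is an added example, not code from the guide or from the original post. The Dockerfile.slim it writes is reconstructed from the three build steps shown in the output (FROM python:slim, WORKDIR /app, COPY hello.py /app) and is an assumption about what the original file contained; the two hardening lines, pinning the base image to the digest printed in the build output and running as the unprivileged uid 65534, are additions of mine, as is gating the pipeline on `--severity-threshold=high` so that only high and critical findings fail the step.

```shell
#!/bin/sh
# Added example: build, run and scan a minimal Python image, then fail the
# pipeline step only on high/critical findings. Not from the Snyk guide.
set -eu

IMAGE="hello-python:slim"
# Digest copied from the build output above. Pinning "tag@digest" makes the
# base image immutable; re-resolve it deliberately when you update the base.
BASE_DIGEST="sha256:9ab472fc54e9ed1064c97ff26baa16f3aad8009c03e9adf63d408f39ad3dc983"

# Writes hello.py and Dockerfile.slim into the directory given as $1.
# The Dockerfile reproduces the three build steps shown in the post; the
# digest pin and the USER line are hardening additions (assumption, not the
# original file's content).
write_sources() {
    dir="$1"
    printf 'print("Hello world!")\n' > "$dir/hello.py"
    cat > "$dir/Dockerfile.slim" <<EOF
FROM python:slim@${BASE_DIGEST}
WORKDIR /app
COPY hello.py /app
USER 65534
CMD ["python", "hello.py"]
EOF
}

# Builds the image, runs it once as a smoke test, then scans it.
# "snyk container test" exits non-zero when it finds issues at or above the
# threshold, so under "set -e" a high or critical finding stops the script.
build_and_scan() {
    dir="$1"
    docker build -t "$IMAGE" "$dir" -f "$dir/Dockerfile.slim"
    docker run --rm "$IMAGE"
    snyk container test "$IMAGE" --file="$dir/Dockerfile.slim" --severity-threshold=high
}

# Only execute the Docker and Snyk steps when invoked as: sh build-scan.sh run
if [ "${1:-}" = "run" ]; then
    workdir="$(mktemp -d)"
    write_sources "$workdir"
    build_and_scan "$workdir"
fi
```

Passing `--file` is what lets Snyk tell the base image layers apart from your own, which is why the output above reports the base image and whether a more secure version of it exists; the severity threshold keeps the 48 mostly OS-level findings from a slim Debian base from blocking every build while you work through them.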

Let us know what you think

We hope this Guide to Container Security for Development Teams is useful to you as you start to build your container image scanning practices. This guide is meant to show best practices, which we can’t do without continued input from our users!

So, if you have a great practice that you think we should cover, please reach out on the Snyk Community site and let us know.
