Alcide Rapid 7 Logo Alcide Rapid 7 Logo
Alcide has been acquired by Rapid7- a leading provider of security analytics and automation. Learn more
24-Post-page-H1-image

Container Image Scanning for Kubernetes Deployments

December 7, 2020
Alon Berger
Product Marketing Manager

 

The process of image scanning typically refers to the act of parsing through packages and dependencies that are defined in a container image file, while trying to identify and detect whether there are any known vulnerabilities.

Traditional image scanning tools mainly focus on auditing and tracking Common Vulnerabilities and Exposures (CVE), put together by well-established databases and formal organizations, such as the National Vulnerability Database (NVD) and MITRE knowledge base.

Containers usually have various packaging formats, they consist of several layers and often require shared responsibility between Ops and Dev teams. All of these aspects and more make container security a tricky business to tame and maintain, no matter the scale of deployment.

 

The First Kubernetes-Focused Image Scanning Solution

Since Kubernetes claimed the title as the top orchestrator for containerized applications, image scanning methodologies became an integral part of the CI/CD pipeline.

These methodologies, among other key operational processes, should be tightly enforced by objective-driven security guardrails for any Kubernetes deployments and workloads across the entire application lifecycle.

Alcide’s image scanning capability is a part of its end-to-end SaaS platform and the Alcide Runtime (kArt) in particular. Starting from the build stage and all the way to runtime, Alcide’s image scanning module is specifically designed for continuous audit and monitoring of Kubernetes deployments, providing clean and noise-free reports, highlighting relevant vulnerabilities and security issues associated with Kubernetes entities and resources.

 

Alcide CI/CD pipeline and coverage overview

 

Alcide seamlessly integrates and leverages Kubernetes and cloud-native image scanning engines of AWS, Google, and Azure (ECR, GCR, and ACR, respectively).

The process begins with a lightweight agent developed by Alcide that reads and extracts relevant container images inventory from the Kubernetes cluster. Then, the information is sent to the cloud vendor’s scanners, where they use their myriad of rich and robust resources to check the scan results against known databases for potential vulnerabilities.

Lastly, the data is sent back to Alcide’s SaaS platform, where it is collected, sorted, and visualized in designated reports and dashboards. These reports enable both security and Ops teams to drill down specific Kubernetes vulnerabilities and their corresponding container images.

Furthermore, Alcide partnered with WhiteSource, a security management platform, providing end-to-end management for developers using open-source tools and for operation teams as well. Through this collaboration, organizations can rely on Alcide to complement WhiteSource’s solution for progressive image scanning. This partnership introduces a comprehensive offering for securing Kubernetes deployments, by scanning Kubernetes clusters as a baseline for future changes and reporting security-related issues on a panoramic view of images, vulnerabilities, and alerts.

 

Conclusion

It is a known fact that new vulnerabilities and exploits keep popping up on a daily basis, leaving the already deployed applications vulnerable to such risks. For that reason, it is safe to say that image scanning in early CI stages is clearly not enough. With Alcide, automating image scanning procedures to run on a daily basis ensures that the entire pipeline is wrapped with the required security layers for early discovery and dynamic detection of any possible threat.

Alcide aims for empowering all operational teams, including security, developers, and DevOps to increase deployment efficiency while becoming a seamless part of their toolset.

Additional features, enhanced capabilities, and future collaborations are already in the works, setting the stage for better agility and productivity with Kubernetes.

 

Want to give it a try? Start your 14-day trial with Alcide’s Kubernetes security platform.

 

 

About the author

Alon profile

Alon Berger

Product Marketing Manager

Alon Berger is a Product Marketing Manager at Alcide and an experienced Technical Engineer with a demonstrated history of working in the computer software industry. Skilled in R&D Operations management, Cyber Security, Cloud platforms, and DevSecOps methodologies. Alon served in the 8200 unit and holds a BSc in Computer Science.

Subscribe for updates, fresh insights, stories and tips

The latest posts delivered to your inbox