
Secure your container images before deployment with Vulnerability Advisor


(Ed.–This post covers 1 of 3 related tutorials you can do around Kubernetes-based application development. At the end, the author mentions the other two–on creating a highly scalable web app in Kubernetes, and on setting up log data visualization.)

This section of the overall solution tutorial “Continuous deployment to Kubernetes” covers the Vulnerability Advisor tool, which checks the security status of container images both before deployment and while the containerized app is running.

If you follow the initial steps in the solution tutorial, you will create a Kubernetes cluster, an Express Node.js app, and a toolchain that continuously deploys app updates. You will then be ready to use Vulnerability Advisor as part of a DevOps pipeline.

Start the full tutorial

Security using Vulnerability Advisor

  1. Go to the toolchain you created under DevOps toolchains and click the Delivery Pipeline tile.
  2. Click Add Stage and rename MyStage to Validate Stage.
  3. Click JOBS > ADD JOB.
  4. Select Test as the Job Type and change the job name from Test to Vulnerability advisor.
  5. Under Tester type, select Vulnerability Advisor. All the other fields should be populated automatically.
  6. Drag the Validate Stage into the middle of the pipeline. The Container Registry namespace should be the same as the one set in the Build Stage of this toolchain.
  7. Click Run on the Validate Stage. You will see that the Validate Stage fails.

Let’s fix the vulnerabilities.

  • Open the cloned repository in an IDE (or select the Eclipse Orion Web IDE tile), open the Dockerfile, and add the command below after EXPOSE 3000:

# Upgrade the packages flagged by Vulnerability Advisor to the newest versions
# available from the base image's package repositories
RUN apt-get update && apt-get install -y \
    libc6 \
    systemd \
    sensible-utils \
    isc-dhcp-client

  • Commit and push the changes. This triggers the toolchain again, and the Validate Stage should now pass.

git add Dockerfile
git commit -m "Fix Vulnerabilities"
git push origin master
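As an added example (not code from the tutorial or from IBM), the gate logic that a Validate Stage performs can be sketched in Python: it reads a scan report, fails the stage on findings at or above a severity threshold, and renders the Dockerfile RUN line used above for the packages that have a fix available. The report format, image reference and version strings are constructed assumptions for illustration, not Vulnerability Advisor's real output.

```python
import json

# CONSTRUCTED sample report (an assumption for this example; not Vulnerability
# Advisor's real output format). Package names match the tutorial's fix; version
# strings are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": "<registry>/<namespace>/app:latest",  # placeholder image reference
    "vulnerabilities": [
        {"package": "libc6", "installed": "1.0-1", "fixed_in": "1.0-2", "severity": "High"},
        {"package": "systemd", "installed": "1.0-1", "fixed_in": "1.0-2", "severity": "High"},
        {"package": "sensible-utils", "installed": "1.0-1", "fixed_in": "1.0-2", "severity": "Medium"},
        {"package": "isc-dhcp-client", "installed": "1.0-1", "fixed_in": "1.0-2", "severity": "Medium"},
        # A finding with no fixed version yet: cannot be cleared by upgrading.
        {"package": "curl", "installed": "1.0-1", "fixed_in": None, "severity": "Low"},
    ],
})


def evaluate(report_json, fail_on=("Critical", "High", "Medium")):
    """Decide whether the stage passes and split findings into fixable/unfixable.

    Returns (passed, fixable, unfixable). The stage fails when any finding has a
    severity in fail_on; fixable lists packages with a fixed version available.
    """
    findings = json.loads(report_json)["vulnerabilities"]
    fixable = sorted({f["package"] for f in findings if f.get("fixed_in")})
    unfixable = sorted({f["package"] for f in findings if not f.get("fixed_in")})
    passed = not any(f["severity"] in fail_on for f in findings)
    return passed, fixable, unfixable


def dockerfile_fix(fixable):
    """Render the RUN instruction the tutorial adds after EXPOSE 3000.

    Installing an already-present package with apt-get upgrades it to the newest
    version the base image's repositories offer, which is what clears the finding.
    """
    if not fixable:
        return ""
    return "RUN apt-get update && apt-get install -y \\\n    " + " \\\n    ".join(fixable)


if __name__ == "__main__":
    ok, fix, nofix = evaluate(SAMPLE_REPORT)
    print("Validate Stage:", "PASS" if ok else "FAIL")
    print(dockerfile_fix(fix))
    if nofix:
        print("# No upgrade available yet for:", ", ".join(nofix))
```

Findings without a fixed version will keep failing the stage regardless of the Dockerfile change, so they need a different base image or a documented risk acceptance rather than another rebuild.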

More about Vulnerability Advisor

From the logs and history, you may have figured out that Vulnerability Advisor provides security management for IBM Cloud Kubernetes Service. It generates a security status report, suggests fixes and best practices, and lets you restrict non-secure images from running. Fixing the security and configuration issues that it reports helps you secure your IBM Cloud infrastructure.

Vulnerability Advisor includes the following features:

  • Scans images for vulnerabilities
  • Provides an evaluation report based on security standards and security practices specific to IBM Cloud Container Service
  • Detects file-based malware
  • Provides recommendations to secure configuration files for a subset of application types
  • Provides instructions on how to fix a reported vulnerable package or configuration issue in its reports

In the Registry dashboard, the SECURITY REPORT column displays the status of your repositories. The report identifies good cloud security practices for your images.

The Vulnerability Advisor dashboard provides an overview and assessment of the security for an image. To find out more about the Vulnerability Advisor dashboard, see Reviewing a vulnerability report.

Slack Integration

As part of the full tutorial, you will set up Slack integration to send notifications about your pipeline stages to a specific channel.

Start the Vulnerability Advisor tutorial

With your pipeline and auto-notifications in place, follow up with another tutorial to add data visualization and analytics to the logging and monitoring that comes with your Kubernetes cluster. And consider doing the tutorial on developing a highly scalable web app. While you’re at it, consider what’s involved in adding a chatbot to that web experience; here’s how online-only banker UBank did it.

Technical Offering Manager & Polyglot Programmer | IBM Cloud
