iCompaas Support

Profile Applicability:

• Level 2

Description:

Container images deployed in Google Cloud environments should be scanned for vulnerabilities to ensure they do not contain known security issues. This can be achieved using Google Container Registry (GCR) container scanning or a third-party vulnerability scanning provider.

Rationale:

Vulnerability scanning identifies and mitigates security issues in container images before they are deployed to production environments. By scanning images, you ensure that only secure and trusted images are running in your cloud infrastructure. It is essential to integrate automated vulnerability scanning into your CI/CD pipeline to detect vulnerabilities early in the development cycle and avoid potential risks.

Impact:

• Security: Scanning for vulnerabilities ensures that container images are secure before deployment.

• Operational Overhead: Integrating vulnerability scanning requires configuring the scanning tools and integrating them into your pipeline.

• Compliance: Helps organizations meet compliance requirements such as PCI-DSS, HIPAA, and SOC 2 by ensuring secure software practices.

Default Value:

• By default, GCR does not automatically enable vulnerability scanning for container images. Third-party tools may require additional setup and configuration.

Test Plan:

Using Google Cloud Console:

1. Navigate to Container Registry: Go to Container Registry under Cloud Storage in the Google Cloud Console.

2. Check Vulnerability Scanning Status:

   • Select Container Scanning.

   • Ensure that Container Scanning is enabled. You should see vulnerability reports for the images within the repository.

3. Repeat for All Repositories: Ensure that all GCR repositories are using vulnerability scanning.

Using Google Cloud CLI:

1. List All Images in GCR:

   gcloud container images list --repository=gcr.io/[PROJECT_ID]

2. Check Vulnerability Scan for an Image:
   Run the following command to check if vulnerability scanning is enabled:

   gcloud container images describe gcr.io/[PROJECT_ID]/[IMAGE] --format="json" | jq '.vulnerabilityReport'

   • The output should display any vulnerability reports associated with the image.

Remediation Steps:

Using Google Cloud Console:

1. Navigate to Container Registry: Go to Container Registry > Settings.

2. Enable Container Scanning:

   • Ensure that Container Scanning is enabled in the Security Settings of the project.

   • Container scanning can be integrated with Cloud Security Command Center to monitor and alert on security issues.

3. Configure Image Scanning in CI/CD Pipeline:

   • If using Cloud Build, enable vulnerability scanning as part of the build pipeline.

   • Configure a policy to block deployment of vulnerable images by integrating with Cloud Build and Container Registry.

Using Google Cloud CLI:

1. Enable Vulnerability Scanning for GCR:
   Enable vulnerability scanning by configuring Container Analysis API:

   gcloud services enable containeranalysis.googleapis.com

2. Use gcloud to Trigger Image Scanning:
   Run the following command to trigger a scan for your container image:

   gcloud container images scan gcr.io/[PROJECT_ID]/[IMAGE]
   

   After scanning, review the vulnerability report for any detected issues.

Backout Plan:

1. Disable Vulnerability Scanning:
   If you need to revert vulnerability scanning, you can disable the Container Scanning service:

   gcloud services disable containeranalysis.googleapis.com
   

2. Verify the Change: Ensure that no vulnerability reports are generated by scanning images.

3. Test the Image Deployment: Ensure that images are still being deployed and run successfully without scanning enabled.

4. Notify Stakeholders: Communicate to the security team and any stakeholders about the changes to the vulnerability scanning process.

References:

• Google Cloud: Container Vulnerability Scanning

• Cloud Build and Container Scanning

• Customer-Supplied Encryption Keys (CSEK) Documentation

CIS Controls: