Profile Applicability:

  • Level 2

Description:

Container images deployed in Google Cloud or any other cloud environment should be analyzed for vulnerabilities to ensure they do not contain known security issues. This can be achieved using Artifact Registry (AR) Container Analysis, the scanner built into Artifact Registry and Container Registry, or a third-party vulnerability scanning provider.

Rationale:

Container vulnerability analysis identifies known vulnerabilities in the OS and language packages of a container image before the image is deployed to a production environment. This process ensures that only images that have been checked against current vulnerability data are running in your cloud infrastructure. By leveraging AR Container Analysis or a third-party provider, detection runs automatically when an image is pushed and can be repeated in the CI/CD pipeline, making it easier to detect, assess, and mitigate risks early.

Impact:

  • Security: Identifying and fixing vulnerabilities in container images ensures the images are secure before deployment, reducing the risk of security breaches.

  • Operational Overhead: Setting up AR Container Analysis or a third-party provider might require initial configuration and integration into the CI/CD pipeline.

  • Compliance: Helps meet compliance requirements for secure software practices such as PCI-DSS, HIPAA, and SOC 2 by ensuring vulnerability scanning is part of the development lifecycle.

Default Value:

  • Automatic vulnerability scanning is not enabled by default: the Container Scanning API must be turned on per project (or a third-party scanner integrated) before any image is analyzed.

Test Plan:

Using Google Cloud Console (AR Container Analysis):

  1. Navigate to AR Container Analysis: In the Google Cloud Console go to Artifact Registry and open Settings.

  2. Verify Vulnerability Scanning:

    • Ensure that Vulnerability scanning is turned on; this is the project-level switch for the Container Scanning API.

    • Review the vulnerability report for each image stored in Container Registry or Artifact Registry (results are recorded per image digest, so open the digest, not just the tag).

  3. Repeat for All Projects: the setting is per project, so confirm it in every project that hosts container image repositories.

Using Google Cloud CLI:

  1. List All Images in the Registry:

    For an Artifact Registry repository:

    gcloud artifacts docker images list [LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY]

    For images still hosted in Container Registry (deprecated in favour of Artifact Registry):

    gcloud container images list --repository=gcr.io/[PROJECT_ID]

  2. Check Vulnerability Analysis for an Image:

    To print the vulnerability summary recorded for a specific image (the --show-package-vulnerability flag is what adds it to the output):

    gcloud artifacts docker images describe [LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY]/[IMAGE] --show-package-vulnerability --format="json" | jq '.package_vulnerability_summary'

    or, for Container Registry:

    gcloud container images describe gcr.io/[PROJECT_ID]/[IMAGE] --show-package-vulnerability --format="json" | jq '.package_vulnerability_summary'

    • Ensure that a package_vulnerability_summary is present for each image. If it is missing (jq prints null), no scan results exist for that image, usually because the Container Scanning API was not enabled when the image was pushed or because the image's base OS is not supported by the scanner.

Remediation Steps:

Using Google Cloud Console (AR Container Analysis):

  1. Enable AR Container Analysis:

    • In the Google Cloud Console go to Artifact Registry and open Settings (Container Registry images in the same project are covered by the same setting).

    • Turn on Vulnerability scanning; this enables the Container Scanning API for the project.

  2. Configure CI/CD Pipeline for Vulnerability Scanning:

    • If using Cloud Build, add an On-Demand Scanning step (gcloud artifacts docker images scan) after the image is built and fail the build when any finding is at or above the severity your policy allows, so that an image with known vulnerabilities is never promoted to deployment.

  3. Integrate Vulnerability Alerts:

    • Integrate with Security Command Center for monitoring and alerting on new vulnerability findings.

Using Google Cloud CLI:

  1. Enable AR Container Analysis:
    Enable the Container Analysis API (which stores scan metadata) together with the Container Scanning API (which actually scans images as they are pushed):

    gcloud services enable containeranalysis.googleapis.com containerscanning.googleapis.com

  2. Trigger Image Scanning:
    Automatic scanning covers images pushed after the Container Scanning API is enabled. To scan an image that is already in the registry, use On-Demand Scanning (a gcr.io URI is accepted as well):

    gcloud services enable ondemandscanning.googleapis.com
    gcloud artifacts docker images scan [LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY]/[IMAGE] --remote --format="value(response.scan)"
    gcloud artifacts docker images list-vulnerabilities [SCAN_ID]

    • The scan command prints the scan ID ([SCAN_ID]) consumed by list-vulnerabilities; --remote scans the registry copy of the image rather than one in the local Docker daemon. Review the listed findings and their effectiveSeverity.
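The following script is an added example, not part of the benchmark text or of Google's tooling. It turns the commands above into a reusable gate that serves both the Test Plan (checking what scanning reports for an image) and the Cloud Build step in the remediation (failing a build on findings). It assumes gcloud is installed and authenticated, that the Container Scanning and On-Demand Scanning APIs are enabled, and that the image URI is reachable by the caller; the function names severity_gate and scan_image and the sample severity lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text or any Google tooling.
# Assumptions: gcloud is installed and authenticated, the Container Scanning
# and On-Demand Scanning APIs are enabled, and IMAGE is an Artifact Registry
# or Container Registry URI reachable by the caller.
set -eu

# severity_gate THRESHOLD
# Reads one effectiveSeverity per line on stdin, as printed by
#   gcloud artifacts docker images list-vulnerabilities SCAN_ID \
#     --format='value(vulnerability.effectiveSeverity)'
# Prints a one-line summary. Returns 0 (deploy may proceed) when no finding is
# at or above THRESHOLD, 1 (block the deploy) otherwise, 2 on a bad threshold.
severity_gate() {
  threshold="${1:-HIGH}"
  case "$threshold" in
    CRITICAL) blocked="CRITICAL" ;;
    HIGH)     blocked="CRITICAL HIGH" ;;
    MEDIUM)   blocked="CRITICAL HIGH MEDIUM" ;;
    *) echo "severity_gate: unknown threshold '$threshold'" >&2; return 2 ;;
  esac
  total=0
  hits=0
  sev=""
  # The || [ -n "$sev" ] keeps the last line even if it lacks a newline.
  while IFS= read -r sev || [ -n "$sev" ]; do
    [ -n "$sev" ] || continue
    total=$((total + 1))
    for b in $blocked; do
      if [ "$sev" = "$b" ]; then hits=$((hits + 1)); fi
    done
  done
  echo "findings=$total at_or_above_${threshold}=$hits"
  if [ "$hits" -gt 0 ]; then return 1; fi
  return 0
}

# scan_image IMAGE [THRESHOLD]
# Live path: submits an on-demand scan of the registry copy of IMAGE, captures
# the scan ID, then feeds the resulting severities through severity_gate.
scan_image() {
  image="$1"
  threshold="${2:-HIGH}"
  scan_id=$(gcloud artifacts docker images scan "$image" --remote \
              --format='value(response.scan)')
  gcloud artifacts docker images list-vulnerabilities "$scan_id" \
      --format='value(vulnerability.effectiveSeverity)' | severity_gate "$threshold"
}

if [ "${1:-}" = "--live" ]; then
  scan_image "$2" "${3:-HIGH}"
else
  # Offline demo on constructed data: three findings, one of them HIGH, so the
  # gate blocks the deploy (exit status 1) at the default HIGH threshold.
  printf 'LOW\nMEDIUM\nHIGH\n' | severity_gate HIGH || echo "deploy blocked (exit $?)"
fi
```

Run it as `sh gate.sh --live LOCATION-docker.pkg.dev/PROJECT/REPO/IMAGE@sha256:... HIGH` from a Cloud Build step that uses the cloud-sdk builder image; a non-zero exit status fails the build before any deploy step runs. Pin the image by digest so the scanned artifact is exactly the one that gets deployed. Note that an empty severity list also occurs when the image's base OS is not supported by the scanner, so zero findings on an unfamiliar base image deserves a second look rather than a pass.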

Backout Plan:

  1. Disable Vulnerability Scanning:
    If needed, stop automatic scanning by disabling the Container Scanning API:

    gcloud services disable containerscanning.googleapis.com

    Leave containeranalysis.googleapis.com enabled if anything else in the project stores metadata in it (for example Binary Authorization attestations); disabling it is a broader change than turning scanning off.

  2. Verify No Vulnerability Scanning: Ensure that no vulnerability reports are being generated after disabling the scanning.

  3. Test Image Deployment: Ensure that images are still being deployed and running successfully without vulnerability scanning.

  4. Notify Stakeholders: Communicate to the security team and other stakeholders about the changes to the vulnerability scanning process.

References:

CIS Controls:

  Control   Description                                                                   IG 1   IG 2   IG 3
  3.11      Encrypt sensitive data at rest using strong encryption algorithms and keys
  14.5      Ensure systems are configured with appropriate security patches
  8.5       Implement application security testing, including vulnerability scanning