To perform continuous integration and continuous delivery (CI/CD) in a cloud-native world, it’s important to make sure your container images are safe and free of known critical vulnerabilities before you deploy them. Today, Google Cloud is pleased to announce Container Registry vulnerability scanning in beta, helping to automatically detect known security vulnerabilities during the early stages of the CI/CD process and prevent the deployment of vulnerable images.
When, where and how you integrate security into your CI/CD pipeline is critical. When we set out to build vulnerability scanning for container images, we started from the premise that security needs to be built into CI/CD from the very beginning, to cut down on time spent remediating downstream security issues, and to reduce risk exposure. Furthermore, security controls need to happen automatically, not as part of some manual, ad-hoc process. Finally, the system must be able to automatically block vulnerable images based on policies set by the DevSecOps team. In other words, CI/CD security needs to be comprehensive, from scanning images, to enforcing validation, as part of every CI/CD pipeline.
Now, all container images built using Cloud Build, our fully managed CI/CD platform, are automatically scanned for OS package vulnerabilities when images are pushed to Container Registry once the Container Analysis API is enabled. That way, you get quick feedback on potential threats and identify issues as soon as your containers are built. Vulnerability scanning is also integrated with Binary Authorization, a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine without any manual intervention.
As part of our journey towards the beta release of Container Registry vulnerability scanning we sought out input from current users. One of those early adopters is ThoughtWorks, a technology consulting firm that provides software design and delivery solutions to customers in different industries across the world.
ThoughtWorks is integrating vulnerability scanning into all of its app project pipelines to prevent vulnerable components from making it into production. Part of that integration involves automated reporting back to development teams with details about the vulnerabilities that have been discovered. The InfoSec team will then generate reports and provide guidance to development teams on how to prevent security issues.
Container Registry vulnerability scanning is a great service and will have a meaningful effect on securing web applications globally. With vulnerability scanning, it’s easy for us to verify and ensure vulnerable components don’t make it into production.– Philip Duldig
Integrating vulnerability scanning with other components of your CI/CD pipeline lets you continuously identify known vulnerabilities and trigger actions based on that information (e.g., with Cloud Pub/Sub and Cloud Functions). Vulnerability scanning continuously monitors security databases from the supported OS distributions for new or updated vulnerabilities, to ensure its scans and results reflect the most up-to-date information.
Other benefits of vulnerability scanning include:
Perform deep security scans within your CI/CD pipeline: The integration of vulnerability scanning with Cloud Build lets developers identify security threats as soon as Cloud Build creates an image and stores it in Container Registry, using a simple API call, the gcloud command line, or the Cloud Console UI.
Address security early on: Container Registry vulnerability scanning bakes in security from the get go, so you can shift security left. Package vulnerabilities for Ubuntu, Debian, and Alpine are identified right during the application development process, with support for CentOS and RHEL on the way. This helps avoid costly inefficiencies and reduces the time required to remediate known vulnerabilities.
Hook into an extensible architecture: You can plug Container Registry vulnerability scanning into your existing CI/CD tools using Pub/Sub notifications and Cloud Functions. For example, you could integrate vulnerability findings into your workflow to automatically generate and track issues when vulnerabilities are discovered. Also, in the future, we’ll include Container Registry vulnerability scanning findings in Cloud Security Command Center alongside other security findings, including those from vendors such as Aqua or Twistlock.
Lock down production environments: Binary Authorization formalizes and codifies an organization’s deployment requirements on Kubernetes Engine using image signature verification. By integrating Binary Authorization and Container Registry vulnerability scanning, you can gate deployments based on vulnerability scanning findings as part of the overall deploy policy. Follow these detailed instructions to set this up.
Get detailed insights: Container Registry vulnerability scanning provides detailed insights such as severity, CVSS score, packages, and whether a fix is available. Its filtering mechanism allows you to prioritize patching and determine the impact of new vulnerabilities. It also notifies your DevSec team about the status and results of a scan as soon as the run is complete and it detects any issues.
With Container Registry vulnerability scanning, you now have an easy way to improve security within your CI/CD pipeline. If you are building container images, you can easily plug in vulnerability scanning right into your favorite CI/CD tool from an existing security vendor. Here are more ways you can learn more about Container Registry vulnerability scanning:
We hope you will join us!