Container Image Security in Razorops with Snyk Vulnerability Scanning

Created by Saurabh Singh Singh Yadav, Modified on Tue, 11 Jul 2023 at 11:23 AM by Saurabh Singh Singh Yadav


 

Table of contents:

  1. Introduction

  2. Prerequisites

  3. Why do we need vulnerability scanning of container images?

  4. What is Snyk?

  5. Snyk account setup

  6. Integrate Snyk CLI with Razorops pipeline

  7. Understanding .razorops.yaml

  8. Snyk Dashboard


Introduction:

Container image vulnerability scanning is a critical aspect of modern CI/CD pipelines. By detecting potential security risks, we can ensure the safety of our applications. In this article, we will explore how to seamlessly integrate Snyk, a powerful vulnerability scanner, into the Razorops CI/CD platform for automated image scanning.

Prerequisites:

  1. Project Setup:

    • Fork the repository code from this link: GitHub Link in Snyk branch

    • If you have another project already automated in Razorops, you can use that as well.

  2. Razorops Account:

    • To create your pipeline for the forked project, you will need an account on Razorops.

    • Sign up for an account at Razorops Sign Up.

    • If you need assistance in creating a pipeline in Razorops, refer to this guide: Getting Started Guide.

Why do we need vulnerability scanning of container images?


Containerization has revolutionized software development and deployment by providing a lightweight and scalable solution. However, it also introduces potential security risks. Container images, which serve as the foundation for running applications, can contain vulnerabilities that can be exploited by attackers.

Here are a few reasons why vulnerability scanning of container images is crucial:

  • Identify Security Risks: Vulnerability scanners like Trivy analyze container images to detect security vulnerabilities, outdated libraries, and misconfigurations. By uncovering these risks early on, developers can take proactive measures to mitigate them.

  • Protect Against Attacks: Vulnerabilities in container images can be exploited to gain unauthorized access, execute malicious code, or disrupt application functionality. By scanning and addressing vulnerabilities, we fortify our applications and protect sensitive data.

  • Compliance and Audit Requirements: Many industries have specific compliance regulations that mandate regular security assessments. Vulnerability scanning helps ensure compliance with these standards and provides evidence for audits.

  • Maintain Trust and Reputation: In today's digital landscape, users expect their data to be handled securely. By conducting thorough vulnerability scans, organizations demonstrate their commitment to security, maintain user trust, and safeguard their reputation.

What is Snyk?


Snyk is a widely-used developer-first security platform that helps organizations identify and fix vulnerabilities in their open-source dependencies and container images. It offers powerful vulnerability scanning and monitoring capabilities, providing insights into security risks and helping teams prioritize and address issues effectively. Snyk integrates seamlessly into CI/CD pipelines and development workflows, enabling proactive security practices and ensuring the overall integrity and safety of software applications.


Snyk account setup

  • Create a Snyk account at https://app.snyk.io/login/
  • Create an API token:
    • Go to your Snyk account settings.
    • In the Key field, click "Click to show", then select and copy your API token. Save it for later; it is needed for the Razorops environment variable.


Integrate Snyk CLI with Razorops pipeline


Snyk CLI requires a token to upload data to Snyk. As a best practice, it is recommended not to write the token directly in our code. Instead, we can set the environment variable in the Razorops dashboard, making it accessible from the pipeline runner's environment.


To set the environment variable, follow these steps:

  • Go to the Razorops pipeline dashboard.

  • Click on "Variables" to access the Environment Variables section.

  • Add a new environment variable called SNYK_TOKEN.

  • Set the value of the SNYK_TOKEN to your Snyk token, which you can obtain from your Snyk account.

  • Save the changes.


Understanding .razorops.yaml


The provided .razorops.yaml file describes a CI/CD pipeline configuration for testing a Docker image using Snyk for vulnerability scanning. Here's a breakdown of the file:


tasks:
  test:
    steps:
    - checkout
    - commands:
      - |
        # Install the Snyk CLI (the SNYK_TOKEN environment variable set in the
        # Razorops dashboard is picked up automatically by the CLI)
        curl --compressed https://static.snyk.io/cli/latest/snyk-linux -o snyk
        chmod +x ./snyk

        # Build the image, tagged with the first 8 characters of the commit SHA
        docker build -t saurabh3460/todo-app:${CI_COMMIT_SHA:0:8} -f server/Dockerfile server/
        # Upload the image's dependency snapshot to Snyk for continuous monitoring
        ./snyk container monitor -d saurabh3460/todo-app:${CI_COMMIT_SHA:0:8} --file=server/Dockerfile

Explanation:

  • tasks: This section defines a task named "test".
  • steps: Under the "test" task, there are a series of steps that will be executed in order.
  • checkout: This step retrieves the source code from the repository.
  • commands: This step contains a series of shell commands that will be executed sequentially.
  • Installing Snyk: This command downloads the Snyk CLI by using curl. The downloaded file is named "snyk", and the chmod command makes it executable.
  • docker build: This command builds a Docker image using the specified Dockerfile (server/Dockerfile) and the context directory (server/). The resulting image is tagged with the image name saurabh3460/todo-app and the first 8 characters of the ${CI_COMMIT_SHA} (commit SHA) as a unique identifier.
  • Snyk vulnerability monitor: This command runs the Snyk container monitor on the newly built Docker image. The -d flag specifies the image to be monitored (saurabh3460/todo-app:${CI_COMMIT_SHA:0:8}), and the --file flag specifies the path to the Dockerfile used during the build process (server/Dockerfile).



After a successful pipeline run, the Razorops pipeline dashboard should look like this:

 



In summary, this .razorops.yaml file sets up a CI/CD pipeline task named "test" that performs the following steps: checking out the source code, installing the Snyk CLI, building a Docker image, and scanning the image for vulnerabilities using Snyk's container monitor.



Snyk Dashboard


The Snyk dashboard will display information about the vulnerabilities found in the Docker image "saurabh3460/todo-app:/bin/todo". It will provide an overview of the image, including its creation date, import source, and monitoring status. The dashboard will also show the number of issues and their severity levels, along with details about the specific vulnerabilities detected.





The dashboard also indicates the versions in which each vulnerability was introduced and fixed. For the displayed vulnerability, it shows that it was introduced through "go.mongodb.org/mongo-driver/bson/bsonrw@v1.3.7" and subsequently fixed in "go.mongodb.org/mongo-driver/bson/bsonrw@1.5.1". This information helps developers identify the specific versions where the vulnerabilities were present and the version they should update to in order to resolve the issue.
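The pipeline above only runs `snyk container monitor`, which uploads a snapshot but never fails the build, and the dashboard passage above shows the "introduced in / fixed in" data that a gate would act on. The following is an added example (not part of this article, Razorops or Snyk) of a small gate script a pipeline step could run on the JSON written by `snyk container test --json-file-output=report.json`: it fails the job when a finding at or above a severity threshold has a fix available. The field names (`vulnerabilities[].severity`, `packageName`, `version`, `fixedIn`, `isUpgradable`) are assumed to follow the Snyk CLI JSON output, and the embedded report is constructed sample data.

```python
import json
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample shaped like `snyk container test --json` output.
# Field names are an assumption about the Snyk CLI JSON format.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Example bson decoding issue", "severity": "high",
         "packageName": "go.mongodb.org/mongo-driver/bson/bsonrw", "version": "1.3.7",
         "fixedIn": ["1.5.1"], "isUpgradable": True},
        {"id": "SNYK-EXAMPLE-2", "title": "Example base-image issue", "severity": "critical",
         "packageName": "example-os-lib", "version": "0.1", "fixedIn": [], "isUpgradable": False},
        {"id": "SNYK-EXAMPLE-3", "title": "Example low issue", "severity": "low",
         "packageName": "example-lib", "version": "2.0", "fixedIn": ["2.1"], "isUpgradable": True},
    ]
})


def load_findings(report_json: str) -> List[Dict]:
    """Extract the vulnerability list from a Snyk-style JSON report string."""
    return json.loads(report_json).get("vulnerabilities", [])


def is_fixable(v: Dict) -> bool:
    """A finding is fixable when Snyk lists a fixed version or an upgrade path."""
    return bool(v.get("fixedIn")) or bool(v.get("isUpgradable"))


def gate(findings: List[Dict], threshold: str = "high", fixable_only: bool = True) -> Tuple[int, List[str]]:
    """Return (number of blocking findings, report lines), most severe first."""
    min_rank = SEVERITY_RANK[threshold]
    blocking, lines = 0, []
    for v in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f.get("severity", "low"), 0)):
        rank = SEVERITY_RANK.get(v.get("severity", "low"), 0)
        fixed = ", ".join(v.get("fixedIn") or []) or "no fix yet"
        blocks = rank >= min_rank and (is_fixable(v) or not fixable_only)
        blocking += int(blocks)
        lines.append(f"{'BLOCK' if blocks else 'note '} {v['severity']:<8} {v['id']}: "
                     f"{v['packageName']}@{v['version']} -> fixed in {fixed}")
    return blocking, lines


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    count, report = gate(load_findings(raw))
    print("\n".join(report))
    sys.exit(1 if count else 0)  # non-zero exit fails the pipeline step
```

Unfixable findings (the critical one in the sample) are reported but do not block by default, so the gate is actionable instead of permanently red; pass `fixable_only=False` to block on them too.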




Conclusion:


Integrating Snyk vulnerability scanning into the Razorops CI/CD pipeline provides valuable insights into the security of container images. The Snyk dashboard displays a comprehensive overview of vulnerabilities, including their severity levels, fixability, and exploit maturity. By leveraging this information, developers can prioritize and address vulnerabilities promptly, ensuring the security and stability of their containerized applications. With Snyk's continuous monitoring capabilities, teams can stay proactive in identifying and resolving vulnerabilities throughout the software development lifecycle.

