Do security scan in your InterSystems IRIS container
There are many options to do a full security scan in your docker images, the most popular option is Anchore community edition.
Anchore will use the main public vulnerabilities databases available, including CVE.
To install Anchore is very ease (source: https://engine.anchore.io/docs/quickstart/), follow the steps:
- Create a folder in your OS and download the anchor docker compose file to the created folder.
curl -O https://engine.anchore.io/docs/quickstart/docker-compose.yaml
docker-compose up -d
- Check docker services availability (services with up status):
- Check Anchore services availability (services with up and the product version in the last row):
docker-compose exec api anchore-cli system status
- Now wait for the vulnerability database sync (about 30 to 120 minutes, depends the internet speed). You can check the progress running this command:
docker-compose exec api anchore-cli system feeds list
- When all files synced, you can begin to use Anchore.
- To do a security scan is simple, but you need to know the docker image name to be scanned. I will scan the last InterSystems IRIS docker image (after add write your docker image name):
# docker-compose exec api anchore-cli image add store/intersystems/iris-community:2020.4.0.524.0 # docker-compose exec api anchore-cli image wait store/intersystems/iris-community:2020.4.0.524.0
- You will see this message until analysis end:
Status: analyzing Waiting 5.0 seconds for next retry.
- With the image added, you can see the analysis status/content, see:
docker-compose exec api anchore-cli image content store/intersystems/iris-community:2020.4.0.524.0
os: available files: available npm: available gem: available python: available java: available binary: available go: available malware: available
- With the status analyzed, it is possible list the current vulnerabilities found, see:
docker-compose exec api anchore-cli image vuln store/intersystems/iris-community:2020.4.0.524.0 all
- Finally to know if the your image passed in the security scan, run:
docker-compose exec api anchore-cli evaluate check store/intersystems/iris-community:2020.4.0.524.0
See more details in this tutorial: https://anchore.com/blog/docker-image-security-in-5-minutes-or-less/.