Author: PT. Tabeldata Informatika
Best practices for scanning images
Hi everyone. In this lesson we will cover scanning the Docker images we have built, together with the best practices around it. These are the topics we will go through:
- Vulnerability images
- How to scan using the CLI
- Choose the right base image
- Scan images during development & production
OK, let's go straight to the first topic.
Vulnerabilities in Docker images
After we have built a Docker image, what should we do next? Push it straight to the registry? Hold on a moment: first take a look at the security issues inside the image. Is the image we just built actually safe?
Vulnerability scanning for local Docker images allows developers and development teams to review the security state of their container images and take action to fix the issues identified during the scan, resulting in more secure deployments. Docker Scan runs on the Snyk engine, giving users visibility into the security posture of their local Dockerfiles and local images.
Users trigger vulnerability scans through the CLI, and use the CLI to view the scan results. The scan results contain a list of Common Vulnerabilities and Exposures (CVEs), the sources, such as OS packages and libraries, versions in which they were introduced, and a recommended fixed version (if available) to remediate the CVEs discovered.
How to scan using the CLI
The `docker scan` command allows you to scan existing Docker images using the image name or ID; for example, `docker scan hello-world` scans the hello-world image. Running `docker scan --help` first shows the available options:
```
➜ 07-dockerfile docker scan --help

Usage:  docker scan [OPTIONS] IMAGE

A tool to scan your images

Options:
      --accept-license    Accept using a third party scanning provider
      --dependency-tree   Show dependency tree with scan results
      --exclude-base      Exclude base image from vulnerability scanning (requires --file)
  -f, --file string       Dockerfile associated with image, provides more detailed results
      --group-issues      Aggregate duplicated vulnerabilities and group them to a single one (requires --json)
      --json              Output results in JSON format
      --login             Authenticate to the scan provider using an optional token (with --token), or web base token if empty
      --reject-license    Reject using a third party scanning provider
      --severity string   Only report vulnerabilities of provided level or higher (low|medium|high)
      --token string      Authentication token to login to the third party scanning provider
      --version           Display version of the scan plugin
```
Now let's run `docker scan` against the last image we built, `dimmaryanto93/centos:1.8`. We pass `--file Dockerfile` so the scanner can attribute findings to layers, and `--exclude-base` so the count covers only the layers we added on top of the base image (the base image's own findings are then reported separately, not folded into the total). The output looks like this:
```
➜ 07-dockerfile docker scan --exclude-base --file Dockerfile dimmaryanto93/centos:1.8

Testing dimmaryanto93/centos:1.8...

Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|dimmaryanto93/centos
Docker image:      dimmaryanto93/centos:1.8
Platform:          linux/amd64
Base image:        php:7.3-apache

Tested 176 dependencies for known vulnerabilities, found 0 vulnerabilities.

Base Image        Vulnerabilities  Severity
php:7.3-apache    158              18 high, 11 medium, 129 low

Recommendations for base image upgrade:

Alternative image types
Base Image             Vulnerabilities  Severity
php:7.3-fpm-buster     141              13 high, 9 medium, 119 low
php:7.3.28-cli-buster  141              13 high, 9 medium, 119 low
php:7.3.28-zts-buster  141              13 high, 9 medium, 119 low
php:8-buster           148              13 high, 9 medium, 126 low

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
```
Choose the right base image
The first step towards achieving a secure image is to choose the right base image. When choosing an image, ensure it is built from a trusted source and keep it small.
Docker Hub has more than 8.3 million repositories. Some of these images are Official Images, which are published by Docker as a curated set of Docker open source and drop-in solution repositories.
When building your own image from a Dockerfile, ensure you choose a minimal base image that matches your requirements. A smaller base image not only offers portability and fast downloads, but also shrinks the size of your image and minimizes the number of vulnerabilities introduced through the dependencies.
Rebuilding your own image from a Dockerfile: a Dockerfile contains a set of instructions which allow you to automate the steps you would normally take (manually) to create an image. It can also import libraries and install custom software; these appear as instructions in the Dockerfile. The image you build is a snapshot at that moment in time. When you depend on a base image without a tag, you get a different base image every time you rebuild, and when you install packages using a package installer, a rebuild can change the image drastically. For example, a Dockerfile containing the following entries can potentially have a different binary with every rebuild.
We recommend that you rebuild your Docker image regularly so that it picks up the fixes for known vulnerabilities that have already been addressed. When rebuilding, use the `--no-cache` option to avoid cache hits and to ensure a fresh download.
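To turn the advice above (a trusted, minimal base image, pinned so that a rebuild gives the same result) into a repeatable check, here is a small Dockerfile linter. It is an added example written for this post, not code from Docker or Snyk. The rules are this example's own heuristics: flag base images with no tag or with `:latest` as errors, treat a tag-only pin as a warning because a tag can be re-pushed, accept a digest pin, skip `scratch` and earlier build stages, and warn on `apt-get install` lines that pin no `=version`. The sample Dockerfile and its digest are constructed for the demo.

```python
import re

# Matches "FROM [--platform=...] image[:tag|@digest] [AS alias]" (case-insensitive).
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# Heuristic for package installs whose result drifts between rebuilds.
APT_INSTALL_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*install\b")

# Constructed sample Dockerfile (not from the post); the digest is a placeholder.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""\
FROM ubuntu:latest
RUN apt-get -y update && apt-get install -y python3
FROM php:7.3-apache AS web
COPY . /var/www/html
FROM web
FROM alpine
FROM php:7.3-apache@{FAKE_DIGEST}
"""


def classify_base(ref, known_stages):
    """Return (level, message) for one FROM reference, or None when it is fine."""
    if ref.lower() == "scratch" or ref in known_stages:
        return None  # empty image or an earlier build stage: nothing to pin
    if "@sha256:" in ref:
        return None  # digest pin: the same bytes on every rebuild
    # Drop registry/namespace (handles "host:5000/name") and look at name[:tag].
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return ("error", f"{ref}: no tag, so it silently resolves to :latest")
    if last.endswith(":latest"):
        return ("error", f"{ref}: ':latest' is a moving target; pin a version tag or a digest")
    return ("warn", f"{ref}: tag pinned but not the digest; the tag can still be re-pushed")


def lint_dockerfile(text):
    """Return a list of (line_number, level, message) findings for a Dockerfile."""
    findings = []
    stages = set()
    for n, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if m:
            verdict = classify_base(m.group("ref"), stages)
            if verdict:
                findings.append((n, *verdict))
            if m.group("alias"):
                stages.add(m.group("alias"))
            continue
        if APT_INSTALL_RE.search(line) and "=" not in line:
            findings.append((n, "warn",
                             "apt-get install without '=version' pins; package set changes on every rebuild"))
    return findings


def has_errors(findings):
    """True when at least one finding is an error (use this to fail a CI step)."""
    return any(level == "error" for _, level, _ in findings)


if __name__ == "__main__":
    results = lint_dockerfile(SAMPLE_DOCKERFILE)
    for n, level, msg in results:
        print(f"line {n}: {level}: {msg}")
    raise SystemExit(1 if has_errors(results) else 0)
```

On the sample input the linter flags lines 1 and 6 as errors (`ubuntu:latest` and an untagged `alpine`), line 3 as a warning (tag but no digest) and line 2 for the unpinned `apt-get install`; the digest-pinned line and the `FROM web` stage reference pass. Running it on a real Dockerfile is `lint_dockerfile(open("Dockerfile").read())`.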
Consider the following best practices when rebuilding an image:
- Each container should have only one responsibility.
- Containers should be immutable, lightweight, and fast.
- Don’t store data in your container. Use a shared data store instead.
- Containers should be easy to destroy and rebuild.
- Use a small base image (such as Linux Alpine). Smaller images are easier to distribute.
- Avoid installing unnecessary packages. This keeps the image clean and safe.
- Auto-scan your image before deploying to avoid pushing vulnerable containers to production.
- Scan your images daily, both during development and in production, for vulnerabilities. Based on the results, automate the rebuild of images if necessary.
Scan images during development & production
Creating an image from a Dockerfile and even rebuilding an image can introduce new vulnerabilities in your system. Scanning your Docker images during development should be part of your workflow to catch vulnerabilities earlier in your development. You should scan images at all stages of the development cycle, and ideally consider automating scans. For example, consider configuring automated scans during the build process, before pushing the image to Docker Hub (or any other registry), and finally before pushing it to a production environment.
Actively checking your container can save you a lot of hassle when a new vulnerability is discovered, which otherwise can put your production system at risk.
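Here is one way to automate the "scan before you push" step from the CLI section and the paragraphs above, as an added example written for this post rather than code from Docker or Snyk. The `run_scan` helper invokes the real `docker scan --json` (with `--group-issues` and `--accept-license`, both listed in the help output earlier), and the gate fails the build when anything at or above a severity threshold is reported, listing which findings already have a fixed version. The shape of the JSON report (a top-level `vulnerabilities` list whose entries carry `id`, `severity`, `packageName`, `version` and `fixedIn`) follows Snyk's JSON layout and is an assumption of this example; the sample report is constructed so the logic runs without Docker. The gate deliberately does not pass `--exclude-base`: for a release decision the base image's vulnerabilities must be counted too.

```python
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1  # fail closed on severities we do not know

# Constructed sample report (not real scan output); ids and versions are placeholders.
SAMPLE_REPORT = {
    "ok": False,
    "dependencyCount": 176,
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "severity": "high", "packageName": "libssl1.1",
         "version": "1.1.1d-0", "fixedIn": ["1.1.1n-0"]},
        {"id": "EXAMPLE-VULN-2", "severity": "high", "packageName": "libc6",
         "version": "2.28-10", "fixedIn": []},
        {"id": "EXAMPLE-VULN-3", "severity": "medium", "packageName": "curl",
         "version": "7.64.0-4", "fixedIn": ["7.64.0-5"]},
        {"id": "EXAMPLE-VULN-4", "severity": "low", "packageName": "bash",
         "version": "5.0-4", "fixedIn": []},
    ],
}


def run_scan(image, dockerfile=None):
    """Run docker scan for a real image and return the parsed JSON report."""
    cmd = ["docker", "scan", "--json", "--group-issues", "--accept-license"]
    if dockerfile:
        cmd += ["--file", dockerfile]  # a Dockerfile gives per-layer detail
    cmd.append(image)
    # docker scan exits non-zero when it finds vulnerabilities; the report is still on stdout.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if not proc.stdout.strip():
        raise RuntimeError(f"docker scan produced no report: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def summarize(report, threshold="high"):
    """Return (counts_by_severity, blocking, fixable) for a scan report.

    blocking: unique vulnerabilities at or above `threshold`
    fixable:  the subset of blocking ones that have a fixed version available
    """
    counts = {}
    blocking, fixable, seen = [], [], set()
    for vuln in report.get("vulnerabilities", []):
        sev = str(vuln.get("severity", "")).lower()
        counts[sev] = counts.get(sev, 0) + 1
        if vuln.get("id") in seen:
            continue  # same issue reached through several dependency paths
        seen.add(vuln.get("id"))
        if SEVERITY_RANK.get(sev, UNKNOWN_RANK) >= SEVERITY_RANK[threshold]:
            blocking.append(vuln)
            if vuln.get("fixedIn"):
                fixable.append(vuln)
    return counts, blocking, fixable


def gate(report, threshold="high"):
    """Return (exit_code, report_lines): 0 when the image may be pushed, 1 otherwise."""
    counts, blocking, fixable = summarize(report, threshold)
    summary = ", ".join(f"{k}={v}" for k, v in sorted(counts.items())) or "none"
    lines = [f"dependencies tested: {report.get('dependencyCount', '?')}",
             f"findings: {summary}"]
    for v in blocking:
        fix = (f" (fixed in {', '.join(v['fixedIn'])})" if v.get("fixedIn")
               else " (no fix available yet)")
        lines.append(f"BLOCKING {v['severity']}: {v['packageName']}@{v['version']} {v['id']}{fix}")
    if blocking:
        lines.append(f"FAIL: {len(blocking)} at or above '{threshold}', "
                     f"{len(fixable)} fixable by upgrading")
        return 1, lines
    lines.append(f"PASS: nothing at or above '{threshold}'")
    return 0, lines


if __name__ == "__main__":
    # Usage: python scan_gate.py IMAGE [Dockerfile]  (runs a real scan);
    # with no arguments the constructed sample report is evaluated instead.
    if len(sys.argv) > 1:
        report = run_scan(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        report = SAMPLE_REPORT
    code, out = gate(report, threshold="high")
    print("\n".join(out))
    sys.exit(code)
```

In a pipeline the script runs right after `docker build` and before `docker push`, with the threshold chosen per environment (for example `medium` for a production deploy). Duplicate ids are counted once so the FAIL line matches what `--group-issues` shows, and a severity the script does not recognise is treated as blocking rather than ignored.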
Periodically scanning your Docker image is possible by using the Snyk monitor capabilities for containers. Snyk creates a snapshot of the image’s dependencies for continuous monitoring. Additionally, you should also activate runtime monitoring.
Scanning for unused modules and packages inside your runtime gives insight into how to shrink images. Removing unused components prevents unnecessary vulnerabilities from entering both system and application libraries. This also makes an image more easily maintainable.
Building secure images is a continuous process. Consider the recommendations and best practices highlighted in this guide to plan and build efficient, scalable, and secure images.
Let’s recap what we’ve learnt in this guide:
- Start with a base image that you trust. Remember the Official image and Verified Publisher badges when you choose your base images.
- Secure your code and its dependencies.
- Select a minimal base image which contains only the required packages.
- Use multi-stage builds to optimize your image.
- Ensure you carefully monitor and manage the tools and dependencies you add to your image.
- Ensure you scan images at multiple stages during your development lifecycle.
- Check your images frequently for vulnerabilities.