CEO at GOODWITH LLC.
• Family ◦ Wife, one daughter and two sons
• Language ◦ JavaScript / Go / Python / PHP
• PaaS ◦ GCP (GAE, GKE, Firebase), AWS (ECS)
• Image Linter for Security, helping build the best-practice Docker image
• https://github.com/future-architect/vuls ◦ Agent-less VULnerable Scanner, an all-round vulnerability scanner
• https://github.com/aquasecurity/trivy ◦ Simple and comprehensive vulnerability scanner for containers, suitable for CI
OS or Ubuntu
• Container Runtime : gVisor
• Image Registry : GCR
• Docker Daemon : Managed
• Orchestration Tool : needs to be configured
• Container Image : easy to control
It is difficult to control any of them except for the Container Image.
Managed
• Image Registry : ECR
• Container Runtime : Managed
• Docker Daemon : difficult to control
• Orchestration Tool : original tool
• Container Image : easy to control
It is difficult to control any of them except for the Container Image.
[Scanner pipeline diagram: Parse Distribution Version (analyze os-release) → Analyze installed packages (/var/lib/dpkg/..) → Version Matching against the Vulnerability Database]
• Download the image if it doesn't exist in the local image store
• Check each merged file via Filename or Privilege
• Analyze the target merged files
• Match with the product's rules
of the repository is very simple. https://github.com/tomoyamachi/imagecheck-for-gocon
If you try to create a better design, please check aquasecurity/trivy and goodwithtech/dockle.
nginx setting
• Built-in Rule : Use LTSV log format
• Matching : Analyze nginx.conf and nginx/conf.d/
/path/to/project $ go run main.go nginx:latest
2019/10/21 01:49:28 Start assessments...
2019/10/21 01:49:28 etc/nginx/nginx.conf: Expect log format contains "ltsv" but "main;"
Exit status 1
Now we can check the nginx log format!!
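The built-in rule behind that run, as an added example written for this page rather than code from the imagecheck-for-gocon repository: it scans an extracted nginx.conf for access_log directives and reports every one whose format name does not contain "ltsv" (the function names and the sample config are assumptions constructed here).

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample nginx.conf (not from the page). The http-level access_log
// uses the "main" format, the same violation the slide's run reports.
const sampleNginxConf = `http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request"';
    log_format ltsv 'time:$time_local\thost:$remote_addr\treq:$request';
    access_log /var/log/nginx/access.log main;   # violates the ltsv rule
    server {
        access_log /var/log/nginx/app.log ltsv;  # satisfies the rule
        access_log off;                          # no logging, nothing to check
    }
}`

// accessLogFormats returns the format name each access_log directive references.
// A missing format means nginx's default "combined"; "access_log off" is skipped.
func accessLogFormats(conf string) []string {
	var used []string
	for _, line := range strings.Split(conf, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i] // drop trailing comments
		}
		fields := strings.Fields(strings.TrimSuffix(strings.TrimSpace(line), ";"))
		switch {
		case len(fields) >= 3 && fields[0] == "access_log":
			used = append(used, fields[2])
		case len(fields) == 2 && fields[0] == "access_log" && fields[1] != "off":
			used = append(used, "combined")
		}
	}
	return used
}

// checkLTSVLogFormat is the slide's built-in rule: every access_log must use a
// format whose name contains "ltsv". A non-empty result fails the assessment.
func checkLTSVLogFormat(path, conf string) []string {
	var findings []string
	for _, f := range accessLogFormats(conf) {
		if !strings.Contains(strings.ToLower(f), "ltsv") {
			findings = append(findings, fmt.Sprintf("%s: Expect log format contains \"ltsv\" but %q", path, f))
		}
	}
	return findings
}
```

The real tool would feed the merged layer file `etc/nginx/nginx.conf` (and each file under `nginx/conf.d/`) into `checkLTSVLogFormat` and exit with status 1 when any findings come back.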