Upgrade to Pro — share decks privately, control downloads, hide ads and more …

oSC24 - NeuVector Integration into AWS CodePipe...

Dominik Wombacher
June 28, 2024
Technology
0
21

oSC24 - NeuVector Integration into AWS CodePipeline CI and CD workflow

NeuVector is a open source container security platform. Key strengths are vulnerability and runtime scanning. I demonstrate in this talk how you ensure that only container images without a detected vulnerability move to the next stage in your Pipeline. How you define the baseline of allowed activities of your application. And how you can block the deployment into production if an unexpected behavior at runtime was detected in your testing stage. I'll use AWS CodePipeline, AWS CodeDeploy and AWS CloudFormation. The procedure is applicable to other toolset and Hybrid environments as well.

Dominik Wombacher

June 28, 2024
Tweet

More Decks by Dominik Wombacher

See All by Dominik Wombacher
oSC24 - Pagure CI integration with AWS CodePipeline
wombelix
0
32
oSC23 - Rancher integration with AWS services: possibilities, challenges, outlook.
wombelix
0
79
oSC23 - (open)SUSE ALP prototype on AWS, experimental, but fun!
wombelix
0
87

Other Decks in Technology

See All in Technology
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
Engineer Career Talk
lycorp_recruit_jp
0
160
いざ、BSC討伐の旅
nikinusu
2
780
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
AIチャットボット開発への生成AI活用
ryomrt
0
170
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
380
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k

Featured

See All Featured
4 Signs Your Business is Dying
shpigford
180
21k
RailsConf 2023
tenderlove
29
900
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
A Modern Web Designer's Workflow
chriscoyier
693
190k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Docker and Python
trallard
40
3.1k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k

Transcript

  1. Dominik Wombacher [email protected] wombelix on libera.chat wombelix @wombelix:matrix.org NeuVector CI/CD

    Workflow with AWS CodePipeline Sr. Partner Solutions Architect, AWS @[email protected]

  2. That’s me • Passionate Engineer • Open source contributor •

    bugfixes / features • packager • maintainer • Dog person & Dad Linus loves Geeko

  3. NeuVector Introduction

  4. NeuVector The Full Life-Cycle Container Security Platform

  5. Challenges

  6. NeuVector Features • Vulnerability Scanning

  7. NeuVector Features • Vulnerability Scanning • Admission Control • Violation

    Protection • Threat Detection • DLP and WAF Sensors • Run-time Security • Compliance & Auditing • Endpoint/Host Security • Multi-Cluster Management • Container Quarantine • REST API, Syslog, Webhooks • Package capture • Authentication (LDAP, SAML, OIDC)

  8. Risks to mitigate

  9. Classic CI/CD Workflow Image source: https://docs.aws.amazon.com

  10. Vulnerability scanning Image source: https://open-docs.neuvector.com

  11. Run-time security Network Process File Access

  12. NeuVector CI/CD Workflow Image source: https://docs.aws.amazon.com

  13. Architecture

  14. NeuVector Components • Controller • Enforcer • Manager • Scanner

    • Updater

  15. NeuVector Architecture Image source: https://open-docs.neuvector.com Admin

  16. NeuVector on Amazon EKS

  17. CI/CD Workflow

  18. Walkthrough

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None

  35. Sample code

  36. Sample code

  37. buildspec.yaml

  38. scan.sh

  39. Sample code https://github.com/aws-samples/neuvector-vulnerability-scan-in-aws-codebuild

  40. Happy End? Not yet … The Digest/RepoDigest problem

  41. Digest/RepoDigest problem docker build > NeuVector Scan > Submit report:

    CodeBuild log: ERRO|SCN|main.main: Failed to sumit scan result - error=Submit scan result failed with status code 400 NeuVector log: DEBU|CTL|rest.handlerScanRepositorySubmit: - URL=/v1/scan/result/repository ERRO|CTL|rest.handlerScanRepositorySubmit: Missing image metadate in the request DEBU|CTL|rest.writer.WriteHeader: 400 - Method=POST URL=/v1/scan/result/repository

  42. Digest/RepoDigest problem controller/rest/repository.go#L263 // Sanity check if result.ImageID == ""

    || result.Digest == "" || result.Repository == "" || result.Tag == "" { log.Error("Missing image metadate in the request") restRespErrorMessage(w, http.StatusBadRequest, api.RESTErrInvalidRequest, "Missing image metadate in the request") return }

  43. Digest/RepoDigest problem docker build -t localhost:5000/testcontainer . docker inspect localhost:5000/testcontainer

    "Id": "sha256:a88710f44133fef9e94f7c10cd[...]", "RepoTags": [ "localhost:5000/testcontainer:latest" ], "RepoDigests": [],

  44. Digest/RepoDigest problem docker build -t localhost:5000/testcontainer . docker inspect localhost:5000/testcontainer

    docker push localhost:5000/testcontainer "Id": "sha256:a88710f44133fef9e94f7c10cd[...]", "RepoTags": [ "localhost:5000/testcontainer:latest" ], "RepoDigests": [ "localhost:5000/testcontainer@sha256:021[...]" ],

  45. Digest/RepoDigest workaround Start local registry > docker build > docker

    push to local registry > NeuVector Scan > Submit report

  46. Digest/RepoDigest Bug https://github.com/neuvector/neuvector/issues/1423

  47. Learn more

  48. Virtual Workshop Secure Your CI/CD Pipeline with NeuVector by SUSE

    on AWS • Delivered by AWS and SUSE • Hands-on focused • ~3 hour duration • AWS Account provided • Free of charge, seats limited

  49. Workshop session #1 • July 17th 2024 at 7:30 AM

    PT / 10:30 AM ET

  50. Workshop session #2 • July 30th 2024 at 10:00 AM

    CEST

  51. Thank you! Feedback? Questions? https://pulse.aws/survey/O0RAERVC