Scanning for security vulnerabilities with Pipeline

At Banzai Cloud we always strive to make things simpler and to make complex services available to our customers. We try to reduce the complexity of setting up components and services by automating as much setup as possible - to expose these for users in a transparent, easy to understand manner. This effort led us to introduce integrated services to the Banzai Cloud Pipeline platform. We have already written about what integrated services are, and we also have described a few of them, like automated public DNS management for Kubernetes clusters and cluster expiration.

Banzai Cloud Pipeline is a solution-oriented application platform which allows enterprises to develop, deploy, and securely scale container-based applications in multi- and hybrid-cloud environments. You can easily spin up a cluster on your favorite cloud provider and try the features the platform provides. Integrated services are components available on the platform that are preconfigured with working defaults that provide basic functionality for operating clusters (for example, logging, monitoring, security scan, secret management, DNS, ingress, and backups).

This post describes the security scan integrated service. tl;dr: you can simply enable the security scan integrated service for your cluster and make use of automatic pre-deployment or arbitrary on-demand image vulnerability scans. Many of our clients come from various domains where they need to comply to strict rules and regulations concerning security auditing and regular security upgrades. The security scan integrated service helps them by automating some of these processes.

What is the security scan integrated service

The service scans the container images that make up an application for possible security issues, and allows or denies deploying the application based on the results of the scan. It does so by engaging a service deployed on the Pipeline control plane (Anchore) and configuring a webhook with the desired security policies. After enabling the service, you can also trigger individual image scans to examine vulnerabilities.

You can find more details about the security scan mechanism in our container vulnerability scans and Image validation with Anchoreblog posts.

Enabling the security scan integrated service

Similarly to most of the integrated services, you can enable the security scan integrated service both from the Banzai Cloud Pipeline web interface, and the Banzai Cloud CLI tool.

Using the web interface

1. Log in to your Pipeline web interface. If you don't have a Pipeline platform installed, you can register on our free developer preview installation and create a cluster there.
2. Navigate to Cluster Management, then the cluster you want to configure. A sidebar opens.
3. In the sidebar, click Security scan.
4. If you already have an Anchore engine installation that you want to use, select Use external Anchore engine and specify the URL and the secret used to access the engine.
5. Select the security policy you want to use in the Settings > Policy field.

• Allow all and warn bundle: This policy is the most permissive. One can deploy anything, but it receives feedback about all the deployed images.
• Reject critical bundle: Reject images that contain vulnerabilities with Critical CVSS Severity Rating.
• Reject high bundle: Reject images that contain vulnerabilities with High CVSS Severity Rating.
• Block root bundle: Prevent deploying images that contain apps running with root privileges.
• Deny all images: Reject every image, except the ones explicitly permitted by a whitelist.

1. Specify which namespaces should be scanned. By default, the scanning policy applies to every namespace (except the kubesystem and pipeline-system namespaces that cannot be scanned).
   • To specify the list of namespaces to scan, select Webhook settings > Type > Include, and select the namespaces to scan from the Namespaces field.
   • To specify a list of namespaces to exclude from the scan, and scan every other namespace, select Webhook settings > Type > Exclude, and select the namespaces that should not be scanned from the Namespaces field.
2. Click ACTIVATE or SAVE ALL CHANGES.

Using the Banzai CLI tool

Open a shell and run the following command:

% banzai cluster service securityscan activate

Complete the interactive wizard, or specify the options in a file or on standard input: 

% banzai cluster service securityscan
activate --file - <<EOF { "policy": { "policyId":
"97b33e2c-3b57-4a3f-a12b-a8c0daa472a0" } } EOF

Deactivate the Security scan integrated service

Using the web interface

On the integrated service details page deactivate the service by clicking the deactivate button.

Using the Banzai CLI tool

Open a shell and run the following command:

% banzai cluster service securityscan deactivate

Short example

To demonstrate how to enable and use the security scan integrated service, let's do the following:

1. Spin up a cluster on your favorite cloud provider with Pipeline.

2. Enable the security scan integrated service (use the "built-in" Anchore to keep things simple).

   Note: Select the Deny all images policy (no deployments will be allowed)

3. On the MAIN MENU > Single Cluster deployments page click CREATE, and try to deploy an arbitrary application (helm chart) to the cluster.
4. Since earlier we configured the security scan service to deny every image, the application in the deployments list should be in REJECTED state.

As expected the application is in rejected state.

Conclusion

By enabling the security scan integrated service you can easily ensure that the container images in the applications deployed to your cluster are secure. You can easily customize the security policy to fit the regulations and internal policies of your company. For more details, check out the documentation of the Pipeline integrated services and the security scan integrated service. Thank you for reading this post and please support us by starring our Pipeline GitHub repository, or by trying out the Banzai Cloud Pipeline platform for yourself.

About Banzai Cloud Pipeline

Banzai Cloud’s Pipeline provides a platform for enterprises to develop, deploy, and scale container-based applications. It leverages best-of-breed cloud components, such as Kubernetes, to create a highly productive, yet flexible environment for developers and operations teams alike. Strong security measures — multiple authentication backends, fine-grained authorization, dynamic secret management, automated secure communications between components using TLS, vulnerability scans, static code analysis, CI/CD, and so on — are default features of the Pipeline platform.