I'm excited to preview the results of our latest efforts to dramatically reduce the time from container vulnerability disclosure to resolution. Some of you may have read my blog post in January advocating Black Duck’s work with the Red Hat OpenShift Container Platform. The goal of that effort was simple — provide visibility into the open source risks associated with containers deployed in OpenShift. This simple requirement is of immense value to any organization deploying containerized applications in production. Putting this into perspective, ask yourself this question, “If a security vulnerability were disclosed an hour ago, how many of our containers would be impacted?”
Starting today, OpenShift administrators have a simple method to answer this question. Black Duck Hub integrates with OpenShift to automatically scan the images in your cluster and identify open source components and associated risks. After installing the integration, wait for the image scans to complete, then remedy any risks identified. Once you have remedied the risks, you can identify the impact of any changes in risk using native OpenShift commands.
For example, any images impacted by a risk policy defined within Hub can be readily identified using the following command:
oc describe images -l "com.blackducksoftware.image.has-policy-violations=true"
Identify Container Vulnerabilities
One of the policy items that can be defined in Hub relates to security vulnerabilities. Security disclosures in open source components were released at an average rate of almost a dozen per day in 2016. While these disclosures may cover well-recognized components, common open source development practices such as forking and embedding tend to widen the impact of a disclosure, because the vulnerable code is carried into components that no longer share the original's name or version. Remediation of any disclosure starts with clearly identifying which container images include the vulnerable component. From this list of impacted images, application owners and deployed containers are readily identified. Armed with this knowledge, OpenShift administrators and application owners can move from disclosure through impact assessment to remediation in a matter of hours. Importantly, once an image is scanned by Black Duck Hub, there is no need to rescan it for each new disclosure and no requirement to modify the image: Hub retains the inventory of components it found in the image and matches new disclosures against that inventory. Note that a rebuilt image is a new image with a new digest, so it is scanned when it first appears in the cluster.
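The step from "flagged images" to "deployed containers" can be scripted against the objects OpenShift already exposes. The following is an added example, not Black Duck's or Red Hat's code: it joins the policy label from the `oc describe images` command above (applied to Image objects) to the image digests reported in each pod's container status, which is the same question "how many of our containers would be impacted?" answered programmatically. It assumes the standard JSON shape of `oc get images -o json` and `oc get pods --all-namespaces -o json`; the two documents embedded below are constructed samples with shortened digests, and the registry, namespaces and pod names are invented for illustration.

```python
"""Map Black Duck Hub policy labels on OpenShift Image objects to the pods
that are actually running those images.

Added example, not Black Duck's or Red Hat's code. Assumes the list-object
shape of `oc get images -o json` and `oc get pods --all-namespaces -o json`.
The sample documents are constructed; digests are shortened for readability
(real sha256 digests are 64 hex characters).
"""
import json
import re

# Label key from the `oc describe images -l ...` command in the post.
POLICY_LABEL = "com.blackducksoftware.image.has-policy-violations"
DIGEST_RE = re.compile(r"(sha256:[0-9a-f]+)")

# Constructed sample of `oc get images -o json`: one flagged image, one
# explicitly clean, one never labelled (e.g. scan not finished yet).
IMAGES_JSON = """{
  "kind": "ImageList",
  "items": [
    {"metadata": {"name": "sha256:1111aaaa",
                  "labels": {"com.blackducksoftware.image.has-policy-violations": "true"}},
     "dockerImageReference": "registry.example.com/shop/web@sha256:1111aaaa"},
    {"metadata": {"name": "sha256:2222bbbb",
                  "labels": {"com.blackducksoftware.image.has-policy-violations": "false"}},
     "dockerImageReference": "registry.example.com/shop/db@sha256:2222bbbb"},
    {"metadata": {"name": "sha256:3333cccc"},
     "dockerImageReference": "registry.example.com/shop/cache@sha256:3333cccc"}
  ]
}"""

# Constructed sample of `oc get pods --all-namespaces -o json`; the last pod
# has not started, so it carries no containerStatuses.
PODS_JSON = """{
  "kind": "PodList",
  "items": [
    {"metadata": {"namespace": "shop-prod", "name": "web-1-abcde"},
     "status": {"containerStatuses": [
        {"name": "web", "imageID": "docker-pullable://registry.example.com/shop/web@sha256:1111aaaa"}]}},
    {"metadata": {"namespace": "shop-prod", "name": "db-1-fghij"},
     "status": {"containerStatuses": [
        {"name": "db", "imageID": "docker-pullable://registry.example.com/shop/db@sha256:2222bbbb"}]}},
    {"metadata": {"namespace": "shop-staging", "name": "web-3-klmno"},
     "status": {"containerStatuses": [
        {"name": "web", "imageID": "docker-pullable://registry.example.com/shop/web@sha256:1111aaaa"},
        {"name": "sidecar", "imageID": "docker-pullable://registry.example.com/shop/cache@sha256:3333cccc"}]}},
    {"metadata": {"namespace": "shop-staging", "name": "pending-1-pqrst"},
     "status": {}}
  ]
}"""


def load_sample():
    """Parse the constructed sample documents (stand-in for reading oc output)."""
    return json.loads(IMAGES_JSON), json.loads(PODS_JSON)


def flagged_images(images_doc):
    """Return {digest: image reference} for images Hub labelled as violating policy.

    Programmatic equivalent of
    oc describe images -l "com.blackducksoftware.image.has-policy-violations=true"
    """
    flagged = {}
    for item in images_doc.get("items", []):
        labels = item.get("metadata", {}).get("labels") or {}
        if labels.get(POLICY_LABEL) == "true":
            flagged[item["metadata"]["name"]] = item.get("dockerImageReference", "")
    return flagged


def impacted_containers(images_doc, pods_doc):
    """Return sorted (namespace, pod, container, digest) for every running
    container whose image digest carries the policy-violation label.

    Matching uses the digest in status.containerStatuses[].imageID rather than
    spec.containers[].image, because a tag such as :latest can point at a
    different image than the one the kubelet actually pulled.
    """
    flagged = flagged_images(images_doc)
    hits = []
    for pod in pods_doc.get("items", []):
        meta = pod["metadata"]
        for cs in pod.get("status", {}).get("containerStatuses") or []:
            m = DIGEST_RE.search(cs.get("imageID", ""))
            if m and m.group(1) in flagged:
                hits.append((meta["namespace"], meta["name"], cs["name"], m.group(1)))
    return sorted(hits)


def run_sample():
    """Run the join over the constructed samples."""
    images, pods = load_sample()
    return impacted_containers(images, pods)


if __name__ == "__main__":
    for ns, pod, container, digest in run_sample():
        print(f"{ns}/{pod} container={container} image={digest}")
```

In a real cluster the two documents would come from `oc get images -o json` and `oc get pods --all-namespaces -o json`, both of which need cluster-wide read access; the output gives the list of affected pods (and, through their namespaces, the application owners) that the post describes as the starting point for remediation.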
If you would like early access to container image scanning powered by Black Duck for OpenShift, please request entry in our Tech Preview.