Microservices are a hot topic in IT circles these days. The idea of a modular approach to system building – where you have numerous, smaller software services that talk to each other instead of monolithic components – has many benefits ...
Aqua Security announced at DockerCon a native Jenkins plug-in for Aqua MicroScanner, the company's free-to-use vulnerability scanner for Docker container images.
The plug-in allows developers to automate vulnerability scanning as part of their build process, even before Docker images are built, stored, and shared.
"As developers continue to discover the benefits of using containers, and new members are joining the community every day, the need to provide easy, automated security scanning increases," said Liz Rice, Technology Evangelist at Aqua. "Since we launched MicroScanner earlier this year, the number one request was for easier automation - which we're now providing with the native Jenkins plug-in."
By building applications based on existing open-source code, developers accelerate the pace of innovation and improve efficiency. However, this 3rd party code introduces potential risks and vulnerabilities, which is why scanning Docker images is highly recommended, and should be performed as much as possible as part of the automated image build processes.
Aqua MicroScanner works by embedding an executable and a step in the Dockerfile, which triggers a scan during the image build. This generates a report of the vulnerabilities found and suggested remediations. Optionally, the developer can choose to automatically fail a build when high severity vulnerabilities are found. This way, images that include vulnerable code are never built, allowing developers to "fail fast" and fix issues before images are stored in registries and deployed in production.
Aqua MicroScanner checks OS packages in Docker images for known vulnerabilities based on multiple aggregated sources, including NVD, vendor security advisories, and information from software developers themselves. In addition, the Aqua Security Research Team further compares and resolves the results to keep track of any updates or differences, and to eliminate false positives.