In this article, I’ll demonstrate developing a continuous integration and continuous delivery (CI/CD) pipeline using AWS Developer Tools, along with Aqua Security‘s open resource container vulnerability scanner, Trivy. You’ll create two Docker pictures, one with vulnerabilities and something without, to understand the capabilities of Trivy and how exactly to send all vulnerability details to AWS Security Hub.

If you’building modern applications re, you might be using containers, or have attempted them. A container is really a standard solution to package your program’s program code, configurations, and dependencies right into a single item. As opposed to virtual machines (VMs), containers virtualize the operating-system compared to the server rather. Thus, the images are usually orders of magnitude smaller sized, plus they quickly start up a lot more.

Like VMs, containers have to be scanned for vulnerabilities and patched like appropriate. For VMs working on Amazon Elastic Compute Cloud (Amazon EC2), you may use Amazon Inspector, a managed vulnerability evaluation service, and patch your EC2 instances as needed then. For containers, vulnerability administration is really a little different. Of patching instead, you ruin and redeploy the container.

Several container deployments use Docker. Docker uses Dockerfiles to define the commands you utilize to create the Docker image that types the foundation of your container. Of patching set up instead, you rewrite your Dockerfile to indicate more up-to-date base pictures, dependencies, or both also to rebuild the Docker picture. Trivy tells you which dependencies in the Docker picture are vulnerable, and which edition of these dependencies are more time vulnerable no, enabling you to quickly know very well what to patch to access a secure state back again.

Solution architecture

Amount 1: Solution architecture

Here’s the way the solution works, seeing that shown in Figure 1:

1. Developers push Dockerfiles along with other code to AWS CodeCommit.
2. AWS CodePipeline automatically begins an AWS CodeBuild build that runs on the build specification file to set up Trivy, create a Docker picture, and scan it during runtime.
3. AWS CodeBuild pushes the construct logs in close to real-time to an Amazon CloudWatch Logs team.
4. Trivy scans for several vulnerabilities and sends them to AWS Security Hub, of severity regardless.
5. If zero critical vulnerabilities are located, the Docker images are usually deemed to possess passed the scan and so are pushed to Amazon Elastic Container Registry (ECR), in order to be deployed.

Note: CodePipeline supports different resources, such as for example Amazon Simple Storage Service (Amazon S3) or GitHub. If you’re more comfortable with those ongoing services, feel absolve to substitute them because of this walkthrough of the perfect solution is.

To deploy the answer quickly, you’ll make use of an AWS CloudFormation template to deploy just about all needed services.

Prerequisites

1. You will need to have Security Hub enabled in the AWS Region where you deploy this solution. In the AWS Management Console, head to AWS Safety Hub, and choose Enable Protection Hub.
2. You will need to have Aqua Security integration enabled inside Security Hub in your community where you deploy this solution. To take action, visit the AWS Safety Hub gaming console and, on the remaining, select Integrations, seek out Aqua Security, and select Accept Results.

Setting up

For this phase, you’ll deploy the CloudFormation template and carry out preliminary set up of the CodeCommit repository.

1. Download the CloudFormation template from GitHub and develop a CloudFormation stack. To learn more on how to develop a CloudFormation stack, see Getting Started with AWS CloudFormation.
2. After the CloudFormation stack completes, visit the CloudFormation console and choose the Resources tab to start to see the sources created, as shown in Figure 2.

Setting upward the CodeCommit repository

CodeCommit repositories need a minumum of one document to initialize their get better at branch. Without a document, you can’t work with a CodeCommit repository as a supply for CodePipeline. To produce a sample file, perform the following.

1. Move to the CodeCommit console and, in the still left, select Repositories, and select your CodeCommit repository.
2. Scroll to underneath of the page, choose the Add Document dropdown, and choose Create document then.
3. In the Create a file screen, enter readme in to the text body, title the file readme.md, enter your name while Author name as well as your Email address, and select Commit modifications, as shown inside Figure 3.
   Figure 3: Developing a file inside CodeCommit

Simulate the vulnerable image construct

For this phase, you’ll create the required files and put them to your CodeCommit repository to start out an automated container vulnerability scan.

1. 1. Download the buildspec.yml file from the GitHub repository.
      

      Note: Inside the buildspec.yml program code, the ideals prepended with $ will undoubtedly be populated by the CodeBuild environment variables you created previous. Also, the command trivy -f json -o outcomes.json –exit-code 1 will fail your construct by forcing Trivy to come back an exit program code 1 upon getting a critical vulnerability. You can include additional severity levels right here to push Trivy to fail your builds and guarantee vulnerabilities of lower intensity are not released to Amazon ECR.

   2. Download the python code document sechub_parser.py from the GitHub repository. This script parses vulnerability information from the JSON document that Trivy generates, maps the info to the AWS Security Finding Format (ASFF), and imports it to Protection Hub then.
   3. Following, download the Dockerfile from the GitHub repository. The program code clones a GitHub repository preserved by the Trivy group which has purposely vulnerable deals that generate essential vulnerabilities.
   4. Go back again to your CodeCommit repository, choose the Add document dropdown menu, and choose Upload document then.
   5. In the Upload file display screen, select Choose document, choose the build specification you merely created (buildspec.yml), complete the Commit changes to grasp section with the addition of the Author title and E-mail address, and choose Commit adjustments, as shown inside Figure 4.

Figure 4: Uploading the file to CodeCommit

• To upload your sechub_parser and Dockerfile.py script to CodeCommit, repeat steps 4 and 5 for every of the files.
• Your pipeline begins in reaction to every new invest in your repository automatically. To check on the status, visit the pipeline status view of one’s CodePipeline pipeline back.
• When CodeBuild begins, select Details in the Build phase of the CodePipeline, under BuildAction, to visit the Build area on the CodeBuild system. To see a blast of logs as your develop progresses, select Tail logs, as shown in Body 5.

  

  Amount 5: CodeBuild Tailed Logs

• After Trivy provides finished scanning your image, CodeBuild shall fail because of the critical vulnerabilities found, as shown in Physique 6.
  

  Be aware: The order specified inside the post-build stage can run even though the CodeBuild construct fails. That is by style and allows the sechub_parser.py script to perform and send findings to Security Hub.

  

  Figure 6: CodeBuild logs failing

You’ll today head to Security Hub to investigate the results and create saved looks for future use further.

Analyze container vulnerabilities inside Security Hub

For this phase, you’ll analyze your container vulnerabilities within Security Hub and utilize the findings view to find info within the ASFF.

1. 1. Move to the Safety Hub gaming console and select Integrations inside the left-hand routing pane.
   2. Scroll right down to the Aqua Protection integration cards and choose See results, as shown inside Figure 7. This filter systems to only Aqua Safety product results in the Results view.
      Determine 7: Aqua Security integration card
   3. You should now see critical vulnerabilities from your own previous scan in the Findings view, as shown in Figure 8. To see additional information of a finding, choose the Title of the vulnerabilities, and you may see the information in the proper side of the Findings view.
      Number 8: Security Hub Findings pane

      Note: Within the Results view, it is possible to apply quick filter systems by checking the container next to certain areas, although you won’t do this for the alternative in this post.

   4. To open a fresh tab to an internet site about the Standard Vulnerabilities and Exposures (CVE) for the finding, choose the hyperlink within the Remediation section, mainly because shown in Figure 9.

      

      Figure 9: Remediation details

      Notice: The areas shown in Figure 9 are usually dynamically populated by Trivy inside its native output, and the CVE website may vary from vulnerability to vulnerability greatly.

start to see the JSON of the entire ASFF

1. To, at the top best of the Findings view, choose the hyperlink for Finding ID.
2. To find info mapped from Trivy, like the CVE name and what the patched version of the vulnerable package deal is, scroll right down to the Additional section, simply because shown in Figure 10.

   

   Shape 10: ASFF, additional

This was a short demonstration of exploring findings with Protection Hub. You may use custom actions to define reaction and remediation actions, such as for example sending these findings to a ticketing program or aggregating them inside a security details event administration (SIEM) tool.

Push a non-vulnerable Dockerfile

Now that you’ ve noticed Trivy perform with a vulnerable picture correctly, you’ll fix the vulnerabilities. Because of this phase, you’ll modify Dockerfile to eliminate any vulnerable dependencies.

1. Open a textual content editor, paste in the program code proven below, and conserve it as Dockerfile. It is possible to overwrite your previous illustration if desired.

   
   FROM alpine:3.7
   RUN apk increase --no-cache mysql-client
   ENTRYPOINT ["mysql"]
           

2. Upload the brand new Dockerfile to CodeCommit, like shown previous in this article.

Clean up

In order to avoid incurring additional fees from working these ongoing services, disable Security Hub and delete the CloudFormation stack right after you’ve finished evaluating this answer. This can delete all assets created in this post. Deleting the particular CloudFormation stack shall not really take away the findings in Safety Hub. If you don’t disable Security Hub, it is possible to archive those results and wait 3 months to allow them to be fully taken off your Security Hub example.

Conclusion

In this article, you learned how exactly to develop a CI/CD Pipeline with CodeCommit, CodeBuild, and CodePipeline for scanning and building Docker pictures for critical vulnerabilities. You also used Protection Hub to aggregate scan results and take action on your own container vulnerabilities.

You now have the abilities to generate similar CI/CD pipelines with AWS Developer Tools also to perform vulnerability scans in your container build procedure. Using these reports, it is possible to efficiently identify CVEs and use your developers to utilize up-to-time binaries and libraries for Docker images. To create upon this solution more, you can modification the Trivy orders in your create specification to fall short the builds on various severity levels of discovered vulnerabilities. As your final suggestion, you may use ECR as a source for a downstream CI/CD pipeline in charge of deploying your newly-scanned pictures to Amazon Elastic Container Service (Amazon ECS).

When you have feedback concerning this post, submit remarks in the Comments section below. Should you have questions concerning this post, start a brand-new thread on the AWS Security Hub forum or contact AWS Support.

Want a lot more AWS Security how-to articles, news, and show announcements? Stick to us on Twitter.