Skip to main content

Firewall for Docker

Modern software development relies on Docker containers for their portability and efficiency. As organizations adopt containers, ensuring their compliance with internal security policies is critical. Repository Firewall supports policy enforcement capabilities to containerized applications.

Traditional security scanners lack the ability to actively prevent vulnerable containers from being downloaded to your development environments, leaving a critical gap in your security posture while they perform their analysis.

Repository Firewall analyzes and quarantines Docker containers as they are requested through your container proxy repository, ensuring that only trusted and compliant images are used throughout your development and deployment pipelines.

Benefits of Firewall for Docker

  • Automatic Policy Enforcement for Docker

    Extend your existing Repository Firewall policies to Docker container images by automatically evaluate incoming container images against your policies.

  • Preventing Risky Deployments

    Repository Firewall actively quarantines Docker images that violate your policies, preventing them from being downloaded by developers or deployed to your environments.

  • Streamlined Developer Workflow

    Developers receive immediate feedback on policy violations in the requested Docker images, identifying the specific components within a container that trigger a violation. This enabling them to address issues early in the development cycle, reducing costly rework and accelerating secure software delivery.

  • Simplified Waiver Management

    As individual violations in containers are not addressed by your development teams, failing violations may be waived with a single action for a specific container image. This significantly speeds up the review and approval process for accepting container risk.

Enabling Firewall for Docker

  • Audit and Quarantine

    Audit and quarantine for Firewall for Docker is enabled as you would any other repository.

    See Repository Firewall Getting Started

  • Containers Dashboard

    Repository Firewall includes a unique dashboard for managing your containers and their violations.

    See Containers Dashboard

  • Enable Containerd

    We recommend enabling containerd on your clients to receive the clear custom error response which includes the link to the Docker image report. Clients based on dockerd receive a generic error that looks like a permission error when encountering a quarantined image.

    See Using containerd vs dockerd

  • Optimizing the Container Analysis

    You may greatly reduce the time for each container analysis by following these recommendations for optimizing the temporary directory of Nexus Repository architecture.

    See Optimizing the Container Analysis

Container Analysis Workflow

Repository Firewall performs the following when when a new Docker image is requested from a protected proxy repository. There is a delay in pulling down the container for the first time to allow for the scan to happen.

  1. Analyze the Container Manifest

    Generate a manifest of components found in the container and analyze the manifest for known risk. Repository Firewall's Audit and Quarantine capability must be configured on the Docker proxy repository before requesting an image to analyze.

    See Firewall Audit and Quarantine Capability

  2. Quarantine Risky Containers

    Quarantine the container from being downloaded when a component found in the container has at least one failing violation. Repository Firewall will quarantine containers with a policy violation set to fail on the proxy stage. When a container is quarantined it will not be available for download from the proxy repository.

    See Firewall Quarantine

  3. Containers Dashboard

    Report the status of the container in the containers dashboard.

    See Containers Dashboard section below

  4. Container Report

    Compile a comprehensive violation report of the containers' components.

    See Container Report section below

  5. Waive All Failing Violations

    When viewing the container report, use the button for single-click remediation of any failing violations by your security team to release the container from quarantine. Once released, future requests for the image are downloaded through the proxy.

Supported Functionality

  • Docker for Containers over 90% of images on Docker Hub

    Docker schema 2 (both single and multi-architecture). Does not support scanning OCI or schema 1 at this time.

  • Sonatype does not ingest or retain container data

    The container analysis is performed by temporarily downloading the container locally to the Nexus Repository at the time of the request using Sonatype's built in toolings to precisely identify open source components found in the container.

  • Support proxies of any container registry in Nexus Repository

    Supports containers when proxied from any proxy repository in Nexus Repository, not just Docker Hub. Due to the complexity of analyzing containers, this feature is not supported in Firewall for Artifactory.

Optimizing the Container Analysis

Internal testing has found significant performance differences when running Firewall for Docker depending on the environment used for Nexus Repository. Container analysis occurs locally to the server in a temporary directory and the type of storage used may introduce latency and poor throughput under load. Network-attached or shared file systems such as EFS are likely to result in degraded performance.

  • The best observed performance is when the temporary directory is backed by a local disk.

  • In HA environments, each node requires a dedicated local disk for the temporary scan directory.

  • Customize the temporary directory by setting the following property in the nexus.properties file.

    nexus.firewall.container.workdirectory

    Nexus Repository chooses the tmp directory in your sonatype-work by default. You do not need to change this when the directory is already sitting on a local disk.

    See Configuring the Runtime Environment

Containers Dashboard

Containers analyzed and quarantined are displayed in the containers dashboard view. Selecting a container from this view opens the Container Report.

fw-dashboard-container-view.png

  • Threat / Policy: The highest policy violation found from components in the container

  • Quarantine Time: Timestamp of when the container analysis was performed.

  • Container: The repository path, namespace, image, and tag for the container.

  • Repository: The repository protected by Repository Firewall where the container was requested. Selecting the repository opens the repository results view.

    See Repository Results View

Repository Results for Containers

Similar results to the Container Docker dashboard however the results are only for the repository where the containers are requested.

fw-containers-repository-results.png

Use the filters and navigation to search through the containers analyzed by Repository Firewall.

Container Report

The container report is an audit of all of the components found in the container along sorted by the threat level of the policy violations of the components. When configured to aggregate by components only the highest risk policy violation is shown for the component. A given component many have multiple failing violations that are causing the container to be quarantined.

fw-container-report-view.png

  • Threat/Policy Name: The policy violation with the highest threat risk when aggregated by components.

  • Component: Selecting the component name will navigate to the Component Details Page where you may view the metadata associated with the component and all policy violations. Policy violations may be waived individually or by all violations for the container.

    See Component Details Page

  • Waive All Fail Policy Violations: use this button to waive the violations causing the container to be quarantined.

Waive All Failing Violations

To release a container from quarantine, all of the policy violations set to fail at the proxy level for this repository must have a waiver applied. Waivers may be reviewed and added to each individual violation during a security audit or accepted all at once to release a container critical to your build pipeline.

Consider the following when applying waivers to container violations.

  • The failing violations are listed at the top of the waiver view for reference. These violation may be viewed in detail by navigating back to the container report view and reviewing the component causing the violation.

  • As a best practice, apply a waiver reason and comments as to why the container was waived.

  • The API may be used to waive all failing violations for a container using a single endpoint.

    See Firewall APIs

fw-container-waiver-review.png

Using containerd vs dockerd

The "Use containerd for pulling and storing images" option changes Docker Desktop's underlying image management architecture:

  • When checked (containerd mode): - Uses containerd directly for image operations - Bypasses the traditional Docker daemon for registry interactions - containerd handles HTTP responses from registries more transparently

  • When unchecked (traditional mode): - Uses the legacy Docker daemon architecture - Docker daemon intercepts and processes registry responses - May transform/mask specific error details

This behavior differs as containerd preserves the original HTTP response body from Repository Firewall, showing the detailed quarantine message. The traditional Docker daemon appears to interpret any non-200 response as a generic authentication failure and replaces the specific firewall error with the following:

unauthorized: access to the requested resource is not authorized

This suggests containerd has better error transparency for registry interactions, while the Docker daemon applies more aggressive error normalization that can mask useful debugging information.