
Sonatype Container Scanning

What is Sonatype Container?

Sonatype Container (previously known as Nexus Container) is a Kubernetes-native security solution for all phases of the container lifecycle. It protects the container network, processes, and file system by scanning for vulnerabilities and compliance issues from build, to ship, to run. Sonatype Container protects against threats such as vulnerability exploits, zero-day attacks, malware, and insider attacks at Layer 7.

Sonatype Container scans container images from build to production for vulnerabilities and compliance issues/misconfigurations, and uses admission controls to keep vulnerable images from deploying. This lets it automatically create behavior-based security policies, enforce data loss protection, and prevent zero-day malware and network attacks, tunnel breaches, and more.

Prerequisites for Sonatype Container Scanning

How does Lifecycle scan with Sonatype Container?

1. Set environment variables to link your Sonatype Container instance with Sonatype Lifecycle

Environment Variable                          Default Value
NEXUS_CONTAINER_SCANNING_LICENSE              ""
NEXUS_CONTAINER_SCANNING_SCANNER_IMAGE        neuvector/scanner
NEXUS_CONTAINER_SCANNING_REGISTRY_URL         https://registry.hub.docker.com
NEXUS_CONTAINER_SCANNING_REGISTRY_USER        <dockerhub username>
NEXUS_CONTAINER_SCANNING_REGISTRY_PASSWORD    <dockerhub password>
NEXUS_CONTAINER_SCANNING_MOUNT_PATH *         /tmp
NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED    false

* The user running the scan requires write permission to the location specified by NEXUS_CONTAINER_SCANNING_MOUNT_PATH. When the default value is used, write permission to /tmp is required.

Image Scanning

To scan an image hosted in a registry that requires authentication, set the environment variables below with the credentials for that registry. They are distinct from the NEXUS_CONTAINER_SCANNING_REGISTRY_* variables above, which describe the registry holding the scanner image (neuvector/scanner by default).

Both variables are optional when the image is publicly accessible.

Environment Variable                       Example Value
NEXUS_CONTAINER_IMAGE_REGISTRY_USER        <registry_username>
NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD    <registry_password>

2. Execute a scan via the Sonatype CLI scanner or as a build step (with any supported integration tool) by including a target prefixed with "container:"

Running a scan from the Sonatype CLI

1. Navigate to the folder that has the Sonatype CLI.

2. Run the Sonatype CLI. Refer to the examples below:

Example 1 - Scanning a Remote Image:

java -jar nexus-iq-cli.jar -i <your app> -s http://localhost:8070 -a admin:admin123 -t develop container:http://registry.hub.docker.com/library/alpine:3.4

The example above uses release 120 of the Sonatype CLI. `<your app>` is the ID of the Lifecycle application the evaluation runs against (the Jenkins example below uses `test-app`), `localhost:8070` is the location of the Lifecycle Server, `admin:admin123` are the login credentials, `-t develop` selects the develop stage, and the `container:` prefix means the target is a container image rather than a path on disk.

Example 2 - Scanning a Local Image:

java -jar nexus-iq-cli.jar -i <your app> -s http://localhost:8070 -a admin:admin123 container:alpine:3.4

This looks for an image named alpine:3.4 in the local image store and scans it if found. This is useful for scanning an image built locally, before it is pushed to a registry.

Once the scan is complete, you’ll see a link to the results report in your CLI. Copy the link and then paste it into your browser to access the scan results.

Note

You can view container and application scan results in the same report by specifying both as targets in the same CLI command. For example:

java -jar nexus-iq-cli.jar -i <your app> -s http://localhost:8070 -a admin:admin123 -t develop /path/to/application container:<image>
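The two steps above (setting the environment variables, then invoking the CLI with a container: target), gathered into one shell wrapper. This is an added example and not Sonatype's own code: it assumes nexus-iq-cli.jar is in the current directory, reads the Lifecycle login from IQ_USER and IQ_PASSWORD (names chosen here, not CLI variables), and goes slightly beyond the page by running preflight checks for the mount path, for a half-set registry credential pair, and for the SELinux flag described in the FAQ. The CLI's exact report-link wording is not shown on this page, so the link extraction takes the first http(s) URL in the output.

```shell
#!/usr/bin/env bash
# Added example (not Sonatype's code): preflight checks plus a wrapper around the
# Lifecycle CLI container scan. Assumes nexus-iq-cli.jar in the current directory
# and credentials in IQ_USER / IQ_PASSWORD (names chosen here). POSIX sh compatible.
set -eu

# Shared folder between the Lifecycle scanner and the neuvector/scanner container.
MOUNT_PATH="${NEXUS_CONTAINER_SCANNING_MOUNT_PATH:-/tmp}"

# The invoking user must be able to write to the mount path (default /tmp).
check_mount_path() {
  local path="${1:-$MOUNT_PATH}"
  [ -d "$path" ] && [ -w "$path" ]
}

# Credentials for the registry holding the image under scan are optional for a
# public image, but setting only one of the pair is a misconfiguration.
check_image_registry_creds() {
  local user="${NEXUS_CONTAINER_IMAGE_REGISTRY_USER:-}"
  local pass="${NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD:-}"
  if { [ -n "$user" ] && [ -z "$pass" ]; } || { [ -z "$user" ] && [ -n "$pass" ]; }; then
    return 1
  fi
  return 0
}

# The CLI treats a target as a container image only when it carries the
# "container:" prefix: a bare name:tag is looked up in the local image store,
# a registry URL form is scanned from that registry.
container_target() {
  case "$1" in
    container:*) printf '%s\n' "$1" ;;
    *)           printf 'container:%s\n' "$1" ;;
  esac
}

# On an SELinux host the bind mount needs the shared (':z') label, which the CLI
# adds only when NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED=true. Exit status 0
# means "host is Enforcing but the flag is off", i.e. the scan is likely to fail.
selinux_flag_missing() {
  local mode="$1" shared="${2:-false}"
  [ "$mode" = "Enforcing" ] && [ "$shared" != "true" ]
}

# The CLI prints a link to the results report. Its exact wording is not given on
# this page (assumption), so take the first http(s) URL found in the output.
report_link() {
  grep -oE 'https?://[^[:space:]]+' | head -n 1
}

# Run the scan and return the CLI's own exit status, so a CI job that calls this
# fails when the policy evaluation does.
run_scan() {
  local server="$1" app="$2" stage="$3" image="$4" out status=0
  check_mount_path || { echo "error: $MOUNT_PATH is not a writable directory" >&2; return 2; }
  check_image_registry_creds || { echo "error: NEXUS_CONTAINER_IMAGE_REGISTRY_USER and _PASSWORD must be set together" >&2; return 2; }
  if command -v getenforce >/dev/null 2>&1 \
     && selinux_flag_missing "$(getenforce)" "${NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED:-false}"; then
    echo "warning: SELinux is enforcing; set NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED=true" >&2
  fi
  out="$(java -jar nexus-iq-cli.jar -i "$app" -s "$server" \
           -a "${IQ_USER:?}:${IQ_PASSWORD:?}" -t "$stage" \
           "$(container_target "$image")" 2>&1)" || status=$?
  printf '%s\n' "$out"
  printf 'Report: %s\n' "$(printf '%s\n' "$out" | report_link)"
  return "$status"
}

# Usage (run manually; nothing is executed when this file is only sourced):
#   IQ_USER=admin IQ_PASSWORD=... run_scan http://localhost:8070 test-app develop alpine:3.4
```

Keeping the login out of the script body and out of source control is the one change from the page's admin:admin123 examples; the CLI still receives it through -a, so on a shared build agent prefer a dedicated read-only Lifecycle account over the admin user.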

Running a scan from Jenkins

You need a running instance of Jenkins with the Sonatype Platform plugin installed and configured to run policy evaluations in Jenkins.

For this example, test-app is the name of the application we are running the evaluation against, and a scanPattern starting with container: means we are scanning a container image (alpine:3.4 in the example).

Steps to configure:

  1. Open Jenkins, and create a new pipeline project.

  2. In the Pipeline section, enter the example script from below.

  3. Save the pipeline script and then kick off your build in Jenkins.

  4. Once the job is done, you’ll see a link to the results report.

  5. Open the link in your browser to access the scan results.

pipeline {
    agent any

    stages {
        stage('Policy') {
            steps {
                nexusPolicyEvaluation (
                    advancedProperties: '',
                    enableDebugLogging: false,
                    failBuildOnNetworkError: false,
                    iqApplication: selectedApplication('test-app'),
                    iqScanPatterns: [[scanPattern: 'container:http://registry.hub.docker.com/library/alpine:3.4']],
                    iqStage: 'develop',
                    jobCredentialsId: ''
                )
            }
        }
    }
}

Analyze Evaluation results

When scanning container images or registries, Sonatype Lifecycle applies all configured policies and gives you a breakdown, as it does for any other application. The report contains information on the image layers, a breakdown of the container vulnerabilities, and guidance on how to resolve them.

[Figure: container and application results in the same view; example Vulnerability Details window]

The report shows the components identified, any policy violations, and a detailed bill of materials, and also triggers notifications automatically if that feature is enabled.

FAQs

How does Sonatype Lifecycle evaluate containers?

Sonatype Lifecycle leverages Sonatype Container intelligence to directly provide information about your images and registries back in the same familiar Lifecycle report, alongside other application vulnerabilities and evaluation results.

Where can I integrate Sonatype’s container scanning into my SDLC?

Sonatype Container scanning in Lifecycle is currently available in the CLI and in the Jenkins, Bamboo CI, and GitLab CI plugins.

How do I configure the shared folder between the Sonatype Lifecycle scanner and NeuVector?

The environment variable NEXUS_CONTAINER_SCANNING_MOUNT_PATH overrides the shared folder used for communication between the Sonatype Lifecycle scanner and the NeuVector container. It defaults to /tmp if not provided.

How can I scan on a host with SELinux enabled?

The environment variable NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED controls this. Setting it to true adds the ':z' option to the bind mount, which relabels the mounted content so it can be shared among multiple containers. This is required on SELinux hosts, where the default labeling would otherwise block the NeuVector container from accessing the shared folder. See the Docker documentation on bind-mount SELinux labels for details.