Skip to main content

Sonatype Container Security

Sonatype Container Security is a comprehensive security solution for the entire container build time pipeline; safeguarding your containerized applications by protecting them with unmatched vulnerability detection and automatic policy enforcement during build time.

  • Integrates within CI/CD pipelines to scan and report CVE vulnerabilities within container images

  • Scan early in the development process to prevent vulnerable images from deploying

Prerequisites for Sonatype Container Security

  • A license for Sonatype Container Security is needed for support

  • MacOS or Linux

  • A running instance of the docker client

  • Environment variables as needed

Note

Container scanning using Windows OS is not supported. The Azure Devops plugin supports container security build time container: scanning, provided the agent uses macOS or Linux and the other prerequisites are met.

Windows users should refer to Docker Container Analysis)

Scanning with Sonatype Container Security

Sonatype Container Security uses the docker client to analyze the container as a scan target when using a Lifecycle scanner. Environment variables may need to be configured depending on where the image is located and which scanner you use.

Scanning a local image

This will look for an image in your local docker instance and scan it when found. This is useful for scanning images built locally and before pushing them to a registry.

Scanning a local image using the default configuration does not require setting environment variables. Use the container:<image>:<version> format as the scan target.

container:alpine:3.4

Example with the Sonatype CLI

java -jar nexus-iq-cli*.jar \
  -a admin:admin123 \
  -i test-app \
  -t build \
  -s http://localhost:8070 \
  container:alpine:3.4

Refer to the Sonatype CLI documentation for parameter details.

Scanning an application along with the container

Analyze an application and container at the same time by specifying both as targets in the CLI command. Use a space between the path to the application and the container.

/app_path container:alpine:3.4

Example with application binary and base container

java -jar nexus-iq-cli*.jar \
  -a admin:admin123 \
  -i test-app \
  -t build \
  -s http://localhost:8070 \
  ./my_application.war container:alpine:3.4

Scanning a remote image

Include the container's url to scan an image stored on a remote server. We recommend you set the registry's username and password environment variables to authenticate on the remote registry. Credentials are required for private images.

export NEXUS_CONTAINER_IMAGE_REGISTRY_USER=anyuser
export NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD=xxxxxxxxxxxxxx
java -jar nexus-iq-cli*.jar \
  -a admin:admin123 \
  -i test-app \
  -t build \
  -s http://localhost:8070 \
  container:http://registry.hub.docker.com/library/alpine:3.4

Running a scan from Jenkins

You need a running instance of Jenkins with the Sonatype Platform plugin installed and configured to run policy evaluations in Jenkins.

For this example, the scanPattern of container: is used to target the container.

  1. Create a new pipeline project in Jenkins

  2. Enter and update the example script from below into the Pipeline section

  3. Save the pipeline script and run the build in Jenkins

  4. Once complete, follow the link to the results report

pipeline {
  agent any

  stages {
    stage('Policy') {
      steps {
        nexusPolicyEvaluation (
          advancedProperties: '', 
          enableDebugLogging: false,
          failBuildOnNetworkError: false,
          iqApplication: selectedApplication('test-app'),
          iqScanPatterns: [
            [scanPattern: 'container:http://registry.hub.docker.com/library/alpine:3.4'],
            [scanPattern: '**/my_application.war']
          ], 
          iqStage: 'build',
          jobCredentialsId: ''
        )
      }
    }
  }
}

These environment variables are to set the authentication to remote servers.

Environment Variable

Example Value

NEXUS_CONTAINER_IMAGE_REGISTRY_USER

<registry_username>

NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD

<registry_password>

These environment variables may be set to override the default configuration.

When using the mount path for Sonatype Container, the user requires write permissions to the location specified at the mount path. Write permission to /tmp is required when the default value is used.

Environment Variable

Default Value

NEXUS_CONTAINER_SCANNING_LICENSE

""

NEXUS_CONTAINER_SCANNING_SCANNER_IMAGE

neuvector/scanner

NEXUS_CONTAINER_SCANNING_REGISTRY_URL

https://registry.hub.docker.com

NEXUS_CONTAINER_SCANNING_REGISTRY_USER

<dockerhub username>

NEXUS_CONTAINER_SCANNING_REGISTRY_PASSWORD

<dockerhub password>

NEXUS_CONTAINER_SCANNING_MOUNT_PATH

/tmp

NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED

false

FAQs

How does Sonatype Lifecycle evaluate containers?

Sonatype Lifecycle leverages Sonatype Container Security to directly provide information about your images and registries back in the same familiar Lifecycle report, alongside other application vulnerabilities and evaluation results.

Where can I integrate Sonatype Container Security scanning into my SDLC?

Sonatype Container Security scanning in Lifecycle is currently available in the CLI and the Jenkins, Bamboo CI, and Gitlab CI plugins.

How do I configure the shared folder between the Sonatype scanner and NeuVector?

The environmental variable NEXUS_CONTAINER_SCANNING_MOUNT_PATH is used to override the shared folder that is used for the communication between the Sonatype scanner and the NeuVector container.

How can I scan with an SELinux image?

Support for the environmental variable NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED. Setting the property to true will include the ':z' option in the request allowing the bind mount content to be shared among multiple containers. This is something that is needed when using SELinux.

Details are found in the Docker documentation.

Why does the component overview page only show one version?

The component overview page only shows one version because NeuVector's provided component identity information does not include other versions of the component data.