Securing Container Images Using OpenSCAP and Atomic

Paul Klinker
8 min read · Jun 8, 2020

Introduction

Trusting your runtime containers is crucial for widespread adoption of containers, both for new systems and for legacy migrations into a containerized environment. Having a secure supply chain and understanding the provenance of your container images can go a long way toward reducing security concerns, but it is equally important to do your own security validation by looking for vulnerabilities and remediating them when found. One of the ways this can be accomplished is by introducing automated scanning and remediation tools into your CI/CD pipeline. There are a number of good container image scanning tools, including Prisma Cloud (formerly Twistlock), Anchore, and OpenSCAP. In this article we will look at using OpenSCAP to scan containers for vulnerabilities, generate a report of the findings, and then automatically fix many of those findings.

OpenSCAP

Before looking at using OpenSCAP with container images, let’s briefly cover some background on SCAP. SCAP is the Security Content Automation Protocol from the National Institute of Standards and Technology (NIST). SCAP is a “suite of specifications for exchanging security automation content” that enables automation software to scan a system for security compliance. Because it is a suite of specifications, it enables multiple vendors to implement tools using those specifications. The specifications are often referred to as SCAP documents. OpenSCAP is a toolkit that uses SCAP documents to scan and…

Paul Klinker

Paul is a Principal Engineer at ManTech specializing in DevOps and enterprise software development.