A Pipeline Architecture for Container Security
Siavashi, Ferdos (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2024052716310
Abstract
The use of container technologies has become increasingly popular due to advances in operating system virtualization techniques and the need for agile software development and deployment, but this has also introduced a new security challenge: ensuring the security of container-based development and deployment of applications and services in an automated manner. Securing containerized applications requires significantly different practices than securing traditional application deployments. For example, traditionally, package updates and patches are applied on a running system, but due to the inherently immutable nature of container images, updates require rebuilding the container images. Furthermore, automating security pipelines for containerized applications requires the introduction of new components, such as image builders and scanners, which are not part of traditional security pipelines. Additionally, current processes for validating container security are often not fully automated. This is also apparent at Nokia Oy, where I was tasked with improving the overall container security assessment processes for container-based application deployments, focusing on reducing the time spent on manual assessments, which are error-prone and struggle to keep pace with the constantly evolving security threats. In this work, an automated container security pipeline architecture is proposed and implemented. First, requirements for such a pipeline are listed and analyzed. The architecture is then designed based on the requirement analysis. The resulting pipeline uses a multi-step approach. Mainly, it uses a static container image analysis engine and a global vulnerability database to scan for and discover potential vulnerabilities. It then checks whether the container image meets the organization's security standards and best practices, defined as policy-as-code. The pipeline is implemented based on open-source tools and is integrated into the CI/CD pipeline.
The effectiveness of this pipeline architecture has been tested and validated using a sample web application. The pipeline was shown to automatically discover several vulnerabilities, categorize them in terms of their severity, and decide on admitting or rejecting the application deployment based on the company's security policy. By automating container security validation, this work contributes to the ongoing efforts to strengthen the security and reliability of container deployments in dynamic and complex environments. We hope others take this work as a baseline and improve it with further utilization of event-driven approaches or use it as a data mining platform for data related to container vulnerabilities.
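As an added illustration of the admission step described above (categorize scanner findings by severity, then admit or reject the image against a policy expressed as data), the following is example code written for this page, not code from the thesis or from Nokia's pipeline. The report layout, the CVE identifiers and the policy thresholds are all constructed assumptions; real scanners produce richer reports, and the policy would live in version control rather than in the script.

```python
import json
from collections import Counter

# Constructed sample scan output (not from any real scanner); the shape is an
# assumption modelled loosely on the JSON reports common image scanners emit.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.invalid/webapp:1.2.3",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "fixed_version": "1.1.1"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "fixed_version": None},
        {"id": "CVE-0000-0003", "severity": "HIGH", "fixed_version": "2.0.1"},
        {"id": "CVE-0000-0004", "severity": "MEDIUM", "fixed_version": "0.9"},
        {"id": "CVE-0000-0005", "severity": "LOW", "fixed_version": None},
    ],
})

# Hypothetical organisational policy expressed as data ("policy-as-code"):
# a ceiling per severity, and whether findings with no available fix count.
DEFAULT_POLICY = {
    "max_per_severity": {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 10, "LOW": 50},
    "ignore_unfixed": True,
}

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def categorize(report_json: str, ignore_unfixed: bool) -> Counter:
    """Count findings per severity, optionally skipping ones that have no fix yet."""
    report = json.loads(report_json)
    counts = Counter()
    for v in report.get("vulnerabilities", []):
        if ignore_unfixed and not v.get("fixed_version"):
            continue
        sev = str(v.get("severity", "UNKNOWN")).upper()
        counts[sev if sev in SEVERITY_ORDER else "UNKNOWN"] += 1
    return counts


def admission_decision(report_json: str, policy: dict = DEFAULT_POLICY) -> dict:
    """Admit the image only if every severity count is within its policy ceiling."""
    counts = categorize(report_json, policy.get("ignore_unfixed", False))
    violations = []
    for sev in SEVERITY_ORDER:
        # Severities the policy does not mention get a ceiling of 0 (fail closed).
        limit = policy["max_per_severity"].get(sev, 0)
        if counts.get(sev, 0) > limit:
            violations.append(f"{sev}: {counts[sev]} found, policy allows {limit}")
    return {"admit": not violations, "counts": dict(counts), "violations": violations}


if __name__ == "__main__":
    print(json.dumps(admission_decision(SAMPLE_REPORT), indent=2))
```

With the sample report and default policy the image is rejected because one fixable CRITICAL finding exceeds the ceiling of zero, while the unfixed HIGH and LOW findings are skipped; the `ignore_unfixed` switch is the knob that decides whether "no patch exists yet" blocks a deployment.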