Assess Containers During Software Builds with InsightVM

Last updated at Wed, 10 May 2023 19:25:01 GMT

Keeping the modern environment secure is difficult—and container security is a major contributor to this challenge. To help, we recently released the InsightVM Container Assessment CI/CD Plugin. Built to work with Continuous Integration/Continuous Deployment (CI/CD) tools such as Jenkins, this plugin leverages InsightVM to assess containers during a software build.

Identify risk in your containers before they get to production

Between the typically constricted communication between IT, security, and development teams and the ease of spinning up new containers, new services are often deployed without the security team even knowing. However, containers that are pushed to production without being assessed can be a major threat to an organization’s data, system stability, and overall risk.

Improving communication among teams requires breaking down the silos between IT, security, and development. We call this the practice of SecOps. One manifestation of these principles is getting security teams involved in an earlier stage of the software development life cycle (SDLC) by assessing containers for vulnerabilities and using InsightVM as part of the build process. This provides shared visibility across teams and allows for the proactive mitigation of risk before the container goes to production.

Beyond reducing the likelihood of a breach, this also helps organizations prevent downtime, which can occur when container vulnerabilities are leveraged by attackers and when systems need to be retroactively taken offline to address identified weaknesses. Ensuring business continuity and saving time means cost savings for your organization as well.

InsightVM integrates with container registries and assesses the images they store. With the introduction of the InsightVM Container Assessment CI/CD plugin, it is now possible to automatically assess container images before they make it to production, or even to a container registry and are accessed—and possibly downloaded and copied—by your global team. This plugin also provides additional coverage for containers that are not stored in a connected registry but are part of a CI/CD build. We recommend leveraging both solutions simultaneously.

InsightVM Container Assessment CI/CD plugin

To get started with the InsightVM Container Assessment CI/CD plugin, ensure you are using the latest version of InsightVM, follow the setup instructions, and get the plugin from here.

During the setup process, you will configure the thresholds for the plugin, which allows you to determine the stringency appropriate for your organization and whether you will leverage the plugin as a guardrail or gate.

Any assessment performed by the plugin can result in one of the three following build actions:

1. Failed
2. Unstable
3. Passed

You can establish when these build actions are returned by configuring one or many of the thresholds criteria pictured above. For example, they could be triggered if the CVSS V2 score, number of exploitable vulnerabilities, or the Real Risk Score for the container image exceed the thresholds you set.

The appropriate build action to take when the threshold is crossed will depend on your security program.

• To use the plugin as a guardrail: Configure your threshold rules to use the build action of Unstable. When the thresholds are crossed, warnings will be issued and viewable in both InsightVM and Jenkins, but the build will complete.
• To use the plugin as a gate: Set the build actions to Failed. If any of your thresholds are crossed, the Jenkins build will be terminated.

With the plugin installed and your thresholds configured, you will now be able to see the assessment of your container images in the build interface of InsightVM (and Jenkins).

In InsightVM, you can view the rich details of each build job that is leveraging the plugin. When you drill into a build, you have the ability to see how builds have stacked up to any of the threshold criteria over time.

You can also examine how your build compliance compares to each threshold you set.

Containers can be complex from a technology perspective and are often extremely complicated from a human perspective. They uniquely span the responsibilities of all three of the key stakeholders for an effective security program: IT, security, and development. Bringing the security team in earlier in the SDLC is key to breaking down the silos among these teams and encouraging collaboration.