Last updated at Mon, 08 Jul 2019 14:38:14 GMT

Container assessment has been a major focus in InsightVM for some time now. We’ve been identifying Docker hosts and running containers in the environment, assessing container images hosted in registries, and controlling the build status as part of the software development life cycle (SDLC) with our Jenkins plugin for a while.

Taking it a step further, we’re excited to release two new features that improve the flexibility of our container assessment capabilities. Our new Container Registry Sync App and Container Image Scanner for InsightVM enable organizations using on-premises registries and CI/CD tools other than Jenkins to take advantage of InsightVM’s container assessment abilities. In this post, we’ll explain how they work to provide comprehensive end-to-end container security for fast-moving companies.

Meet the new Container Registry Sync app

The Container Registry Sync app is a Docker image that collects metadata about the images in your container registry, adding the ability to assess images stored in on-premises registries.

The Container Registry Sync runs locally and sends information about each container image outbound to InsightVM for assessment. This removes the need to allow incoming connections from the InsightVM cloud.

You can use the Container Registry Sync to:

  • Assess container images stored in on-premises registries without opening your network to InsightVM.
  • Easily manage security controls for outbound data transfer versus inbound data transfer.
  • Only send image metadata to InsightVM, so your proprietary data does not leave your network.
  • Use less bandwidth than registry connections.

During the first scan, the application fingerprints every tagged image in the connected registry, whether or not it is associated with a running container. Recurring scans run every hour by default unless otherwise configured. From then on, only new fingerprints are sent to InsightVM, meaning less data transfer and quicker results. Once fingerprints are collected, they are sent to the Rapid7 Insight platform to be assessed immediately.
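The incremental behaviour described above (fingerprint everything on the first run, then send only fingerprints that have not been sent before) is easy to model. The following is an added example, not Rapid7's Container Registry Sync code: the registry listing is a constructed in-memory dictionary standing in for a real registry API, and the fingerprint function is an assumption chosen so that the same image digest under several tags is sent only once.

```python
"""Incremental fingerprint sync for a container registry (added illustration).

Models the behaviour the post describes: the first run fingerprints every
tagged image; later runs send only fingerprints not already sent. Only
metadata (repository name and image digest) is used, never image contents.
"""
import hashlib

# Constructed sample listings: repository -> tag -> image digest.
# Run 2 adds a new frontend build and moves the "latest" tag onto it.
REGISTRY_RUN1 = {
    "web/frontend": {"1.0": "sha256:aaa", "latest": "sha256:aaa"},
    "web/backend": {"2.3": "sha256:bbb"},
}
REGISTRY_RUN2 = {
    "web/frontend": {"1.0": "sha256:aaa", "1.1": "sha256:ccc", "latest": "sha256:ccc"},
    "web/backend": {"2.3": "sha256:bbb"},
}


def fingerprint(repo, digest):
    """Assumed fingerprint: keyed by repository + digest, not by tag, so an
    image carrying several tags (e.g. 1.0 and latest) is fingerprinted once."""
    return hashlib.sha256(f"{repo}@{digest}".encode()).hexdigest()


def plan_sync(registry, already_sent):
    """Return the (repo, digest, fingerprint) triples that still need sending."""
    to_send = []
    for repo, tags in sorted(registry.items()):
        # Deduplicate tags that point at the same digest before fingerprinting.
        for digest in sorted(set(tags.values())):
            fp = fingerprint(repo, digest)
            if fp not in already_sent:
                to_send.append((repo, digest, fp))
    return to_send


def run_sync(registry, state):
    """Simulate one scheduled run (hourly by default in the post): compute the
    new fingerprints, record them in `state`, and return what would be sent."""
    batch = plan_sync(registry, state)
    state.update(fp for _, _, fp in batch)
    return batch


if __name__ == "__main__":
    sent = set()
    for name, listing in (("run 1", REGISTRY_RUN1), ("run 2", REGISTRY_RUN2), ("run 3", REGISTRY_RUN2)):
        batch = run_sync(listing, sent)
        print(f"{name}: sending {len(batch)} fingerprint(s)", [(r, d) for r, d, _ in batch])
```

Run 1 sends two fingerprints (one per distinct digest), run 2 sends only the new frontend build, and run 3 sends nothing, which is the bandwidth saving the post refers to. In a real deployment the `state` set would be persisted between runs rather than held in memory.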

Meet the Container Image Scanner

InsightVM’s Jenkins Plugin is a great way to ensure vulnerable container images never make it into production. But what if you aren’t using Jenkins? Enter the new Container Image Scanner.

This functionality—which is itself a container—is easy to use as part of an automated container assessment workflow. You simply pass it a container image tar file; it performs the assessment and sends the results to InsightVM.

You can use the Container Image Scanner to:

  • Automate your container image assessment workflows
  • Send assessment data to the InsightVM cloud for vulnerability analysis
  • Receive results instantly so your team can decide whether a build can proceed

You can choose to use the scanner for automated scanning of all your images built in a CI/CD pipeline, or you could also use it manually for one-off scans, depending on your needs.
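Deciding "whether a build can proceed" from assessment results is the step a pipeline author has to write themselves. The following is an added example and not Rapid7's Container Image Scanner or its output format: the findings list is a constructed assumption with placeholder identifiers, and the policy and exception shapes are assumptions chosen to show a gate that fails on severity thresholds while honouring time-limited risk acceptances.

```python
"""Build gate over container image assessment results (added illustration).

The result shape (a list of findings with an id and a severity) is a
constructed assumption, not the scanner's real output format.
"""
from datetime import date

# Constructed sample assessment of one image tar, as a pipeline step might
# receive it. The ids are placeholders, not real vulnerability identifiers.
SAMPLE_FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "severity": "critical"},
    {"id": "VULN-PLACEHOLDER-2", "severity": "high"},
    {"id": "VULN-PLACEHOLDER-3", "severity": "low"},
]

# Maximum number of findings allowed per severity; severities not listed
# are reported but never block the build.
POLICY = {"critical": 0, "high": 2}

# Accepted-risk exceptions carry an expiry date so a waiver cannot silently
# outlive the review that granted it (placeholder id, constructed date).
EXCEPTIONS = {"VULN-PLACEHOLDER-1": date(2030, 1, 1)}


def gate(findings, policy=POLICY, exceptions=EXCEPTIONS, today=None):
    """Return a decision dict: allowed flag, per-severity violations, waived ids."""
    today = today or date.today()
    counts = {}
    waived = []
    for finding in findings:
        expiry = exceptions.get(finding["id"])
        if expiry is not None and expiry >= today:
            waived.append(finding["id"])   # still in its acceptance window
            continue
        sev = finding["severity"]
        counts[sev] = counts.get(sev, 0) + 1
    violations = {
        sev: counts.get(sev, 0)
        for sev, limit in policy.items()
        if counts.get(sev, 0) > limit
    }
    return {"allowed": not violations, "violations": violations, "waived": waived}


if __name__ == "__main__":
    import sys
    decision = gate(SAMPLE_FINDINGS)
    print(decision)
    # A non-zero exit code is what stops the pipeline stage.
    sys.exit(0 if decision["allowed"] else 1)
```

With the sample data the critical finding is waived until its expiry, the single high finding is within the limit of two, and the build is allowed; once the waiver expires the same findings fail the gate on the critical threshold.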

Better together

While Container Discovery, the Hosted Registries integration, the Jenkins Plugin, Container Registry Sync, and the Container Image Scanner can each be used independently, they can also be used in parallel. As a best practice, we recommend combining them so that vulnerabilities are identified both while container images sit at rest in a registry and during the build process, stopping vulnerable containers before they reach production, where issues could escalate. For example, a defense-in-depth approach ensures that even if a container not stored in your registry makes its way into your CI/CD workflow, it is still evaluated before entering production.

Getting started

Because Docker is so versatile, these two features can be run on anything that can run a Docker image. Hosted on Docker Hub, the images integrate with your InsightVM account, pull only the information they need, and return results quickly. There’s no on-premises installation, setup, or server maintenance required.

These images can be launched as a persistent or semi-persistent service, or on demand for point-in-time scans.

If you’re not yet an InsightVM customer and would like to give these features a spin before buying, sign up for a 30-day free trial here. Existing InsightVM customers can get started right away.
