search

Compliance & Benchmarking

Compliance and benchmarking play vital roles in securing assets - let alone containers. Let us begin by explaining compliance. Compliance is the process of following regulations and standards such as the NIST SP 800-190, a set of standards from the National Institute of Standards and Technology that gives guidance and best practices on container security:

Compliance Framework
Description
URL

NIST SP 800-190

This framework outlines the potential security concerns associated with containers and provides recommendations for addressing these concerns. https://csrc.nist.gov/publications/detail/sp/800-190/final

https://csrc.nist.gov/publications/detail/sp/800-190/finalarrow-up-right

ISO 27001

This framework is an international standard for information security. The standard guides implementing, maintaining and improving an information security management system.

https://www.iso.org/standard/27001arrow-up-right

Please note that you may have to adhere to additional frameworks relevant to your Industry. For example, financial or medical. Regulations exist in all industries. For example, in the medical field, the HIPPA for handling medical data.

Benchmarking, on the other hand, is a process used to see how well an organisation is adhering to best practices. Benchmarking allows an organisation to see where they are following best practices well and where further improvements are needed:

Benchmarking Tool
Description
URL

CIS Docker Benchmark

This tool can assess a container's compliance with the CIS Docker Benchmark framework.

https://www.cisecurity.org/benchmark/dockerarrow-up-right

OpenSCAP

This tool can assess a container's compliance with multiple frameworks, including CIS Docker Benchmark, NIST SP-800-190 and more.

https://www.open-scap.org/arrow-up-right

Docker Scout

This tool is a cloud-based service provided by Docker itself that scans Docker images and libraries for vulnerabilities. This tool lists the vulnerabilities present and provides steps to resolve these.

https://docs.docker.com/scout/arrow-up-right

Anchore

This tool can assess a container's compliance with multiple frameworks, including CIS Docker Benchmark, NIST SP-800-190 and more.

https://github.com/anchore/anchore-enginearrow-up-right

Grype

This tool is a modern and fast vulnerability scanner for Docker images

https://github.com/anchore/grypearrow-up-right

An example of using the Docker Scout tool to analyse a Docker image has been provided in the terminal below. Please note this will need to be installedarrow-up-right beforehand. You can read the Docker Scoutarrow-up-right documentation to learn more.

cmnatic@thm:~# docker scout cves local://nginx:latest
     SBOM of image already cached, 215 packages indexed
     Detected 22 vulnerable packages with a total of 45 vulnerabilities

## Overview
                           Analyzed Image         
────────────────────┼──────────────────────────────
  Target              local://nginx:latest        
    digest            4df6f9ac5341                
    platform         linux/amd64                  
    vulnerabilities     0C     1H    18M    28L   
    size             91 MB                        
    packages         215                          

## Packages and Vulnerabilities
   0C     1H     1M     3L  glibc 2.35-0ubuntu3.1
pkg:deb/ubuntu/glibc@2.35-0ubuntu3.1?os_distro=jammy&os_name=ubuntu&os_version=22.04
     HIGH CVE-2023-4911
      https://scout.docker.com/v/CVE-2023-4911
      Affected range : <2.35-0ubuntu3.4                              
      Fixed version  : 2.35-0ubuntu3.4                               
      CVSS Score     : 7.8                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
    
     MEDIUM CVE-2023-5156
      https://scout.docker.com/v/CVE-2023-5156
      Affected range : <2.35-0ubuntu3.5                              
      Fixed version  : 2.35-0ubuntu3.5                               
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    
     LOW CVE-2016-20013
      https://scout.docker.com/v/CVE-2016-20013
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    
     LOW CVE-2023-4813
      https://scout.docker.com/v/CVE-2023-4813
      Affected range : <2.35-0ubuntu3.5                              
      Fixed version  : 2.35-0ubuntu3.5                               
      CVSS Score     : 5.9                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H  
    
     LOW CVE-2023-4806
      https://scout.docker.com/v/CVE-2023-4806
      Affected range : <2.35-0ubuntu3.5                              
      Fixed version  : 2.35-0ubuntu3.5                               
      CVSS Score     : 5.9                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
PreviousReviewing Docker Images

Last updated