Container Protection
Introduction
As cloud environments grow more reliant on DevOps and continuous integration, container security becomes a crucial part of protecting container registries against cyber threats. When vulnerabilities are found in images already deployed to container registries, fixes and patches often cannot keep pace with how quickly those flaws spread through the software ecosystem. The most effective way to mitigate the risk is to identify vulnerabilities before images are pushed to container registries.
Container Protection detects image vulnerabilities with two approaches: a scan at build time and a regularly scheduled scan of the registry. Compliance audits are also performed regularly on clusters to detect non-compliant settings and recommend fixes.
Registry Image Scan
Container Protection offers vulnerability image scanning for private clouds and for supported container platforms and registries such as Amazon EKS, Google GKE, Azure AKS, Harbor, and OpenShift. The integrated scanner analyzes container images against Common Vulnerabilities and Exposures (CVE), a catalogue of publicly disclosed security flaws, drawing on sources such as the U.S. National Vulnerability Database, the CERT Vulnerability Notes Database, and vendor advisories. Each vulnerability image scan result is reported with a risk score based on the severity of the vulnerabilities found.
For more details, see Container Image.
Security Integration with CI/CD Process
The Kubernetes Agent deployed on a Kubernetes cluster and the FortiCWP Jenkins Plug-in provide image scanning as soon as an image is built, before it is deployed. Container Protection offers customizable CI/CD Integration policies: only images whose findings stay below a preconfigured vulnerability severity threshold are deployed to the container registry, and images with findings at or above that threshold are blocked.
For more details, see CI/CD Integration Protection.
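The gating rule described above, as an added example that is not FortiCWP or Jenkins Plug-in code: a severity-threshold gate evaluated over a scan report. The report shape, the placeholder CVE identifiers (CVE-EXAMPLE-*), the package names and the `allow_unfixed` policy knob are all constructed for illustration; a real scanner's output and policy options differ.

```python
"""Severity-threshold gate for a container image scan result.

Added illustration, not FortiCWP plug-in code. The report below is a
constructed sample (placeholder CVE identifiers, made-up packages) in a
shape this example assumes; real scanner output differs.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordered least to most severe so a threshold can be compared numerically.
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan report (not real CVE data).
SAMPLE_REPORT = {
    "image": "registry.example.com/payments/api:1.4.2",
    "findings": [
        {"cve": "CVE-EXAMPLE-0001", "severity": "High", "package": "libfoo", "fixed_version": "2.3.1"},
        {"cve": "CVE-EXAMPLE-0002", "severity": "Medium", "package": "libbar", "fixed_version": "1.0.7"},
        {"cve": "CVE-EXAMPLE-0003", "severity": "Low", "package": "libbaz", "fixed_version": None},
        {"cve": "CVE-EXAMPLE-0004", "severity": "High", "package": "libqux", "fixed_version": None},
    ],
}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    severity: str
    package: str
    fixed_version: str | None = None  # None: no fixed version published yet


@dataclass(frozen=True)
class GateDecision:
    allowed: bool
    blocking: tuple[Finding, ...]
    reason: str


def load_findings(report: dict) -> list[Finding]:
    """Convert the assumed report shape into Finding records."""
    return [
        Finding(f["cve"], f["severity"], f["package"], f.get("fixed_version"))
        for f in report.get("findings", [])
    ]


def evaluate_gate(findings: list[Finding], threshold: str, *, allow_unfixed: bool = False) -> GateDecision:
    """Block the image if any finding is at or above `threshold`.

    `allow_unfixed=True` (an assumed policy knob) lets findings with no
    published fix through the gate; they still appear in the scan report
    but cannot be remediated by rebuilding, so some policies exempt them.
    Unknown severity labels rank lowest rather than blocking by accident.
    """
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold {threshold!r}")
    limit = SEVERITY_RANK[threshold]
    blocking: list[Finding] = []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower(), 0)
        if rank < limit:
            continue
        if allow_unfixed and f.fixed_version is None:
            continue
        blocking.append(f)
    # Worst finding first so the reason names it.
    blocking.sort(key=lambda f: -SEVERITY_RANK.get(f.severity.lower(), 0))
    if blocking:
        worst = blocking[0]
        return GateDecision(
            False,
            tuple(blocking),
            f"{len(blocking)} finding(s) at or above {threshold}; worst is {worst.cve_id} ({worst.severity})",
        )
    return GateDecision(True, (), f"no findings at or above {threshold}")


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    for threshold in ("critical", "high", "medium"):
        decision = evaluate_gate(findings, threshold)
        print(f"{SAMPLE_REPORT['image']} @ {threshold}: {'ALLOW' if decision.allowed else 'BLOCK'} ({decision.reason})")
```

In a pipeline step the gate's `allowed` value would map to the job's exit status, so a blocked image never reaches the push-to-registry stage.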
Kubernetes Cluster Compliance Audit
Container Protection performs a compliance audit on the Kubernetes cluster using the CIS Kubernetes Benchmark, a set of security best practices for Kubernetes clusters published by the Center for Internet Security (CIS). When the cluster is found to be non-compliant with a CIS Kubernetes Benchmark policy, Container Protection offers either a manual or an automatic remediation for the non-compliant setting.
For more details, see Compliance Assessment.
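The audit-then-remediate flow described above, as an added example that is not Container Protection's code: a small checker that evaluates a kube-apiserver command line against a handful of CIS Kubernetes Benchmark controls and produces a remediated command line. The controls are paraphrased from the benchmark's kube-apiserver section (control numbers are omitted because they change between benchmark versions); the manifest command is a constructed sample in the shape kubeadm writes to /etc/kubernetes/manifests/kube-apiserver.yaml, and the remediation values are the ones the benchmark suggests.

```python
"""Audit kube-apiserver flags against a few CIS Kubernetes Benchmark
controls and produce auto-remediated flags.

Added illustration, not FortiCWP code. SAMPLE_COMMAND is a constructed
`command` list of a kube-apiserver static pod, deliberately misconfigured.
Defaults assumed when a flag is absent match kube-apiserver's own defaults
(anonymous-auth=true, authorization-mode=AlwaysAllow, profiling=true).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

SAMPLE_COMMAND = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--anonymous-auth=true",
    "--authorization-mode=AlwaysAllow",
    "--profiling=true",
    "--secure-port=6443",
]


def parse_flags(command: list[str]) -> dict[str, str]:
    """Turn ['kube-apiserver', '--a=b', '--c'] into {'a': 'b', 'c': ''}."""
    flags: dict[str, str] = {}
    for arg in command[1:]:
        if not arg.startswith("--"):
            continue
        key, _, value = arg[2:].partition("=")
        flags[key] = value
    return flags


def _authz_modes(flags: dict[str, str]) -> list[str]:
    return [m for m in flags.get("authorization-mode", "AlwaysAllow").split(",") if m]


@dataclass(frozen=True)
class Control:
    title: str
    passes: Callable[[dict[str, str]], bool]
    remediation: str          # manual remediation text shown to the operator
    fix: dict[str, str]       # flags applied by auto remediation


CONTROLS = [
    Control("Ensure that the --anonymous-auth argument is set to false",
            lambda f: f.get("anonymous-auth", "true") == "false",
            "Set --anonymous-auth=false in the kube-apiserver manifest",
            {"anonymous-auth": "false"}),
    Control("Ensure that the --authorization-mode argument is not set to AlwaysAllow",
            lambda f: "AlwaysAllow" not in _authz_modes(f),
            "Set --authorization-mode to a value such as Node,RBAC",
            {"authorization-mode": "Node,RBAC"}),
    Control("Ensure that the --authorization-mode argument includes RBAC",
            lambda f: "RBAC" in _authz_modes(f),
            "Include RBAC in --authorization-mode",
            {"authorization-mode": "Node,RBAC"}),
    Control("Ensure that the --profiling argument is set to false",
            lambda f: f.get("profiling", "true") == "false",
            "Set --profiling=false",
            {"profiling": "false"}),
]


@dataclass(frozen=True)
class Result:
    title: str
    passed: bool
    remediation: str


def audit(command: list[str]) -> list[Result]:
    """Evaluate every control; failing results carry the manual fix text."""
    flags = parse_flags(command)
    return [Result(c.title, c.passes(flags), c.remediation) for c in CONTROLS]


def auto_remediate(command: list[str]) -> list[str]:
    """Return a new command list with the fixes for every failing control applied.

    Existing flag order is kept; flags added by a fix are appended.
    """
    flags = parse_flags(command)
    for c in CONTROLS:
        if not c.passes(flags):
            flags.update(c.fix)
    return [command[0]] + [f"--{k}={v}" if v else f"--{k}" for k, v in flags.items()]


if __name__ == "__main__":
    for r in audit(SAMPLE_COMMAND):
        print(f"[{'PASS' if r.passed else 'FAIL'}] {r.title}" + ("" if r.passed else f" -> {r.remediation}"))
    print("remediated:", " ".join(auto_remediate(SAMPLE_COMMAND)))
```

Because kube-apiserver runs as a static pod, the remediated command list corresponds to an edit of the manifest file on each control-plane node, which the kubelet picks up automatically; a real auto remediation must also handle the restart window that edit causes.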