Docker image vulnerability scanning
So you’ve crafted a Dockerfile, tested your container on your development workstation, and you’re waiting for the CI/CD pipeline to pick it up. Eventually, pre-prod is updated, the integration tests pass and the functional testers give the green light. Is it now time to roll out to prod? Not so fast.
Docker Image Layers Inheritance
Each batch of files added to an image ends up creating a layer that is appended to the image. Your Docker image is the stack of all these layers, applied in the exact order in which they were originally created. Because layers are stacked rather than merged, a file deleted in a later layer is only masked by a whiteout entry: its bytes are still shipped in the earlier layer, which is why secrets or packages "removed" in a later RUN step still travel with the image.
The same principle applies when you create an image that inherits from a parent image using the FROM directive in your Dockerfile. Your final image will include all the layers of your parent image, augmented with the layers you’ve created yourself.
What if you use a parent image that itself builds on another parent image, which in turn builds on another, until one of them finally starts from a base image like Ubuntu or Alpine? You can see where this is going: you end up inheriting multiple layers of content (files and executables) from upstream images that you have never seen, let alone controlled, yourself.
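To make the inheritance concrete, here is an added example (not code from the original post) that reads two image configs in the OCI/Docker image config format, the JSON that `docker save` writes as the image config, and separates the layers you inherited from those you wrote yourself. It relies on two properties of that format: `rootfs.diff_ids` lists the filesystem layers in order, and a child built `FROM` a parent carries the parent's `diff_ids` as a prefix. The `history` entries are paired with `diff_ids` by skipping entries flagged `empty_layer` (CMD, ENV, ENTRYPOINT and friends add metadata only). The two configs and their digests are constructed sample data, not real images.

```python
import json

# Constructed sample OCI image configs (the JSON that `docker save` writes
# as the image config, or that a registry returns for the config blob).
# Layer digests are placeholders, not real hashes.
BASE_CONFIG = {
    "rootfs": {"type": "layers", "diff_ids": ["sha256:aaaa", "sha256:bbbb"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:rootfs.tar in /"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]", "empty_layer": True},
        {"created_by": "/bin/sh -c apk add --no-cache curl"},
    ],
}

# An image built `FROM` the base: its diff_ids start with the base's diff_ids,
# and its history starts with the base's history, in the same order.
APP_CONFIG = {
    "rootfs": {"type": "layers",
               "diff_ids": ["sha256:aaaa", "sha256:bbbb", "sha256:cccc"]},
    "history": BASE_CONFIG["history"] + [
        {"created_by": "COPY app.py /app/ # buildkit"},
        {"created_by": "ENTRYPOINT [\"python3\" \"/app/app.py\"]", "empty_layer": True},
    ],
}


def layer_table(config):
    """Pair each filesystem layer (diff_id) with the instruction that created it.

    History entries flagged empty_layer (CMD, ENV, ENTRYPOINT, ...) change
    metadata only and consume no diff_id, so they are skipped.
    """
    diff_ids = iter(config["rootfs"]["diff_ids"])
    rows = []
    for entry in config["history"]:
        if entry.get("empty_layer"):
            continue
        try:
            rows.append((next(diff_ids), entry["created_by"]))
        except StopIteration:
            raise ValueError("more filesystem-changing history entries than diff_ids")
    if list(diff_ids):
        raise ValueError("diff_ids without a matching history entry")
    return rows


def split_inherited(child, parent):
    """Split the child's layers into those inherited from parent and its own.

    A child built FROM parent carries the parent's diff_ids as a prefix; if the
    prefix does not match, the images are unrelated (or the child was squashed).
    """
    child_rows = layer_table(child)
    parent_ids = parent["rootfs"]["diff_ids"]
    n = len(parent_ids)
    if [d for d, _ in child_rows[:n]] != parent_ids:
        raise ValueError("child image does not extend the given parent image")
    return child_rows[:n], child_rows[n:]


if __name__ == "__main__":
    inherited, own = split_inherited(APP_CONFIG, BASE_CONFIG)
    print("Inherited from upstream (never written by you):")
    for diff_id, created_by in inherited:
        print(f"  {diff_id}  {created_by}")
    print("Your own layers:")
    for diff_id, created_by in own:
        print(f"  {diff_id}  {created_by}")
```

Run it against real images by loading the config JSON from a `docker save` tarball (or pulling the config blob from the registry) for both the base and the application image; every row in the "inherited" section is content a scanner must cover even though it never appeared in your Dockerfile. Note that the prefix check fails on purpose when an image was squashed or rebuilt from a different base tag, which is itself a useful signal that the lineage you assumed is not the one you shipped.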
What if a security vulnerability is present in any of these upstream layers? We’ll look next at how to detect them. But first, what exactly is a security vulnerability?