Scenario 5
Container Vulnerabilities (10–15 min):
This project is a containerized application based on Python 3.10 (Alpine) intended to be deployed via an orchestrator.
It builds on the upstream base image python:3.10.11-alpine3.182, which is aging and has not been rebuilt in a long time, so it carries known vulnerabilities in its OS packages as well as in the application layer.
NOTE: This project must remain on a python:3.10.X-alpine3.XX tag; do not perform a MAJOR upgrade of Python or Alpine. Patch-level updates of the base image are in scope.
Implementation
- Demonstrate how your platform can scan and find vulnerabilities in the upstream base image.
- Demonstrate how your platform can scan and find vulnerabilities in the resulting (built) application image.
- Demonstrate how your platform can scan and find vulnerabilities and misconfigurations in the Dockerfile.
- Demonstrate how your platform provides guidance toward resolution.
- Demonstrate how your platform implements or suggests vulnerability resolution (i.e., ease of use for developers).
```yaml
# insecure-bank/.github/workflows/branch.yml
      - name: Run Container Scan
        id: container
        run: |
          echo Run Container Scan
          echo "::warning::Must implement a container scanning mechanism."
        shell: bash
```
- If your platform allows local scanning on a developer workstation before code is pushed to the remote repository, demonstrate how this is achieved.
- If your platform allows a "pipeless" scanning mechanism (scanning the registry or repository without a CI run), demonstrate how this is achieved.
- If your platform uses the CI pipeline as a scanning mechanism, make the required change in the branch.yml workflow, keeping id: container for tracking purposes.
NOTE: Use the branch demo/container to track changes in your fork.
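The following is an added example of what the container step could call, not code from the insecure-bank project or from any particular platform. It assumes Trivy is installed on the workstation or CI runner (the same script serves both the local and the pipeline scanning mechanisms), that the application image has been built before it runs, and a hypothetical gating policy of "fail on fixable CRITICAL/HIGH". It scans the upstream base image and the built image, tags each finding as inherited from the base image or introduced by the project's own layers, and orders findings so that one patch-level base-image bump resolves as many as possible without breaking the "no MAJOR upgrade" constraint. The sample report data at the bottom is constructed in Trivy's JSON shape with placeholder IDs, so the prioritization logic can be run offline.

```python
"""Scan the upstream base image and the built application image with Trivy,
then classify and prioritize the findings for the demo/container branch.

Added example for this scenario, not the project's own tooling. Assumes
Trivy (https://github.com/aquasecurity/trivy) is on PATH and that the
application image was built before this runs. Only run_trivy() shells out;
the rest works on Trivy's JSON report and runs offline on the SAMPLE_* data.
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}
GATE_SEVERITIES = {"CRITICAL", "HIGH"}  # policy assumption: these fail the build


def run_trivy(*args):
    """Run a trivy subcommand with JSON output and return the parsed report."""
    cmd = ["trivy", *args, "--format", "json", "--quiet"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def vuln_keys(report):
    """(VulnerabilityID, PkgName) pairs present in a Trivy image report."""
    return {(v["VulnerabilityID"], v["PkgName"])
            for r in report.get("Results", [])
            for v in r.get("Vulnerabilities") or []}


def classify(app_report, base_report):
    """Tag every finding in the built image as inherited from the base image or
    introduced by the project's own layers, then order by severity, whether a
    fix exists, and origin (one base-image bump resolves many findings at once)."""
    inherited = vuln_keys(base_report)
    findings = []
    for r in app_report.get("Results", []):
        for v in r.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"])
            findings.append({
                "id": key[0], "pkg": key[1],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
                "target": r.get("Target", ""),
                "origin": "base-image" if key in inherited else "app-layer",
            })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 4),
                                 0 if f["fixed"] else 1,            # fixable first
                                 0 if f["origin"] == "base-image" else 1))
    return findings


def guidance(f):
    """Resolution hint that respects the 'no MAJOR upgrade' constraint."""
    if not f["fixed"]:
        return "no fixed version published; track upstream rather than suppressing"
    if f["origin"] == "base-image":
        return (f"rebuild on a newer python:3.10.X-alpine3.XX patch tag "
                f"(or `apk upgrade` in the Dockerfile); fixed in {f['pkg']} {f['fixed']}")
    return f"bump {f['pkg']} from {f['installed']} to >= {f['fixed']} in the dependency pins"


def gate_failed(findings):
    """Fail the pipeline only on gated severities that actually have a fix,
    so unfixable findings are reported but do not block every build."""
    return any(f["severity"] in GATE_SEVERITIES and f["fixed"] for f in findings)


def report(findings):
    """Human-readable prioritized list for the App Sec and Developer teams."""
    return [f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} "
            f"[{f['origin']}] -> {guidance(f)}" for f in findings]


# Constructed sample reports in Trivy's JSON shape (placeholder IDs, not real CVEs).
_OS = {"Target": "python:3.10-alpine (alpine 3.18.0)", "Class": "os-pkgs",
       "Vulnerabilities": [
           {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
            "InstalledVersion": "3.1.0-r1", "FixedVersion": "3.1.1-r0", "Severity": "HIGH"},
           {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
            "InstalledVersion": "1.36.0-r9", "FixedVersion": "", "Severity": "LOW"}]}
SAMPLE_BASE = {"Results": [_OS]}
SAMPLE_APP = {"Results": [_OS, {
    "Target": "requirements.txt", "Class": "lang-pkgs",
    "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                         "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                         "Severity": "MEDIUM"}]}]}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scan.py <base-image-ref> <built-image-ref>
        base, app = run_trivy("image", sys.argv[1]), run_trivy("image", sys.argv[2])
    else:                   # no arguments: run on the constructed sample data
        base, app = SAMPLE_BASE, SAMPLE_APP
    found = classify(app, base)
    print("\n".join(report(found)))
    sys.exit(1 if gate_failed(found) else 0)
```

Run with no arguments to see the ordering on the sample data, or with the base and built image references to scan real images; the exit status is what the container step in branch.yml would use to pass or fail the job. The Dockerfile itself is covered by Trivy's misconfiguration scanner (`trivy config Dockerfile`), which can be invoked through the same `run_trivy` wrapper; its report lists `Misconfigurations` rather than `Vulnerabilities`, so it needs its own small classifier rather than the one above.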
What to present
Present how, once your platform is implemented, the Application Security and Developer teams can find and understand container vulnerabilities.
For example, showcase your findings for this project, how they are prioritized, and why those priorities are suggested (severity, availability of a fix, and whether the finding comes from the base image or the application layer). Explain the overall vision for how container vulnerabilities are handled within your platform.