By 2022, more than 75% of global organizations will be running containerized applications in production (Gartner). Alongside the widespread adoption, there has been a surge in container vulnerabilities, with a 4X increase in reported operating system vulnerabilities in 2018. And yet 80% of developers say they don’t test their container images during development – it’s either not their responsibility, or they are accustomed to someone down the road catching the issues – which makes scaling container security a challenge for fast-growing businesses.
In this module you will learn how to secure your build workflow on Bitbucket Pipes with Snyk. Scanning your Linux-based container project for known vulnerabilities is an important step in securing your environment, because it lets you identify and mitigate those vulnerabilities before the image ships. The exercises in this module use the Snyk Pipe for Bitbucket Pipelines to scan the base image and its dependencies, including:
- The operating system (OS) packages installed and managed by the package manager
- Key binaries: components in image layers that were not installed through the package manager
Based on these results, Snyk provides fix advice and guidance including:
- The origin of each vulnerability in your OS packages and key binaries
- Base image upgrade details, or a recommendation to rebuild the image
- The Dockerfile layer in which the affected package was introduced
- The fixed-in version of the affected OS and key binary packages
Lastly, you will enable Snyk's integration for Amazon Elastic Container Registry (ECR) to continuously scan and monitor your container images.
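As an added illustration (not one of the module's own exercise files), the pipeline below builds an image from the repository's Dockerfile, scans it with the Snyk Pipe and registers it for ongoing monitoring; the pipe version is a placeholder, the image name is constructed, and passing the Dockerfile through EXTRA_ARGS is an assumption about the pipe's options.

```yaml
# bitbucket-pipelines.yml (added example, not the module's own configuration).
# Assumes SNYK_TOKEN is stored as a secured repository variable in Bitbucket.
image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: Build and scan container image
        services:
          - docker
        script:
          # Build from the repository Dockerfile so Snyk can attribute each
          # finding to the layer that introduced the affected package.
          - docker build -t "example-app:${BITBUCKET_COMMIT}" .
          # Scan OS packages and key binaries in the freshly built image.
          - pipe: snyk/snyk-scan:<PIPE_VERSION>   # placeholder: pin a real pipe version
            variables:
              SNYK_TOKEN: $SNYK_TOKEN
              LANGUAGE: "docker"
              IMAGE_NAME: "example-app:${BITBUCKET_COMMIT}"   # constructed image name
              # Assumption: forwarding --file so results include the Dockerfile layer.
              EXTRA_ARGS: "--file=Dockerfile"
              # Fail the build on high severity findings and above; set
              # DONT_BREAK_BUILD to "true" only while triaging a backlog.
              SEVERITY_THRESHOLD: "high"
              DONT_BREAK_BUILD: "false"
              # Publish the findings as a Code Insights report on the pull request.
              CODE_INSIGHTS_RESULTS: "true"
              # Keep a snapshot in Snyk so the image is re-tested as new
              # vulnerabilities are disclosed, not only at build time.
              MONITOR: "true"
```

The pull-request scan is the fast feedback loop; the MONITOR snapshot, together with the ECR integration described above, covers vulnerabilities disclosed after the image was built.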
*Snyk Blog - Putting container security in the hands of developers