๐ŸŽŸ๏ธ GH ๋ฌธ์ œ๊ฐ€ ์žˆ๋Š” Docker ์ด๋ฏธ์ง€ ๋ณด์•ˆ ์Šค์บ” ์ž๋™ํ™”

7905 words · Tags: devsecops, devops, docker, infosec

โ˜๏ธ ์ปจํ…์ŠคํŠธ



Docker image security is a growing trend. But it is more than a trend: failing to put a proper pipeline in place for image security can end in disaster.

To get there, we adopted the following strategy:
  • use highly secure, well-maintained base images
  • pay close attention to dependency management

  • ์ข…์†์„ฑ ๊ด€๋ฆฌ๋Š” DependaBot ๋•๋ถ„์— ๊ด€๋ฆฌ๋˜๋ฉฐ ๊ฑฐ์˜ "์ฆ‰์‹œ ์‚ฌ์šฉ ๊ฐ€๋Šฅ"ํ•ฉ๋‹ˆ๋‹ค.

    ๋„์ปค ์ด๋ฏธ์ง€์˜ ๊ฒฝ์šฐ ๋” ๋งŽ์€ ์ž‘์—…์ด ์žˆ์Šต๋‹ˆ๋‹ค.

    ๐Ÿ‘‰ ์ด ์งง์€ ๊ฒŒ์‹œ๋ฌผ์—์„œ๋Š” ๋ฆฌํฌ์ง€ํ† ๋ฆฌ ์ค‘์‹ฌ ๋ฐ CI ๊ธฐ๋ฐ˜์˜ ํšจ์œจ์ ์ธ ์ ‘๊ทผ ๋ฐฉ์‹์„ ์–ด๋–ป๊ฒŒ ๊ตฌํ˜„ํ–ˆ๋Š”์ง€ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

📝 Implementation



For Docker image scanning we use Container Scan (a GitHub Action), which is maintained by Anchore.

    Then we wrapped some CI around it so we can monitor security as part of our daily activities.



    โฐ ์Šค์บ” ์˜ˆ์•ฝ



First, there is a scheduled scan. In the code below, the latest tag is scanned:

    name: 🛡️ Scan Docker image latest 🐳
    
    on:
      schedule: ## Schedule the job to run at a particular time.
        - cron:  '0 1 * * 1' ## every Monday at 1:00 AM
    

💥 Use a severity cutoff



    ๋‹ค์Œ์œผ๋กœ ์ค‘์š”ํ•œ ์ทจ์•ฝ์ ์ด ๋ฐœ๊ฒฌ๋œ ๊ฒฝ์šฐ ์˜ˆ์•ฝ๋œ ์ž‘์—…์ด ์‹คํŒจํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.



    ์•„๋ž˜severity-cutoff ๊ตฌํ˜„ ์ฐพ๊ธฐ:

    jobs:
      scan:
        name: 🛡️ Scan image latest
        runs-on: ubuntu-latest
        steps:
          - uses: anchore/scan-action@v3
            id: scan
            with:
             image: optnc/domaine-nc-api:latest
             fail-build: true
             severity-cutoff: critical
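The cutoff is the minimum severity that counts as a failure: findings at or above it fail the build, findings below it are only reported. The following JavaScript is an added illustration, not code from the post or from Anchore's action: it models that rule over a constructed Grype-style report (the `matches[].vulnerability.severity` shape; the vulnerability IDs are placeholders, not real advisories) so the gating decision can be reasoned about before `fail-build: true` is relied on in CI. Listing findings whose severity the scanner reports as Unknown separately, rather than passing or failing them, is a choice made here, not the action's behaviour.

```javascript
// Added example, not code from the post or from anchore/scan-action: a model of
// the `severity-cutoff` rule. Grype severity levels from lowest to highest.
const SEVERITY_RANK = { negligible: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Evaluate a Grype-style report against a cutoff. Findings at or above the cutoff
// are "failing", findings below it are "warnings"; findings whose severity is not
// a known level (Grype emits "Unknown") are listed separately so they are neither
// silently passed nor counted as failures (a choice made here, not the action's).
function evaluateCutoff(report, cutoff) {
  const threshold = SEVERITY_RANK[String(cutoff).toLowerCase()];
  if (threshold === undefined) {
    throw new Error(`severity-cutoff must be one of ${Object.keys(SEVERITY_RANK).join(', ')}, got "${cutoff}"`);
  }
  const failing = [], warnings = [], unknown = [];
  for (const m of report.matches || []) {
    const sev = String(m.vulnerability.severity || '').toLowerCase();
    const line = `${m.vulnerability.id} ${m.artifact.name}@${m.artifact.version} (${sev || 'unknown'})`;
    const rank = SEVERITY_RANK[sev];
    if (rank === undefined) unknown.push(line);
    else if (rank >= threshold) failing.push(line);
    else warnings.push(line);
  }
  return { fail: failing.length > 0, failing, warnings, unknown };
}

// Render the decision as the kind of text the post pastes into the GitHub issue.
function formatDecision(result, cutoff) {
  const lines = [`severity-cutoff: ${cutoff} -> ${result.fail ? 'FAIL' : 'PASS'}`];
  const groups = [['failing', result.failing], ['warnings', result.warnings], ['unknown severity', result.unknown]];
  for (const [label, items] of groups) {
    if (items.length) lines.push(`${label} (${items.length}):`, ...items.map(i => `  - ${i}`));
  }
  return lines.join('\n');
}

// Constructed sample report in Grype's JSON shape; IDs are placeholders, not real advisories.
const SAMPLE_REPORT = {
  matches: [
    { vulnerability: { id: 'CVE-0000-0001', severity: 'Critical' }, artifact: { name: 'openssl', version: '1.1.1' } },
    { vulnerability: { id: 'CVE-0000-0002', severity: 'High' },     artifact: { name: 'curl',    version: '7.0' } },
    { vulnerability: { id: 'CVE-0000-0003', severity: 'Low' },      artifact: { name: 'zlib',    version: '1.2' } },
    { vulnerability: { id: 'GHSA-0000-0000-0000', severity: 'Unknown' }, artifact: { name: 'somelib', version: '0.1' } },
  ],
};

console.log(formatDecision(evaluateCutoff(SAMPLE_REPORT, 'critical'), 'critical'));
console.log(formatDecision(evaluateCutoff(SAMPLE_REPORT, 'high'), 'high'));
```

With `critical` only the openssl finding fails the run and the high one is merely a warning; lowering the cutoff to `high` makes both fail, which is the trade-off the post's choice of `critical` makes explicit.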
    

🎫 Create (or update) an issue



    ๋‹ค์Œ์œผ๋กœ ์Šค์บ” ์ž‘์—… ์‹คํŒจ ์‹œ ๋ฌธ์ œ๋ฅผ ์ƒ์„ฑํ•˜๋ ค๊ณ  ํ•ฉ๋‹ˆ๋‹ค(critical ๋ณด์•ˆ ๋ฌธ์ œ๊ฐ€ ๋ฐœ๊ฒฌ๋˜์—ˆ์Œ์„ ์˜๋ฏธ).

    ์šฐ๋ฆฌ๊ฐ€ ์›ํ•˜๋Š” ๊ฒƒ์€ ์ ์ ˆํ•˜๊ฒŒ ํƒœ๊ทธ๊ฐ€ ์ง€์ •๋œ ๋ฌธ์ œ๋ฅผ ๊ฐ€์ ธ์™€ ์ผ์ƒ ์—…๋ฌด์˜ ์ผ๋ถ€๋กœ ๊ด€๋ฆฌํ•˜๊ณ  ๋ณด๊ณ ์„œ๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ๋„๋ก ํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.

    ๋”ฐ๋ผ์„œ ์šฐ๋ฆฌ๋Š”:
  • ์ผ๋ถ€labels๋ฅผ ์„ค์ •ํ•ฉ๋‹ˆ๋‹ค(๋”ฐ๋ผ์„œ ํ•„ํ„ฐ๋ง์ด ๋” ์‰ฌ์›Œ์ง‘๋‹ˆ๋‹ค), ์˜ˆ: security , docker-scan'
  • ๋งค์ผ ๋™์ผํ•œ ๋ฌธ์ œ๋ฅผ ๋Œ€์ƒ์œผ๋กœ ํ•˜๋Š” ์ˆ˜๋งŽ์€ ๋ฌธ์ œ๋ฅผ ๊ฐ€์ ธ์˜ค๋Š” ๋Œ€์‹  ๋ฌธ์ œ๊ฐ€ ์—…๋ฐ์ดํŠธ๋˜๋„๋ก ์ด๋Ÿฌํ•œ ํŠน์ • ๋ ˆ์ด๋ธ”๊ณผ ์ผ์น˜ํ•˜๋Š” ์ตœ๊ทผ์— ์—ด๋ฆฐ ๋ฌธ์ œ์— ๋Œ€ํ•œ ์ฐธ์กฐ๋ฅผ ๊ฐ€์ ธ์˜ต๋‹ˆ๋‹ค.
  • ๋ชจ๋“  ์š”์†Œ๋ฅผ โ€‹โ€‹ํ•œ ๊ณณ์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋„๋ก ์Šค์บ” ๋ณด๊ณ ์„œ๋ฅผ ๋ฐ›์•„ ๋ฌธ์ œ์— ๋„ฃ์Šต๋‹ˆ๋‹ค.

  • ์•„๋ž˜ ์ฝ”๋“œ๋ฅผ ์ฐพ์œผ์‹ญ์‹œ์˜ค.

          - name: Create/Update an issue of vulnerabilities 🛡️ that have been detected
            if: ${{ failure() }}
            uses: actions/github-script@v6
            with:
              debug: true
              script: |
                const { owner, repo } = context.repo;
                const labels = ['security', 'docker-scan', 'Alert : Docker image scan'];
    
                // get the most recent open issue carrying these labels (if any)
                const existingIssue = (await github.paginate(github.rest.issues.listForRepo.endpoint.merge({
                  owner, repo, state: 'open', labels
                }))).filter(i => i.title.indexOf('Docker image security scan') !== -1)[0];
    
                // create or update the issue
                // NOTE: `steps.scan_report.outputs.report` comes from a report-producing
                // step with id `scan_report`, which is not shown in this post.
                const body = `Workflow failed for commit ${{ github.sha }}.
    
                Following vulnerabilities have been detected :
                \`\`\`
                ${{ steps.scan_report.outputs.report }}
                \`\`\`
                `;
    
                if (existingIssue) {
                  await github.rest.issues.update({ owner, repo, issue_number: existingIssue.number, body });
                } else {
                  await github.rest.issues.create({
                    owner, repo,
                    title: '🛡️ Docker image security scan failed 🛡️',
                    body,
                    labels
                  });
                }
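The same create-or-update logic, as an added example that is not the post's own step: the github-script body is factored into `upsertScanIssue` (a name chosen here) and run twice against a constructed in-memory fake of the Octokit calls it uses. It shows the two properties the bullets above rely on: an open issue carrying all three labels and the marker title is updated in place, while a closed issue or one with only some of the labels is not reused. `fakeGithub`, `demo`, the repository name and the commit values are assumptions for the demonstration; in a real workflow `github` and `context` are provided by actions/github-script.

```javascript
// Added example, not the post's own step: the create-or-update logic of the
// github-script step as a function taking the `github` client and the pieces of
// `context` it needs, so it can be exercised offline against a fake client.
// In a real workflow `github.paginate` and `github.rest.issues.*` come from
// actions/github-script; everything below upsertScanIssue is a constructed stand-in.

const LABELS = ['security', 'docker-scan', 'Alert : Docker image scan'];
const TITLE = '🛡️ Docker image security scan failed 🛡️';
const TITLE_MARKER = 'Docker image security scan';

// Issue body: the failing commit plus the scanner report inside a code fence.
function buildBody(sha, report) {
  return [
    `Workflow failed for commit ${sha}.`,
    '',
    'Following vulnerabilities have been detected :',
    '```',
    report,
    '```',
  ].join('\n');
}

// Reuse the most recent open issue that carries all our labels and the marker
// title; otherwise open a new one. Returns what was done so a caller can check it.
async function upsertScanIssue(github, { owner, repo, sha }, report) {
  // GitHub's `labels` filter is a comma-separated list with AND semantics, so an
  // unrelated open issue labelled only "security" is never a candidate.
  const openIssues = await github.paginate(github.rest.issues.listForRepo, {
    owner, repo, state: 'open', labels: LABELS.join(','),
  });
  const existing = openIssues.find(i => i.title.includes(TITLE_MARKER));
  const body = buildBody(sha, report);
  if (existing) {
    await github.rest.issues.update({ owner, repo, issue_number: existing.number, body });
    return { action: 'updated', number: existing.number };
  }
  const { data } = await github.rest.issues.create({ owner, repo, title: TITLE, body, labels: LABELS });
  return { action: 'created', number: data.number };
}

// Constructed in-memory fake of the Octokit subset used above. Real label objects
// carry a `name`; the fake keeps plain strings to stay short.
function fakeGithub(seed = []) {
  const issues = seed.map(i => ({ ...i, labels: [...i.labels] }));
  let next = issues.reduce((m, i) => Math.max(m, i.number), 0) + 1;
  const listForRepo = async ({ state, labels }) => {
    const wanted = labels.split(',');
    return { data: issues.filter(i => i.state === state && wanted.every(l => i.labels.includes(l))) };
  };
  return {
    paginate: async (method, params) => (await method(params)).data,
    rest: { issues: {
      listForRepo,
      update: async ({ issue_number, body }) => {
        const issue = issues.find(i => i.number === issue_number);
        issue.body = body;
        return { data: issue };
      },
      create: async ({ title, body, labels }) => {
        const issue = { number: next++, title, body, labels: [...labels], state: 'open' };
        issues.push(issue);
        return { data: issue };
      },
    } },
    issues, // exposed so the fake's state can be inspected
  };
}

// Two consecutive failed runs: the first opens an issue, the second updates it.
async function demo() {
  const github = fakeGithub([
    { number: 7, title: 'Unrelated bug', body: '', labels: ['bug'], state: 'open' },
    { number: 9, title: TITLE, body: 'old', labels: LABELS, state: 'closed' }, // closed: must be ignored
  ]);
  const ctx = { owner: 'example-org', repo: 'example-repo' }; // placeholder names
  const report = 'CVE-0000-0001 openssl@1.1.1 (critical)'; // constructed report line
  const first = await upsertScanIssue(github, { ...ctx, sha: 'aaaa111' }, report);
  const second = await upsertScanIssue(github, { ...ctx, sha: 'bbbb222' }, report);
  const openScanIssues = github.issues.filter(i => i.state === 'open' && i.title === TITLE).length;
  return { first, second, openScanIssues };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Note the `state: 'open'` filter: once the team closes the issue after fixing the image, the next failure opens a fresh one rather than reviving the old thread, which keeps each issue tied to one remediation cycle.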
    

👮 Enjoy a clean issue



You are then set up to get a very useful issue straight from CI.


🎀 Bonus



Note that the issue is linked to the commit. This is really useful for tracking how a security flaw was introduced.


🔖 Resources


  • Anchore Container Scan on GitHub marketplace
  • Anchore Container Scan sourcecode on GitHub



  • ์ข‹์€ ์›นํŽ˜์ด์ง€ ์ฆ๊ฒจ์ฐพ๊ธฐ