Google Cloud helps build Container Security in CICD pipeline

Google Cloud has announced the beta release of Container Registry Vulnerability Scanning.

This will help users of Google Cloud Build automatically detect known security vulnerabilities as part of their CI/CD (Continuous Integration and Continuous Delivery/Deployment) process, and gives them the opportunity to act on the findings automatically, for example by subscribing to Pub/Sub notifications and handling them with Cloud Functions.

As soon as Cloud Build creates an image and stores it in Container Registry, developers can list the known vulnerabilities in that image with a simple API call, the gcloud command line, or the Cloud Console UI. Ubuntu, Debian, and Alpine OS package vulnerabilities can be identified for now, with CentOS and Red Hat Enterprise Linux (RHEL) support to follow. According to the Google Cloud blog post, Container Registry vulnerability scanning provides detailed insights for each finding such as severity, CVSS score, the affected packages, and whether a fix is available.

Vulnerability scanning continuously monitors the security databases of all supported OS distributions for new or updated vulnerabilities, so scan results for images already in the registry reflect the most up-to-date information rather than only what was known at push time.

Container images built with Cloud Build are scanned for OS package vulnerabilities when they are pushed to Container Registry. To activate vulnerability scanning, the Container Analysis API needs to be enabled for the project.
Vulnerability scanning is also integrated with Binary Authorization, a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine, without any manual intervention.
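The post leaves the "take appropriate actions" step to the reader. The added example below (my own code, not from the Google Cloud post or from Google) shows what a practical pipeline gate looks like: it reads the per-image scan report, as produced by the beta-track `gcloud beta container images describe IMAGE --show-package-vulnerability --format=json` command (verify the command and flag against your SDK version), and fails the build only for CRITICAL or HIGH findings that already have a fix available, while reporting unfixable findings as warnings so they do not block every deployment indefinitely. The report structure and field names (`package_vulnerability_summary`, `effectiveSeverity`, `cvssScore`, `packageIssue`, `fixedVersion.kind == "MAXIMUM"` meaning no fix) are my reading of the Container Analysis occurrence schema and the sample report is constructed; the vulnerability IDs in it are placeholders, not real CVEs. Check the shape against a real report before relying on it.

```python
"""Gate a CI/CD step on Container Registry vulnerability-scan results.

Added example, not code from the Google Cloud post. The report shape is
assumed to match `gcloud beta container images describe IMAGE
--show-package-vulnerability --format=json`; SAMPLE_REPORT below is
constructed for this example and uses placeholder IDs, not real CVEs.
Usage: python gate.py report.json   (exit 1 when fixable CRITICAL/HIGH found)
"""
import json
import sys

SAMPLE_REPORT = {  # constructed sample, not real scanner output
    "image_summary": {
        "registry": "gcr.io",
        "repository": "example-project/example-app",
        "digest": "sha256:" + "0" * 64,
    },
    "package_vulnerability_summary": {
        "total_vulnerability_found": 3,
        "not_fixed_vulnerability_count": 1,
        "vulnerabilities": {
            "HIGH": [
                {"noteName": "projects/goog-vulnz/notes/EXAMPLE-HIGH-FIXABLE",
                 "vulnerability": {"effectiveSeverity": "HIGH", "cvssScore": 7.5,
                                   "packageIssue": [{"affectedPackage": "libexample",
                                                     "affectedVersion": {"name": "1.0.0", "kind": "NORMAL"},
                                                     "fixedVersion": {"name": "1.0.1", "kind": "NORMAL"}}]}},
                {"noteName": "projects/goog-vulnz/notes/EXAMPLE-HIGH-NOFIX",
                 "vulnerability": {"effectiveSeverity": "HIGH", "cvssScore": 7.0,
                                   "packageIssue": [{"affectedPackage": "libother",
                                                     "affectedVersion": {"name": "2.3.4", "kind": "NORMAL"},
                                                     "fixedVersion": {"kind": "MAXIMUM"}}]}},  # no fix yet
            ],
            "LOW": [
                {"noteName": "projects/goog-vulnz/notes/EXAMPLE-LOW",
                 "vulnerability": {"effectiveSeverity": "LOW", "cvssScore": 2.1,
                                   "packageIssue": [{"affectedPackage": "libminor",
                                                     "affectedVersion": {"name": "0.9", "kind": "NORMAL"},
                                                     "fixedVersion": {"name": "0.9.1", "kind": "NORMAL"}}]}},
            ],
        },
    },
}

BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")


def fix_available(occurrence):
    """True if any affected package has a concrete fixed version.

    In the Container Analysis schema a fixedVersion of kind MAXIMUM means
    "no fix available" (assumed here; see lead-in)."""
    issues = occurrence.get("vulnerability", {}).get("packageIssue", [])
    return any(issue.get("fixedVersion", {}).get("kind") != "MAXIMUM" for issue in issues)


def evaluate(report, blocking=BLOCKING_SEVERITIES):
    """Return (blocking_findings, warnings) for one image report.

    A finding blocks only if its severity is in `blocking` AND a fix exists;
    everything else is surfaced as a warning so the team still sees it."""
    summary = report.get("package_vulnerability_summary", {})
    blocking_findings, warnings = [], []
    for severity, occurrences in summary.get("vulnerabilities", {}).items():
        for occ in occurrences:
            vuln = occ.get("vulnerability", {})
            finding = {
                "id": occ.get("noteName", "").rsplit("/", 1)[-1],
                "severity": vuln.get("effectiveSeverity", severity),
                "cvss": vuln.get("cvssScore"),
                "packages": [i.get("affectedPackage") for i in vuln.get("packageIssue", [])],
                "fix_available": fix_available(occ),
            }
            if finding["severity"] in blocking and finding["fix_available"]:
                blocking_findings.append(finding)
            else:
                warnings.append(finding)
    return blocking_findings, warnings


def main(argv):
    """Read a report file (or the constructed sample) and return the exit code."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    blocking_findings, warnings = evaluate(report)
    for f in warnings:
        print("WARN  %s %s cvss=%s packages=%s fix=%s"
              % (f["severity"], f["id"], f["cvss"], f["packages"], f["fix_available"]))
    for f in blocking_findings:
        print("BLOCK %s %s cvss=%s packages=%s (fix available)"
              % (f["severity"], f["id"], f["cvss"], f["packages"]))
    return 1 if blocking_findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a Cloud Build step after the push, feeding it the `describe` output, and a non-zero exit stops the pipeline before the image reaches an environment; the same `evaluate` function can sit behind a Cloud Functions Pub/Sub handler that receives occurrence notifications for images that were already in the registry when a new advisory landed. Treating "no fix available" as a warning rather than a block is a deliberate policy choice; tighten it per image if you prefer to fail closed.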

The announcement also lists ThoughtWorks as one of the early adopters of Container Registry vulnerability scanning. ThoughtWorks is integrating vulnerability scanning into all of its application project pipelines, which helps prevent vulnerable components from making it into production and lets development teams receive automated vulnerability scanning reports.

The importance of container security can also be seen in the fact that Sysdig, a container security startup, recently raised USD $68.5M in Series D funding. Sysdig's Falco is open source behavioral monitoring software designed to detect anomalous activity, built on Sysdig's monitoring technology; it also works as an intrusion detection system on any Linux host.

More details are available in the Google Cloud Blog announcement.


Mandar Pise. Opinions expressed by TechSutram contributors are their own.

Mandar is a seasoned software professional with more than a decade of experience. He is a Cloud, AI, IoT, Blockchain and Fintech enthusiast who writes so that others can benefit from his experience. His overall goal is to help people learn about Cloud, AI, IoT, Blockchain and Fintech and the effects they will have economically and socially in the future.
