Have your CloudGuard Dome9 API keys ready. They are obtained from the Dome9 web UI in the Settings / Credentials section.
| Env. variable | Description |
|---|---|
| CHKP_CLOUDGUARD_ID | your D9 API key identifier ("username") |
| CHKP_CLOUDGUARD_SECRET | D9 API key secret ("password") |
While a stand-alone binary can be downloaded for your platform, we will use the Docker image of the ShiftLeft tool, available on Docker Hub as checkpoint/shiftleft.
```
docker pull checkpoint/shiftleft
```
We will target an older version of the official Debian image, export the image to a tar file and launch the scan.
```
# pull some older image
~ % docker pull debian:stretch-20191224
stretch-20191224: Pulling from library/debian
Digest: sha256:85c4668abb4f26e913152ba8fd04fca5f1c2345d3e2653855e6bb0acf461ed50
Status: Image is up to date for debian:stretch-20191224
docker.io/library/debian:stretch-20191224

# export image to local tar file
~ % docker save debian:stretch-20191224 > debian_stretch-20191224.tar

# launch image scan.
# IMPORTANT: remember to use your own key env variables
# CHKP_CLOUDGUARD_ID and CHKP_CLOUDGUARD_SECRET
~ % docker run -ti --rm \
    -v $(pwd)/debian_stretch-20191224.tar:/img/debian_stretch-20191224.tar \
    -e CHKP_CLOUDGUARD_ID=change_me_id \
    -e CHKP_CLOUDGUARD_SECRET=change_me_secret \
    checkpoint/shiftleft \
    shiftleft image-scan -t 900 \
    -i /img/debian_stretch-20191224.tar
```
Consider adding the -j argument to get JSON output, which makes the results easier to process (custom visualization, scripting, access to the recommended action, etc.).
```
INFO [07-10-2020 13:41:59.063] blade image-scan updated (0.0.130)
INFO [07-10-2020 13:41:59.220] SourceGuard Scan Started!
INFO [07-10-2020 13:42:01.001] Project name: debian path: /tmp/SourceGuard893076011
INFO [07-10-2020 13:42:01.001] Scan ID: d101443fe9537342d78d1c9c760a2f5f1d3722e7db10ba308514b8e71a7fd39e-KmTwTf
Action: BLOCK
Packages Findings:
  - Package Path: /var/lib/dpkg/status
    Package Manager: dpkg
    Severity: CRITICAL
      - libsystemd0 232-25+deb9u12
        Severity: CRITICAL
        Line: 759
        CVEs Findings:
          - ID: CVE-2018-15686
            Description: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
            Severity: CRITICAL
            Last Modified: 2020-07-29T12:15:00Z
          - ID: CVE-2018-15688
            Description: A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.
            Severity: CRITICAL
            Last Modified: 2019-10-09T23:35:00Z
          - ID: CVE-2017-1000082
            Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.
            Severity: CRITICAL
            Last Modified: 2017-07-23T01:29:00Z
...
Please see full analysis: https://portal.checkpoint.com/Dashboard/SourceGuard#/scan/image/d101443fe9537342d78d1c9c760a2f5f1d3722e7db10ba308514b8e71a7fd39e-KmTwTf
```
JSON format output
```
# added -j for JSON output
# grep to pass only JSON and jq to format report
# json root contains recommended action (e.g. BLOCK)
~ % docker run -ti --rm \
    -v $(pwd)/debian_stretch-20191224.tar:/img/debian_stretch-20191224.tar \
    -e CHKP_CLOUDGUARD_ID=change_me_id \
    -e CHKP_CLOUDGUARD_SECRET=change_me_secret \
    checkpoint/shiftleft \
    shiftleft image-scan -t 900 \
    -i /img/debian_stretch-20191224.tar -j \
    | grep '^{' | jq .
```
```json
{
  "action": "BLOCK",
  "status": "COMPLETED",
  "code": null,
  "content": null,
  "filename": null,
  "ips": null,
  "urls": null,
  "files": null,
  "dependencies": null,
  "packages": [
    {
      "sha256": "4c8e4c69c1f8986d9c4ee08f2f559549c2e0d2bd0d0d96fac1bd24c8bf55227f",
      "file-path": "/var/lib/dpkg/status",
      "package-manager": "dpkg",
      "os": "debian:9",
      "severity": "CRITICAL",
      "layer": "ebb9ae013834b54e76c8d7dfde0ca9018f6bb3495740356a8f1dc655a8552130",
      "is-os-package": true,
      "matched-dependencies": 18,
      "dependencies-tree": [
        {
          "name": "libsystemd0",
          "version": "232-25+deb9u12",
          "operator": "",
          "line": 759,
          "source": "https://www.freedesktop.org/wiki/Software/systemd",
          "severity": "CRITICAL",
          "match_cves": [
            {
              "description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
              "id": "CVE-2018-15686",
              "severity": "CRITICAL",
              "last_modified": "2020-07-29T12:15:00Z"
            },
...
```
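As an added example (not part of the original post or of the ShiftLeft tool), a small Python gate that consumes the -j output: it skips the INFO log lines the way the grep '^{' step does, flattens packages → dependencies-tree → match_cves into one row per CVE, and exits non-zero on a BLOCK action or on any CVE at or above a chosen severity, so it can close a CI step. The embedded sample output is constructed from the fields shown above; the LOW placeholder CVE and the severity ranking are assumptions.

```python
import json
import sys
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # assumed ordering

# Constructed sample of the scanner's stdout with -j: log lines first, then the
# JSON report (field names as on the page; the LOW entry is a made-up placeholder).
SAMPLE_OUTPUT = "INFO [07-10-2020 13:41:59.220] SourceGuard Scan Started!\n" + json.dumps({
    "action": "BLOCK", "status": "COMPLETED", "files": None,
    "packages": [{"file-path": "/var/lib/dpkg/status", "package-manager": "dpkg",
                  "os": "debian:9", "severity": "CRITICAL",
                  "dependencies-tree": [{"name": "libsystemd0", "version": "232-25+deb9u12",
                                         "line": 759, "severity": "CRITICAL",
                                         "match_cves": [
                                             {"id": "CVE-2018-15686", "severity": "CRITICAL"},
                                             {"id": "CVE-2018-15688", "severity": "CRITICAL"},
                                             {"id": "CVE-0000-00000", "severity": "LOW"}]}]}]})

def extract_json(stdout):
    """Skip the INFO log lines and parse the JSON report (same idea as grep '^{')."""
    start = stdout.find("{")
    if start < 0:
        raise ValueError("no JSON report in scanner output")
    return json.loads(stdout[start:])

def findings(report, min_severity="HIGH"):
    """Flatten packages -> dependencies-tree -> match_cves into (package, version,
    cve_id, severity) rows; sections may be null (cf. "files": null), hence `or []`."""
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for pkg in report.get("packages") or []:
        for dep in pkg.get("dependencies-tree") or []:
            for cve in dep.get("match_cves") or []:
                if SEVERITY_RANK.get(cve.get("severity", ""), 0) >= threshold:
                    rows.append((dep["name"], dep["version"], cve["id"], cve["severity"]))
    return rows

def gate(stdout, min_severity="HIGH"):
    """Return (exit_code, action, rows): non-zero on BLOCK or on any row at threshold."""
    report = extract_json(stdout)
    rows = findings(report, min_severity)
    action = report.get("action")
    return (1 if action == "BLOCK" or rows else 0), action, rows

if __name__ == "__main__":  # usage: shiftleft image-scan ... -j | python3 gate.py
    code, action, rows = gate(sys.stdin.read())
    print(f"action: {action}")
    for name, version, cve_id, sev in rows:
        print(f"{sev:8} {cve_id:16} {name} {version}")
    sys.exit(code)
```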