@mkol5222
Last active October 7, 2020 14:07
How to scan Docker image with Check Point shiftleft container image scanner

How to scan a Docker container image using the Check Point shiftleft command-line scanner

Requirements

Have your CloudGuard Dome9 API keys ready. They are obtained from the Dome9 web UI in the Settings / Credentials section.

Env. variable            Description
CHKP_CLOUDGUARD_ID       your D9 API key identifier ("username")
CHKP_CLOUDGUARD_SECRET   your D9 API key secret ("password")

Tool distribution

While a stand-alone binary can be downloaded for your platform, we will use the Docker image of the shiftleft tool, available on Docker Hub as checkpoint/shiftleft.

docker pull checkpoint/shiftleft

Example use

We will target an older version of the official Debian image, export the image to a tar file and launch the scan.

# pull some older image
~ % docker pull debian:stretch-20191224
stretch-20191224: Pulling from library/debian
Digest: sha256:85c4668abb4f26e913152ba8fd04fca5f1c2345d3e2653855e6bb0acf461ed50
Status: Image is up to date for debian:stretch-20191224
docker.io/library/debian:stretch-20191224

# export image to local tar file
~ % docker save debian:stretch-20191224 > debian_stretch-20191224.tar

# launch image scan. 
# IMPORTANT: remember to use your own key env variables 
#   CHKP_CLOUDGUARD_ID and CHKP_CLOUDGUARD_SECRET
~ % docker run -ti --rm \
   -v $(pwd)/debian_stretch-20191224.tar:/img/debian_stretch-20191224.tar \
   -e CHKP_CLOUDGUARD_ID=change_me_id \
   -e CHKP_CLOUDGUARD_SECRET=change_me_secret \
   checkpoint/shiftleft \
   shiftleft  image-scan -t 900 \
      -i /img/debian_stretch-20191224.tar

Result

Consider adding the -j argument to get JSON output, which is easier to process (custom visualization, scripting, reading the recommended action, etc.).

INFO   [07-10-2020 13:41:59.063] blade image-scan updated (0.0.130)
INFO   [07-10-2020 13:41:59.220] SourceGuard Scan Started!
INFO   [07-10-2020 13:42:01.001] Project name: debian path: /tmp/SourceGuard893076011
INFO   [07-10-2020 13:42:01.001] Scan ID: d101443fe9537342d78d1c9c760a2f5f1d3722e7db10ba308514b8e71a7fd39e-KmTwTf
Action: BLOCK
Packages Findings:
	- Package Path: /var/lib/dpkg/status
	  Package Manager: dpkg
	  Severity: CRITICAL
		- libsystemd0  232-25+deb9u12
		  Severity: CRITICAL
		  Line: 759
		  CVEs Findings:
			- ID: CVE-2018-15686
			Description: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
			Severity: CRITICAL
			Last Modified: 2020-07-29T12:15:00Z
			- ID: CVE-2018-15688
			Description: A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.
			Severity: CRITICAL
			Last Modified: 2019-10-09T23:35:00Z
			- ID: CVE-2017-1000082
			Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.
			Severity: CRITICAL
			Last Modified: 2017-07-23T01:29:00Z
...
Please see full analysis: https://portal.checkpoint.com/Dashboard/SourceGuard#/scan/image/d101443fe9537342d78d1c9c760a2f5f1d3722e7db10ba308514b8e71a7fd39e-KmTwTf

JSON format output

# added -j for JSON output
# grep to pass only JSON and jq to format report
# json root contains recommended action (e.g. BLOCK)
~ % docker run -ti --rm \
   -v $(pwd)/debian_stretch-20191224.tar:/img/debian_stretch-20191224.tar \
   -e CHKP_CLOUDGUARD_ID=change_me_id \
   -e CHKP_CLOUDGUARD_SECRET=change_me_secret \
   checkpoint/shiftleft \
   shiftleft  image-scan -t 900 \
      -i /img/debian_stretch-20191224.tar -j \
   | grep '^{' | jq .

{
  "action": "BLOCK",
  "status": "COMPLETED",
  "code": null,
  "content": null,
  "filename": null,
  "ips": null,
  "urls": null,
  "files": null,
  "dependencies": null,
  "packages": [
    {
      "sha256": "4c8e4c69c1f8986d9c4ee08f2f559549c2e0d2bd0d0d96fac1bd24c8bf55227f",
      "file-path": "/var/lib/dpkg/status",
      "package-manager": "dpkg",
      "os": "debian:9",
      "severity": "CRITICAL",
      "layer": "ebb9ae013834b54e76c8d7dfde0ca9018f6bb3495740356a8f1dc655a8552130",
      "is-os-package": true,
      "matched-dependencies": 18,
      "dependencies-tree": [
        {
          "name": "libsystemd0",
          "version": "232-25+deb9u12",
          "operator": "",
          "line": 759,
          "source": "https://www.freedesktop.org/wiki/Software/systemd",
          "severity": "CRITICAL",
          "match_cves": [
            {
              "description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
              "id": "CVE-2018-15686",
              "severity": "CRITICAL",
              "last_modified": "2020-07-29T12:15:00Z"
            },
...
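The JSON form is what makes scripting a CI gate practical. As an added example (not part of the gist or of the shiftleft tool), this Python script does the `grep '^{'` step itself, flattens `packages[].dependencies-tree[].match_cves[]` to list CRITICAL CVEs, and exits non-zero when the root `action` is BLOCK. The embedded scanner output is constructed in the shape shown above, not a real scan result.

```python
import json
import sys

# Constructed sample of scanner stdout: INFO lines as in the log above, then
# a single-line JSON report trimmed to the fields read here (not a real scan).
SAMPLE_STDOUT = "\n".join([
    "INFO   [07-10-2020 13:41:59.220] SourceGuard Scan Started!",
    "INFO   [07-10-2020 13:42:01.001] Project name: debian path: /tmp/x",
    json.dumps({"action": "BLOCK", "status": "COMPLETED", "packages": [{
        "file-path": "/var/lib/dpkg/status", "package-manager": "dpkg",
        "dependencies-tree": [{
            "name": "libsystemd0", "version": "232-25+deb9u12",
            "match_cves": [
                {"id": "CVE-2018-15686", "severity": "CRITICAL"},
                {"id": "CVE-2018-15688", "severity": "CRITICAL"},
                {"id": "CVE-2017-1000082", "severity": "CRITICAL"},
            ]}]}]}),
])


def extract_report(stdout):
    """Same effect as grep '^{': return the first line that starts with '{' as JSON."""
    for line in stdout.splitlines():
        if line.startswith("{"):
            return json.loads(line)
    raise ValueError("no JSON report found in scanner output")


def findings(report, severity="CRITICAL"):
    """Flatten packages[].dependencies-tree[].match_cves[] into (package, version, cve)."""
    out = []
    for pkg in report.get("packages") or []:          # "packages" may be null
        for dep in pkg.get("dependencies-tree") or []:
            for cve in dep.get("match_cves") or []:
                if cve.get("severity") == severity:
                    out.append((dep["name"], dep["version"], cve["id"]))
    return out


def exit_code(report, fail_on=("BLOCK",)):
    """CI gate on the root 'action' field: 1 when the scanner recommends BLOCK."""
    return 1 if report.get("action") in fail_on else 0


if __name__ == "__main__":
    # Read piped scanner output; fall back to the constructed sample on a TTY.
    text = SAMPLE_STDOUT if sys.stdin.isatty() else sys.stdin.read()
    rep = extract_report(text)
    for name, ver, cve in findings(rep):
        print(f"{name} {ver}: {cve}")
    print(f"action={rep.get('action')}")
    sys.exit(exit_code(rep))
```

Pipe the `-j` invocation above into this script in place of `grep '^{' | jq .`, and the pipeline step fails exactly when the scanner's recommended action is BLOCK.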