Enforce Docker Image CIS Policy Compliance with Tripwire for DevOps | Tripwire

Enforce Docker Image CIS Policy Compliance with Tripwire for DevOps

Posted on October 23, 2018
Enforce Docker Image CIS Policy Compliance with Tripwire for DevOps
We are working hard adding features to our new Tripwire for DevOps service, initially announced at BlackHat 2018. If you are a loyal State of Security follower, last you read we added Auditing for Amazon Machine Images (aka AMIs). Today, we are introducing CIS policy compliance auditing for Docker images. Tripwire for DevOps allows you to evaluate your Docker Images to check for policy compliance at build time. Doing so ensures those images are compliant with CIS policies before they are put into production.

How To

Whether you are experimenting with the service or integrating it with your CI/CD build tool e.g. Jenkins or GoCD or Travis CI, policy compliance scanning is enabled using the twdevops command line ‘-policy CIS’ flag.
img1-7.jpg
Currently, this feature is only available for Docker images, but stay tuned for an update on AMI scanning. Once the image is pushed and you have a request id, you can check for the status of the scan
img-2-4.jpg
Once the scan is complete (Status: ScanComplete), fetch the results in either JSON or JUnit formats (JSON example shown)
3-3.jpg
I did not include scan results here… it was just too much data. Handy tip: The JSON output contains information familiar to existing Tripwire Enterprise customers, including the remediation details provided by our CIS Policy content team. The online documentation contains additional details about the twdevops command line as well as for the platform and policy support. Now that an image has been scanned, the Tripwire for DevOps web interface displays both the Policy and Policy Test Results in addition to Vulnerability and Application information per Docker image.
4-3.jpg
Policy results are in the dashboard.
5-3.jpg
Matching Policies and Policy Tests can be found when selecting “View Scans.” As you may have read, Tripwire for DevOps can perform Docker Registry scanning. In this situation, you can use the UI to add CIS Policy compliance for future scans. Don’t be confused by the Docker terminology; a Docker Registry is different than a Docker Repository (thank you StackOverflow)!
6-3.jpg

Passing “Go”

If you wish to adjust how strictly a particular Docker Image must comply, using the UI you can select from our provided Quality Gate templates and even make individual adjustments from there if the need arises.
7-3.jpg
Policy compliance and remediation have been Tripwire’s bread and butter for the better part of a decade, and it should come as no surprise we are introducing it today in our Tripwire for DevOps solution. Press the “Shift Left” button and integrate our years of experience into your CI/CD pipeline, catching problems before they are deployed to production. Learn more about Tripwire for DevOps with our datasheet or register for a free trial at https://devops.tripwire.com/register
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!