We are working hard adding features to our new Tripwire for DevOps service, initially announced at BlackHat 2018. If you are a loyal State of Security follower, last you read we added Auditing for Amazon Machine Images (aka AMIs). Today, we are introducing CIS policy compliance auditing for Docker images.

Tripwire for DevOps allows you to evaluate your Docker Images to check for policy compliance at build time. Doing so ensures those images are compliant with CIS policies before they are put into production.
How To
Whether you are experimenting with the service or integrating it with your CI/CD build tool, e.g. Jenkins, GoCD or Travis CI, policy compliance scanning is enabled using the twdevops command line ‘-policy CIS’ flag.
Currently, this feature is only available for Docker images, but stay tuned for an update on AMI scanning.
Once the image is pushed and you have a request id, you can check the status of the scan.
Once the scan is complete (Status: ScanComplete), fetch the results in either JSON or JUnit format (JSON example shown).
I did not include scan results here… it was just too much data. Handy tip: The JSON output contains information familiar to existing Tripwire Enterprise customers, including the remediation details provided by our CIS Policy content team.
The online documentation contains additional details about the twdevops command line as well as the platform and policy support.
Now that an image has been scanned, the Tripwire for DevOps web interface displays both the Policy and Policy Test Results in addition to Vulnerability and Application information per Docker image.
Policy results are in the dashboard.
Matching Policies and Policy Tests can be found when selecting “View Scans.”
As you may have read, Tripwire for DevOps can perform Docker Registry scanning. In this situation, you can use the UI to add CIS Policy compliance for future scans. Don’t be confused by the Docker terminology; a Docker Registry is different than a Docker Repository (thank you StackOverflow)!
Passing “Go”
If you wish to adjust how strictly a particular Docker Image must comply, using the UI you can select from our provided Quality Gate templates and even make individual adjustments from there if the need arises.
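The steps above (wait for Status: ScanComplete, fetch the JSON results, then apply a Quality Gate) as a CI gate step. This is an added example, not Tripwire's code; the post does not show the twdevops JSON schema, so the results are assumed to be a dict with a "policyTests" list of {"name", "severity", "result"} entries (result "PASS" or "FAIL"), and the status/results calls are passed in as callables rather than invoking the CLI.

```python
"""Added example, not Tripwire's code: a CI gate around a CIS policy scan.
Assumed result shape (the post shows no schema): {"policyTests": [
{"name": ..., "severity": ..., "result": "PASS"|"FAIL"}, ...]}."""
import time

SCAN_COMPLETE = "ScanComplete"  # status value named in the post


def wait_for_scan(fetch_status, request_id, timeout_s=600, interval_s=15,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll fetch_status(request_id) until ScanComplete; False on timeout.
    clock/sleep are injectable so a pipeline test need not really wait."""
    deadline = clock() + timeout_s
    while True:
        if fetch_status(request_id) == SCAN_COMPLETE:
            return True
        if clock() >= deadline:
            return False
        sleep(interval_s)


def evaluate_gate(results, allowed_failures):
    """Apply a quality-gate template: allowed_failures maps severity -> max
    number of failed policy tests. Severities missing from the template get
    zero tolerance, so an unexpected severity cannot slip through.
    Returns (passed, failures_by_severity)."""
    failures = {}
    for test in results.get("policyTests", []):
        if test.get("result") == "FAIL":
            sev = test.get("severity", "unknown")
            failures.setdefault(sev, []).append(test["name"])
    passed = all(len(names) <= allowed_failures.get(sev, 0)
                 for sev, names in failures.items())
    return passed, failures


# Constructed sample results standing in for the fetched JSON (illustrative
# test names; severities are assumed, not taken from the service).
SAMPLE_RESULTS = {
    "status": SCAN_COMPLETE,
    "policyTests": [
        {"name": "CIS 4.1 Create a user for the container", "severity": "high", "result": "FAIL"},
        {"name": "CIS 4.6 Add HEALTHCHECK instruction", "severity": "low", "result": "FAIL"},
        {"name": "CIS 4.7 Do not use update instructions alone", "severity": "medium", "result": "PASS"},
    ],
}

# Two gate templates: strict blocks the build, relaxed tolerates one high finding.
STRICT_GATE = {"high": 0, "medium": 0, "low": 5}
RELAXED_GATE = {"high": 1, "medium": 2, "low": 5}

if __name__ == "__main__":
    ok, failed = evaluate_gate(SAMPLE_RESULTS, STRICT_GATE)
    print("strict gate:", "PASS" if ok else "FAIL", failed)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```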
Policy compliance and remediation have been Tripwire’s bread and butter for the better part of a decade, and it should come as no surprise we are introducing it today in our Tripwire for DevOps solution.
Press the “Shift Left” button and integrate our years of experience into your CI/CD pipeline, catching problems before they are deployed to production.
Learn more about Tripwire for DevOps with our datasheet or register for a free trial at https://devops.tripwire.com/register