OCI registries let teams acquire and use images and artifacts through a standardized artifact interface.
Overview:
- Zot OCI container registry
- Build a Docker artifact
- Generate an SBOM with Syft
- SAST scan with Trivy
- Malware scan with YaraHunter
Table of Contents
Image Assessment Workflow
- Input new image
- YARA scan -> JSON output
- SAST scan with Trivy -> JSON output
- Generate an SBOM for our Docker image
- Sign Docker image
- Create an OCI artifact that maps and holds the image and its supply-chain artifacts
- Push artifact
Create an OCI registry with zot (listening only on loopback):
$ docker run -d -p 127.0.0.1:5000:5000 --name zot-registry ghcr.io/project-zot/zot-linux-amd64:latest
Dockerfile: build a Docker image containing the EICAR malware test file on a base whose apk-tools has a critical vulnerability:
# alpine:3.10 ships apk-tools 2.10.6-r0 (CVE-2021-36159, fixed in 2.10.7-r0), which the scanners below will flag
FROM alpine:3.10
WORKDIR /app
# Fetch the malware test file first, on the host, next to this Dockerfile:
## curl -O https://secure.eicar.org/eicar.com.txt
COPY ./eicar.com.txt /app
Build:
$ docker build . -t localhost:5000/alpine-eicar:0.1
Assessing Artifacts with Open-Source Tooling
Generate an SBOM:
$ syft localhost:5000/alpine-eicar:0.1 --scope all-layers -o spdx-json=sbom.spdx.json
SAST Vulnerability Scan:
$ trivy image -f json -o trivy.json --severity CRITICAL,HIGH localhost:5000/alpine-eicar:0.1
# Trivy's JSON report nests findings under Results[]
$ jq '.Results[].Vulnerabilities' trivy.json
Malware scan with Deepfence's open-source YARA rules (yes, mounting the host Docker socket into the container is bad):
$ docker run -i --rm --name=deepfence-yarahunter -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/home/deepfence/output deepfenceio/deepfence_malware_scanner_ce:2.0.0 --image-name localhost:5000/alpine-eicar:0.1 --output=json > yara.myeicar.json
Save the Docker image for later analysis:
$ docker save localhost:5000/alpine-eicar:0.1 > alpine-eicar-0.1.tar
Upload our artifacts to the OCI registry, using the image tag convention for remote storage:
$ oras push --plain-http localhost:5000/alpine-eicar:0.1-sbom --artifact-type application/vnd.acme.rocket.config sbom.spdx.json:text/json
$ oras push --plain-http localhost:5000/alpine-eicar:0.1-trivy --artifact-type application/vnd.acme.rocket.config trivy.json:text/json
$ oras push --plain-http localhost:5000/alpine-eicar:0.1-malware --artifact-type application/vnd.acme.rocket.config yara.myeicar.json:text/json
$ oras push --plain-http localhost:5000/alpine-eicar:0.1-archive --artifact-type application/vnd.acme.rocket.config alpine-eicar-0.1.tar
View and Pull Artifacts from the Registry for Analysis
Though this example is contrived in its simplicity, an OCI registry provides a simple out-of-band mechanism to store SDLC security artifacts for later analysis and incident response.
# Check OCI repo for artifacts
$ oras repo ls localhost:5000
alpine-eicar
prompt-library/hello-world
prompt-library/zot-prompt-library
# Lists all tags for artifact
$ oras repo tags localhost:5000/alpine-eicar
0.1-archive
0.1-sbom
0.1-trivy
# Pull SBOM and check for vulnerabilities
$ oras pull localhost:5000/alpine-eicar:0.1-sbom
Downloading 5624f3d08ca0 sbom.spdx.json
Downloaded 5624f3d08ca0 sbom.spdx.json
Pulled [registry] localhost:5000/alpine-eicar:0.1-sbom
Digest: sha256:b2a95087ed0d2dd36463df37008b7ffab73eee33c0b51788d58ecc593ef61806
# Scan SBOM for CVEs
$ cat sbom.spdx.json | grype
NAME       INSTALLED   FIXED-IN   TYPE  VULNERABILITY   SEVERITY
apk-tools  2.10.6-r0   2.10.7-r0  apk   CVE-2021-36159  Critical
busybox    1.30.1-r5              apk   CVE-2022-48174  Critical
busybox    1.30.1-r5              apk   CVE-2023-39810  High
...
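Once trivy.json and the YaraHunter result have been pulled back from the registry, the natural next step is a policy decision over them. The following gate is an added example, not part of the original walkthrough or of the Trivy/YaraHunter projects. It reads Trivy's JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) and assumes a YaraHunter result shaped as a "Malware" list with "Rule Name" and "File Name" keys; that YaraHunter shape is an assumption, and the two sample reports embedded below are constructed to mirror the findings shown on this page.

```python
"""Policy gate over the scan artifacts stored in the registry (trivy.json, yara.myeicar.json).

Added example, not project code. Policy: any YARA match or CRITICAL CVE blocks,
HIGH-only findings warn, nothing of note passes.
"""
import json
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of a Trivy JSON report, trimmed to the fields the gate reads.
TRIVY_SAMPLE = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "localhost:5000/alpine-eicar:0.1",
    "Results": [{
        "Target": "localhost:5000/alpine-eicar:0.1 (alpine 3.10)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools",
             "InstalledVersion": "2.10.6-r0", "FixedVersion": "2.10.7-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-39810", "PkgName": "busybox",
             "InstalledVersion": "1.30.1-r5", "Severity": "HIGH"},
        ],
    }],
})

# Constructed sample of a YaraHunter result. The key names are an assumption about
# YaraHunter's output; only "Rule Name" and "File Name" are read.
YARA_SAMPLE = json.dumps({
    "Malware": [{"Rule Name": "EICAR_Test_File", "File Name": "/app/eicar.com.txt"}],
})


@dataclass(frozen=True)
class Finding:
    source: str         # "trivy" or "yara"
    identifier: str     # CVE id or YARA rule name
    severity: str
    location: str       # package@version or file path inside the image
    fix_available: bool


def trivy_findings(report_json: str, min_severity: str = "HIGH") -> list:
    """Flatten Results[].Vulnerabilities[] into Findings at or above min_severity."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    findings = []
    for result in report.get("Results", []):
        # Trivy omits the key entirely when a target has no vulnerabilities
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            findings.append(Finding(
                source="trivy",
                identifier=vuln["VulnerabilityID"],
                severity=severity,
                location=f"{vuln.get('PkgName')}@{vuln.get('InstalledVersion')}",
                fix_available=bool(vuln.get("FixedVersion")),
            ))
    return findings


def yara_findings(report_json: str) -> list:
    """Turn each YARA rule match into a Finding; a match is always treated as CRITICAL."""
    report = json.loads(report_json)
    return [
        Finding(source="yara", identifier=m.get("Rule Name", "unknown-rule"),
                severity="CRITICAL", location=m.get("File Name", "?"), fix_available=False)
        for m in report.get("Malware", [])
    ]


def evaluate(trivy_json: str, yara_json: str) -> dict:
    """Apply the gate policy and return the verdict with human-readable reasons."""
    findings = yara_findings(yara_json) + trivy_findings(trivy_json, "HIGH")
    malware = [f for f in findings if f.source == "yara"]
    critical = [f for f in findings if f.source == "trivy" and f.severity == "CRITICAL"]
    high = [f for f in findings if f.source == "trivy" and f.severity == "HIGH"]
    reasons = []
    if malware:
        reasons.append(f"{len(malware)} YARA match(es): "
                       + ", ".join(f"{f.identifier} in {f.location}" for f in malware))
    if critical:
        reasons.append(f"{len(critical)} CRITICAL CVE(s): "
                       + ", ".join(f"{f.identifier} ({f.location})" for f in critical))
    if malware or critical:
        verdict = "block"
    elif high:
        verdict = "warn"
        reasons.append(f"{len(high)} HIGH CVE(s): " + ", ".join(f.identifier for f in high))
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons, "findings": findings}


if __name__ == "__main__":
    # Usage: python gate.py trivy.json yara.myeicar.json (no arguments: use the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            trivy_text, yara_text = f1.read(), f2.read()
    else:
        trivy_text, yara_text = TRIVY_SAMPLE, YARA_SAMPLE
    result = evaluate(trivy_text, yara_text)
    print(result["verdict"].upper())
    for reason in result["reasons"]:
        print(" -", reason)
    sys.exit(1 if result["verdict"] == "block" else 0)
```

Run against the artifacts pulled with `oras pull localhost:5000/alpine-eicar:0.1-trivy` and `oras pull localhost:5000/alpine-eicar:0.1-malware`, the gate exits non-zero for this image because of both the EICAR match and the apk-tools CVE; the same script can be re-run months later against the archived artifacts without re-scanning the image, which is the point of keeping them in the registry.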