check --image=<image-name>

# Scan an image
./roxctl image scan --image=<image-name>

# Check a deployment for security policy violations
./roxctl -e "$ROX_CENTRAL_ADDRESS" deployment check --file=<yaml-filename>

Sample result:

✗ Image gcr.io/rox-se/sample-image:getting-started failed policy 'Docker CIS 4.1: Ensure That a User for the Container Has Been Created'
- Description:
    ↳ Containers should run as a non-root user
- Rationale:
    ↳ It is good practice to run the container as a non-root user, where possible. This can be done via the USER directive in the Dockerfile.
- Remediation:
    ↳ Ensure that the Dockerfile for each container switches from the root user
- Violations:
    - Image has user 'root'
<omitted>
- Violations:
    - Fixable CVE-2021-20205 (CVSS 6.5) found in component 'libjpeg-turbo' (version 2.0.6-r0), resolved by version 2.1.0-r0
    - Fixable CVE-2021-22876 (CVSS 5.3) found in component 'curl' (version 7.74.0-r0), resolved by version 7.76.0-r0
    - Fixable CVE-2021-22890 (CVSS 3.7) found in component 'curl' (version 7.74.0-r0), resolved by version 7.76.0-r0
    - Fixable CVE-2021-28831 (CVSS 7.5) found in component 'busybox' (version 1.32.1-r3), resolved by version 1.32.1-r4
    - Fixable CVE-2021-30139 (CVSS 7.5) found in component 'apk-tools' (version 2.12.1-r0), resolved by version 2.12.5-r0

• A CLI tool that can be integrated into CI/CD tools
• Checks images and deployments for security policy violations and performs image scans.
• Presents each violation and its remediation to developers in an easy-to-understand form
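Added example (not part of the original slides, and not roxctl's own code): a Python sketch that parses "Fixable CVE" violation lines in the text format of the sample result above, groups them by component, and lists the CVEs a CI job could block on. The function names and the CVSS threshold of 7.0 are assumptions chosen for illustration.

```python
import re

# Matches "Fixable CVE" violation lines in the text format of the sample result.
VIOLATION_RE = re.compile(
    r"Fixable (?P<cve>CVE-\d{4}-\d+) \(CVSS (?P<cvss>\d+(?:\.\d+)?)\) "
    r"found in component '(?P<component>[^']+)' \(version (?P<version>[^)]+)\), "
    r"resolved by version (?P<fixed>\S+)"
)

# Sample input: violation lines copied from the sample result on the slide.
SAMPLE = """\
- Fixable CVE-2021-20205 (CVSS 6.5) found in component 'libjpeg-turbo' (version 2.0.6-r0), resolved by version 2.1.0-r0
- Fixable CVE-2021-22876 (CVSS 5.3) found in component 'curl' (version 7.74.0-r0), resolved by version 7.76.0-r0
- Fixable CVE-2021-22890 (CVSS 3.7) found in component 'curl' (version 7.74.0-r0), resolved by version 7.76.0-r0
- Fixable CVE-2021-28831 (CVSS 7.5) found in component 'busybox' (version 1.32.1-r3), resolved by version 1.32.1-r4
- Fixable CVE-2021-30139 (CVSS 7.5) found in component 'apk-tools' (version 2.12.1-r0), resolved by version 2.12.5-r0
"""

def parse_violations(text):
    """Return one dict per fixable-CVE line; text in any other format is skipped."""
    violations = []
    for match in VIOLATION_RE.finditer(text):
        record = match.groupdict()
        record["cvss"] = float(record["cvss"])
        violations.append(record)
    return violations

def summarize(violations):
    """Group by component: installed version, CVE ids, worst CVSS, fixed versions."""
    summary = {}
    for v in violations:
        entry = summary.setdefault(v["component"], {
            "installed": v["version"], "cves": [], "max_cvss": 0.0, "fixed_in": set()})
        entry["cves"].append(v["cve"])
        entry["max_cvss"] = max(entry["max_cvss"], v["cvss"])
        entry["fixed_in"].add(v["fixed"])
    return summary

def blocking_cves(violations, threshold=7.0):
    """CVE ids at or above the threshold; a CI job would fail when this is non-empty."""
    return sorted(v["cve"] for v in violations if v["cvss"] >= threshold)

if __name__ == "__main__":
    found = parse_violations(SAMPLE)
    for name, info in sorted(summarize(found).items(), key=lambda kv: -kv[1]["max_cvss"]):
        print(f"{name} {info['installed']} -> {', '.join(sorted(info['fixed_in']))} "
              f"(max CVSS {info['max_cvss']}, {len(info['cves'])} CVE(s))")
    blockers = blocking_cves(found)
    raise SystemExit(1 if blockers else 0)
```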
Hat provides ElasticSearch containers for OpenShift; this shows how the vulnerabilities differ between versions of that container. For container images provided by Red Hat, the latest vulnerability information is always available.

[Figure: Health grades F, D, A]

https://catalog.redhat.com/
https://catalog.redhat.com/software/containers/rhceph-beta/rhceph-4-dashboard-rhel8/5e965720d70cc54b02d1f413?container-tabs=security