It may seem far-fetched, but we deleted almost 80% of the code from the Redis Bitnami container image and it still does everything we need. No tricks, no rabbits up our sleeves. It turns out that most of the files in the Bitnami distribution are unnecessary and contain security issues. This is a common problem for all popular container images on Docker Hub.
Getting rid of all those unnecessary files makes the image more portable and much more secure.
Unused code contains CVEs
Cloud-native infrastructure is built around open source technologies that are fantastic, but also contain inherent security problems. Most companies using Docker containers for cloud-native applications are overlooking—or are overwhelmed by—the number of vulnerabilities in their open source container images. There can literally be thousands of vulnerabilities in a single container image.
To counter this, Google, AWS, and Docker Hub have all developed tools to scan containers and show Common Vulnerabilities and Exposures (CVE) reports. Unfortunately, nothing has been done to actually fix the CVEs in these open source images, and it's quickly becoming the elephant in the room.
The Redis Bitnami image, for example, contains networking tools and command line utilities that give malicious actors unnecessary opportunities to break in and move laterally. Using our free scanner and command line utilities, we shrank the Bitnami image from 117MB to just over 30MB, eliminating 77% of the known vulnerabilities and 91% of the installed packages. This resulted in an attack surface reduction of 72%.
Stop using vulnerable images, start using hardened images
We want to give back to the community by providing free, hardened, and optimized container images for the most popular downloads on Docker Hub. You can learn all about it on our GitHub page: https://github.com/rapidfort/community-images. They are completely free to use and updated daily.
The list of images is growing quickly and we would love the community’s help in identifying and securing them. Here’s what we’re currently offering (as of this writing):
- MariaDB
- MongoDB®
- MySQL
- NGINX
- PostgreSQL
- Redis™
- Redis™ Cluster
- Envoy
- Fluentd
- Grafana Oncall
- InfluxDB™
- Etcd
- NATS
- Redis™ IronBank
- PostgreSQL IronBank
- NGINX IronBank
How do we build these images?
The process of creating hardened, optimized images is very simple:
- Download the latest version of the image, e.g. `docker pull redis:latest`
- Add the RapidFort instrumentation to the image (we call this a “stub”)
- Run functional coverage scripts and track what files are used
- Delete everything that’s not used
Developers can use RapidFort to generate an instrumented image called a "stub." This stub can run in a test environment that exercises (or covers) expected workflows using a coverage script. (Please note that the coverage script is not the same as the testing script. The coverage script needs to cover primary functionality and doesn't need to worry about the output or functional/integration testing.)
Stubs are very small and are built with a single command. Once the coverage script executes on the container image, RapidFort provides a hardened image, which contains only the software required to run the workload. Then it provides a lean, secure image that can be tested in a CI/CD pipeline and released/deployed to production.
If you’d like to see how to harden a container, watch our tutorial.
How you can help and contribute
We are happy to release our first version of images, but the work is not done until we have covered all the popular Docker Hub images. We are looking for volunteers to join our Community Images project and contribute. If you’re interested in reducing the number of vulnerabilities your infrastructure carries, please download our hardened images and look through our coverage tests. We would love to work with you to improve and add to our coverage scripts.
If you run into any issues, please feel free to contribute or open an issue. https://github.com/rapidfort/community-images/issues/new/choose
Get started with our community images
We wouldn’t have called these “community images” if we didn’t want community participation. We would love for you to join our public Slack channel and try the images yourself. Please provide feedback and ask questions in GitHub.
And if you want to learn more about RapidFort, we are more than happy to give you a demo. We also have a free tier offering so you can secure any of your containers.