Containerized infrastructure is awesome! We love it and we’ve built all of our services on it. The inevitable OSS vulnerabilities, on the other hand… Not so fun.
If you’re running containers in your infrastructure, chances are you’re also dealing with hundreds—if not thousands—of issues per container. It’s the major pitfall of modern day containerization: code you didn’t write with issues you can’t fix. And let’s face it: you probably don’t have the time or energy to deal with it. We have a great solution for this problem.
Though we wish we had a magic wand that miraculously fixes all the vulnerabilities, what we have is actually not too far off. And it’s free to use on any containers you’re running today or anything you’re looking to launch in the future.
We’re thrilled to announce the free tier of RapidFort’s container optimization platform. It’s available right now, there’s no waiting list, and you can harden up to 300 containers in your first four months.
Here’s how to get started…
Create your free account on the RapidFort platform
The first thing you’ll need to do is click the “Sign Up” button in the upper right corner of any page on RapidFort.com. We’ll collect a little bit of information about you (your name, where you work, and what you do there) and that’s it. Once that’s done, you’re in the platform right away.
Here’s what it’ll look like the first time you log in:
And here’s what it’ll look like after you’ve scanned a bunch of containers:
On the left-hand side of the screen, you can click the “Quick Start” link to bring up helpful information to get you started using RapidFort’s software.
Let’s say you’re using Docker as your container system. When you click “Docker,” you’ll get a handy pop-up with a set of ordered instructions for your CLI. To make life easier, we’ve added a little “copy to clipboard” button at the end of every line, which you can safely paste (yes, we promise it’s safe) into your favorite terminal app. (We like iTerm 2, fwiw.)
Instrument and understand your containers
As you can see, the first step in the quickstart guide is to install the RapidFort CLI tools, which is done with a simple curl command. (It’s worth noting at this point that we do require Python and Docker to run RapidFort.) Once the tools are installed, you’ll use rflogin to log into the platform via your terminal session. Think of it like your git credentials, which live longer than your current terminal session.
When you install the RapidFort CLI tools, you’ll get a set of applications local to your machine, including:
- rflogin: Log into RapidFort
- rfstub: Generate an instrumented image of your container
- rfharden: Generate a hardened image from the instrumented container
- rfscan: Scan one or more images or container registries for packages and vulnerabilities
- rfls: List RapidFort stub and hardened images that are available on the client system
- rfjobs: List all RapidFort jobs for the current user (including jobs that are not available on the client system)
- rfinfo: Show detailed information and optionally download reports for a RapidFort job
In our quickstart guide, we walk you through hardening the nginx container because it’s relatively small and you can see the results in just a few seconds. So, we have you pull the latest nginx container from Docker Hub and then we have you install our software into the container. We call it “instrumenting the container” and we use the rfstub command to make that happen. Our software is ~30 megabytes, so at first you’ll see your stubbed image increase in size by about 30MB, whether it’s a 100MB image or a 1GB image.
Quick side note: We don’t actually install our software into the container you downloaded. We make a new container with the original container’s contents and bundle it with the RapidFort instrumentation software. This is why you’ll see `nginx:latest-rfstub` in the quickstart guide.
Use rfstub to instrument and predict your container optimization
rfstub does a few cool things behind the scenes. First of all, it uploads your container to our platform and we scan it for known CVEs. We also generate a software bill of materials (SBOM), which is fully downloadable and inspectable within the web app. Most importantly, we create a statistical model of how many vulnerabilities we think we can remove from your image. In most cases, we can safely remove 70-80% of the vulnerabilities, which significantly increases the signal to noise ratio for vulnerability remediation.
Another important thing you get from the platform is the Rapid Risk Score (RRS), which uses machine learning to predict whether a Proof of Concept (POC) will exist for a known CVE within the next three months. The RRS makes prioritization and remediation decisions a breeze because it factors in real-world data and research from various leading security organizations.
Profile and harden your container activity
As soon as you launch your profiled image, it’s ready to send profiling information over to RapidFort. There are a couple of ways to profile your container so RapidFort knows exactly what code can be safely removed.
Profile your image with a coverage script
The first method is running a coverage script. This is a great option for a pure-automation play in your CI/CD pipeline. Coverage scripts are easy to write and many of ours are fewer than 30 lines of code. In fact, you can look at the coverage scripts we’ve written for our free, hardened community images on GitHub. For example, here’s our Bitnami Apache2 coverage script.
The point of a coverage script is to exercise all the functionality your end users are likely to run on your container. The better the coverage script, the more confidence you can have in your hardened container. In fact, one of our customers used this situation to strengthen automation pipelines and coverage scripts.
Profile your image with real-world execution
The second method of profiling your container image is with real-world execution. This is a great option if you don’t have full automation capabilities or you’re running a product with a bigger scope than you may be able to test. You can even use this method to run an instrumented container in production, capture everything that happens in a few days (or weeks), and let RapidFort identify what’s being used and what isn’t.
Even if you do have full automation capabilities and a great CI/CD pipeline, this is a really handy option if you just want to know about the relevant security risks in your container. We frequently help our customers reduce their known vulnerabilities from unmanageable numbers down to something that’s manageable. Your infrastructure right now might have millions of vulnerabilities and you might have no idea where to start. Getting that down several orders of magnitude and having a Rapid Risk Score help with prioritization can make a big difference in actionable security mitigation.
Use the profile to harden
Once you’ve captured the actual usage of your container (whether using a coverage script or capturing real-world information), you can tell RapidFort to do its thing: get rid of all the software components you don’t need.
The RapidFort platform looks at the profile data and quickly eliminates all the unused components. Within seconds, you’ll have a hardened and optimized container, which you can further secure with patches that you know will be relevant to the code in your app.
Get started today with our free tier
Our free tier is super easy to start using. We don’t collect a credit card and we let you harden hundreds of containers without any cost. Learn more about the free tier features on our pricing page.
If you want a demo, you can either watch it here or you can book one with a RapidFort engineer. We are more than happy to show off what we’ve built and we love working with people. Check out our case study with Customs Bridge and hear how we directly supported them on their fast journey to a secure production environment.
Join our Slack Channel
You should join our slack channel so that we can support you