Docker containers

If your application is packaged in a Docker container, ShiftLeft CORE can also analyze that container for findings that are not part of your application code itself (for example, vulnerable open-source components in the image) and present them alongside your other findings in the ShiftLeft Dashboard.

Requirements

You must have:

  • Docker installed
  • Your container already built (e.g., docker build -t heartbleed-docker .)

Including the container in the analysis

To include the container in your analysis, append the following flag and its value to your sl analyze command:

Flag            Description
--container     The container (image reference) to include, e.g., docker.io/shiftleft/demoContainer:latest, where docker.io is the registry, shiftleft is the repository, demoContainer is the image name and latest is the tag. The registry and tag default to docker.io and latest respectively.

Generally, any reference that docker run accepts can be used as the value, including locally built images such as demoContainer, or an image ID as listed by docker image ls.

Example

If you initiate an analysis of your application with the following:

sl analyze --java --app HelloShiftLeft --vcs-prefix-correction "*=/src/main/java" --wait ./target/hello-shiftleft-0.0.1.jar

You can include your application's container in the analysis for findings as follows:

sl analyze --java --app HelloShiftLeft --vcs-prefix-correction "*=/src/main/java" --container shiftleft/containerName --wait ./target/hello-shiftleft-0.0.1.jar
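As an added example (not ShiftLeft's own code or a description of how the sl CLI parses its arguments), the shell script below makes the reference rules from the flag table explicit and wraps the sl analyze invocation above. normalize_image_ref applies the stated defaults (registry docker.io, tag latest) plus Docker Hub's implied library/ namespace for single-component names, distinguishes a registry port from a tag, and passes image IDs through unchanged; analyze_with_container refuses to start a scan when the image is not present locally, since the container must be built first. The image names, app name and jar path are placeholders, and the --vcs-prefix-correction flag from the example command is omitted because its value is project-specific.

```shell
#!/bin/sh
# Added example, not ShiftLeft code: normalise an image reference the way the
# page describes the --container value, then fail fast if the image is not
# present locally before spending a scan on it.

# True if the argument looks like a Docker image ID (12-char short or 64-char full hex).
is_image_id() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;   # any non-hex character: not an ID
    esac
    [ "${#1}" -eq 12 ] || [ "${#1}" -eq 64 ]
}

# Print REGISTRY/REPOSITORY:TAG (or REGISTRY/REPOSITORY@DIGEST) for a reference,
# applying the defaults the page states: registry docker.io, tag latest.
# Docker Hub additionally implies the "library/" namespace for single-component
# names (docker pull nginx fetches docker.io/library/nginx).
normalize_image_ref() {
    ref="$1"
    if is_image_id "$ref"; then
        printf '%s\n' "$ref"      # IDs from "docker image ls" pass through unchanged
        return 0
    fi

    # A digest pin (name@sha256:...) takes the place of the tag.
    digest=""
    case "$ref" in
        *@*) digest="${ref#*@}"; ref="${ref%@*}" ;;
    esac

    # The tag separator is a ':' after the last '/', so the port in
    # localhost:5000/app is not mistaken for a tag.
    tag="latest"
    last="${ref##*/}"
    case "$last" in
        *:*) tag="${last##*:}"; ref="${ref%:*}" ;;
    esac

    # The first path component is a registry host only if it contains a '.'
    # or ':' or is "localhost"; otherwise the whole path is a Docker Hub repo.
    registry="docker.io"
    repo="$ref"
    case "$ref" in
        */*)
            first="${ref%%/*}"
            case "$first" in
                *.*|*:*|localhost) registry="$first"; repo="${ref#*/}" ;;
            esac
            ;;
    esac
    if [ "$registry" = "docker.io" ]; then
        case "$repo" in
            */*) ;;
            *) repo="library/$repo" ;;
        esac
    fi

    if [ -n "$digest" ]; then
        printf '%s/%s@%s\n' "$registry" "$repo" "$digest"
    else
        printf '%s/%s:%s\n' "$registry" "$repo" "$tag"
    fi
}

# Check the image exists locally (the page requires the container to be built
# already), then hand the reference to sl analyze as given by the caller.
# Usage: analyze_with_container IMAGE_REF APP_NAME JAR_PATH   (all placeholders)
analyze_with_container() {
    canonical="$(normalize_image_ref "$1")"
    if ! docker image inspect "$1" >/dev/null 2>&1; then
        echo "image $1 ($canonical) not found locally; build or pull it first" >&2
        return 1
    fi
    echo "scanning $canonical" >&2
    sl analyze --java --app "$2" --container "$1" --wait "$3"
}

# Only run the scan when invoked with arguments, so the functions above can be
# sourced or tested without Docker or the sl CLI installed.
if [ "$#" -eq 3 ]; then
    analyze_with_container "$1" "$2" "$3"
fi
```

Invoke it as ./scan.sh shiftleft/containerName HelloShiftLeft ./target/hello-shiftleft-0.0.1.jar; the local-presence check matters because a reference that is only valid as a remote pull would otherwise fail partway through the analysis rather than up front.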

Viewing your results

The summary page for your application provides high-level information regarding your container scan results, including the number of reachable/unreachable vulnerabilities:

View of the ShiftLeft dashboard showing high-level container vulnerabilities and reachability information

You can see a complete list of your container-related findings on the Container tab:

View of the ShiftLeft dashboard showing the list of container vulnerabilities identified

SCA for Containers

On the dashboard, ShiftLeft displays OSS vulnerabilities along with any other findings. See Intelligent Software Composition Analysis (SCA) for information on ShiftLeft's SCA implementation.

In short, ShiftLeft considers a finding reachable if an attacker-controlled data flow connects your application's inputs to the vulnerable code identified by the CVE. Reachability matters because it tells you whether the vulnerability can actually be exploited through your application; if it cannot, you can treat the finding as a lower priority for mitigation.

Limitations

At this time, Windows-based containers can only be analyzed from Windows machines.