Docker containers

If your application resides within a Docker container, Qwiet preZero can analyze the container in which your app resides for findings that aren't expressly a part of your application and present those results in conjunction with your other findings in the Qwiet Dashboard.

Requirements

You must have:

  • Docker installed
  • Built your container already (e.g., docker build -t heartbleed-docker .)

Including the container in the analysis

To include the container with your analysis, append the following flag and accompanying values to your sl analyze command:

| Flag | Description |
| --- | --- |
| --container <name> | The container to include (e.g., docker.io/shiftleft/demoContainer:latest, where docker.io is the registry, shiftleft is the repo, demoContainer is the name of the container, and latest is the tag; registry and tag default to docker.io and latest respectively) |
| --container-bom-path <path> | Use a custom Bill-of-Materials file in Container SCA |
| --force-bom-rebuild | Force generation of a Software Bill of Materials even if an SBOM file already exists for the project |

Generally, any reference that works with docker run can be used as an argument, including locally available containers like demoContainer, or the image ID listed in docker image ls.

Example

If you initiate an analysis of your application with the following:

sl analyze --java --app HelloShiftLeft --vcs-prefix-correction "*=/src/main/java" --wait ./target/hello-shiftleft-0.0.1.jar

You can include your application's container in the analysis for findings as follows:

sl analyze --java --app HelloShiftLeft --vcs-prefix-correction "*=/src/main/java" --container shiftleft/containerName --wait ./target/hello-shiftleft-0.0.1.jar

Viewing your results

The application summary page provides high-level information regarding your container scan results, including the number of reachable/unreachable vulnerabilities.

You can see a complete list of your container-related findings by going to Findings > Containers from the application summary page.

SCA for Containers

On the dashboard, Qwiet displays OSS vulnerabilities along with any other findings. See Intelligent Software Composition Analysis (SCA) for information on Qwiet's SCA implementation.

In short, Qwiet considers a finding to be reachable if an attacker-controlled path connects application inputs to the CVE. The concept of reachability is crucial because it tells you if someone can exploit a vulnerability in your application; if not, you can consider this vulnerability a low priority for mitigation.

There are multiple ways for an SBOM file to be included for the container image:

  • If there's a container_bom.xml file in the source directory, it will be included in the analysis.
  • Otherwise (or if --force-bom-rebuild was specified on the command line), it is generated automatically from the given container image.
  • The SBOM file can also be specified explicitly via the --container-bom-path parameter.

At this time, the options above produce and accept SBOM files only in CycloneDX's XML format.
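Because a custom BOM passed via --container-bom-path must be CycloneDX XML, it is worth checking the file locally before submitting a scan. The following pre-flight check is an added example, not Qwiet's own code: it relies only on the CycloneDX XML namespace convention (http://cyclonedx.org/schema/bom/<version>) and the embedded sample BOM is constructed.

```python
"""Pre-flight check for a custom SBOM before it is passed via --container-bom-path.
Constructed example (not Qwiet's code): verifies CycloneDX XML form and lists components."""
import xml.etree.ElementTree as ET

# Every CycloneDX XML spec version lives under this namespace prefix (e.g. .../bom/1.4).
CYCLONEDX_NS_PREFIX = "http://cyclonedx.org/schema/bom/"

def _result(ok, reason="", spec_version="", components=None):
    return {"ok": ok, "reason": reason, "spec_version": spec_version,
            "components": components or []}

def inspect_container_bom(bom_text: str) -> dict:
    """Classify an SBOM document and extract its component inventory."""
    if bom_text.lstrip().startswith("{"):
        # CycloneDX JSON is still CycloneDX, but only the XML form is accepted here.
        return _result(False, "JSON SBOM: only CycloneDX XML is accepted")
    try:
        root = ET.fromstring(bom_text)  # expat does not fetch external entities
    except ET.ParseError as exc:
        return _result(False, f"not well-formed XML: {exc}")
    # ElementTree reports a namespaced root as "{namespace-uri}bom".
    if not (root.tag.startswith("{" + CYCLONEDX_NS_PREFIX) and root.tag.endswith("}bom")):
        return _result(False, f"root element {root.tag!r} is not a CycloneDX <bom>")
    ns = root.tag[1:root.tag.index("}")]
    components = [
        {"type": c.get("type", ""),
         "name": c.findtext(f"{{{ns}}}name", default=""),
         "version": c.findtext(f"{{{ns}}}version", default=""),
         "purl": c.findtext(f"{{{ns}}}purl", default="")}
        for c in root.findall(f"{{{ns}}}components/{{{ns}}}component")
    ]
    if not components:
        return _result(False, "no <components> declared; SCA has nothing to match")
    return _result(True, spec_version=ns[len(CYCLONEDX_NS_PREFIX):], components=components)

# Constructed sample BOM: made-up image and package versions, no vulnerability implied.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library"><name>openssl</name><version>1.1.1k</version>
      <purl>pkg:deb/debian/openssl@1.1.1k</purl></component>
    <component type="library"><name>zlib</name><version>1.2.11</version>
      <purl>pkg:deb/debian/zlib@1.2.11</purl></component>
  </components>
</bom>"""

if __name__ == "__main__":
    report = inspect_container_bom(SAMPLE_BOM)
    print("accepted" if report["ok"] else f"rejected: {report['reason']}",
          [f"{c['name']}@{c['version']}" for c in report["components"]])
```

Run it against the file you intend to pass with --container-bom-path; a JSON, SPDX or component-less document is reported as rejected with the reason, so the problem is found before the analysis is submitted.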

Limitations

Qwiet preZero supports both Linux- and Windows-based containers; however, you can analyze Windows-based containers only using Windows machines at this time.