How Bitnami continuously scans container images to fix CVE-reported security issues

As a developer, whether you run a set of development containers to build proofs of concept or run production workloads, you are probably aware of the number of CVEs that can affect your container's operating system packages.

Since its beginnings, Bitnami has worked to make sure every asset it publishes is up to date, not only with respect to application versions but also in security matters. Bitnami containers give you the latest stable version of the most popular open-source applications, built for production use.

This article gives an overview of how Bitnami maintains its container catalog and checks for operating system CVEs in Bitnami containers. A final section includes tips to help you enable the same CVE scans for your own containers.

Maintaining the containers catalog

Nowadays, Bitnami maintains a catalog of more than 90 containers, closely tracking upstream source changes and promptly publishing new versions of its images using its automated systems. Bitnami is very conscious of the need to keep the containers free of any kind of vulnerability, so it spends a lot of time on software automation.

A team effort in software automation pays off with nightly automated releases of the Bitnami containers catalog. Bitnami builds, tests, and releases new revisions that include the latest updates on each of the operating system components.

If you are curious, have a look at the Docker Registry of one of the most popular Bitnami containers: WordPress, where all the current tags of the containers that Bitnami actively maintains are found.

Tracking container CVEs

Continuously tracking CVEs for container images that are built and published automatically, and presenting the results in a way that is accessible to users, is not an easy task. To make the CVE analysis process for the Bitnami containers catalog clear for everyone, Bitnami started looking for platforms that could enable this.

After comparing different solutions and focusing on those that would not imply vendor lock-in, Bitnami chose Anchore Cloud because of its SaaS open-source model for public GitHub repositories and its easy integration with Docker Hub.

With Anchore Cloud, a user can search through all Bitnami container images published in Docker Hub and check the latest security reports. Furthermore, new images will automatically get scanned, so users will always find an updated report.

To check a Bitnami container security report, navigate to any of the Bitnami GitHub repositories and look for the Anchore badge:

Anchore GitHub badge

Click on that badge to be redirected to the Anchore Cloud security report for Bitnami's WordPress container:

WordPress security report

There you will find a list of CVEs affecting system packages, each with a link to the corresponding Linux distribution tracker.

It is important to tick the option called Show only CVE with fixes: that gives the real list of packages with security issues that Bitnami has not yet addressed, since a CVE for which the distribution has not published a fixed package cannot be resolved by rebuilding the image.
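The filter described above is easy to reproduce outside the Anchore UI, which is handy for alerting on your own images. The following script is an added example, not Bitnami's or Anchore's own tooling: it reads a vulnerability report (the JSON layout with `vuln`, `package`, `package_version`, `fix`, `severity` and `url` fields is an assumption; adapt the field names to whatever your scanner emits), keeps only the CVEs that already have an upstream fix, and groups them by package so each row is one concrete rebuild action. The CVE identifiers, package names and versions in the sample report are constructed placeholders.

```python
"""Reproduce the "Show only CVE with fixes" view over a scanner report.

Example code added to this article (not Bitnami's or Anchore's tooling).
Assumed report layout: {"vulnerabilities": [{"vuln", "package",
"package_version", "fix", "severity", "url"}, ...]}, where "fix" holds the
fixed package version or a marker such as "None" when no fix exists.
"""
import json
import re
from collections import defaultdict

# Constructed sample report: the CVE ids, packages and versions are
# placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "image": "docker.io/example/app:latest",
    "vulnerabilities": [
        {"vuln": "CVE-1900-0001", "package": "libexample1", "package_version": "1.2.3-1",
         "fix": "1.2.3-2", "severity": "High", "url": "https://tracker.example/CVE-1900-0001"},
        {"vuln": "CVE-1900-0002", "package": "libexample1", "package_version": "1.2.3-1",
         "fix": "None", "severity": "Medium", "url": "https://tracker.example/CVE-1900-0002"},
        {"vuln": "CVE-1900-0003", "package": "toolfoo", "package_version": "0.9-4",
         "fix": "0.9-5", "severity": "Critical", "url": "https://tracker.example/CVE-1900-0003"},
        {"vuln": "CVE-1900-0004", "package": "toolfoo", "package_version": "0.9-4",
         "fix": "0.9-6", "severity": "Low", "url": "https://tracker.example/CVE-1900-0004"},
    ],
})

# Values scanners commonly use in the "fix" field when no fixed version exists.
NO_FIX_MARKERS = {"", "none", "n/a", "wontfix", "not fixed"}


def has_fix(entry):
    """True when the scanner reports a fixed package version for this CVE."""
    fix = str(entry.get("fix", "")).strip().lower()
    return fix not in NO_FIX_MARKERS


def version_key(version):
    """Crude comparison key for dpkg/rpm-style version strings: the run of
    integers in the string. Enough to pick the newer of two fix versions for
    the same package; it is not a full dpkg/rpm version comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def fixable_cves(report_json):
    """Return only the entries with an upstream fix, i.e. the CVEs that a
    container rebuild against current distribution packages can address."""
    report = json.loads(report_json)
    return [v for v in report.get("vulnerabilities", []) if has_fix(v)]


def packages_to_update(report_json):
    """Group fixable CVEs by package: installed version, the highest fix
    version seen (one upgrade covers every listed CVE) and the CVE ids."""
    grouped = defaultdict(lambda: {"installed": None, "fix": None, "cves": []})
    for v in fixable_cves(report_json):
        row = grouped[v["package"]]
        row["installed"] = v["package_version"]
        row["cves"].append(v["vuln"])
        if row["fix"] is None or version_key(v["fix"]) > version_key(row["fix"]):
            row["fix"] = v["fix"]
    return dict(grouped)


if __name__ == "__main__":
    total = len(json.loads(SAMPLE_REPORT)["vulnerabilities"])
    rows = packages_to_update(SAMPLE_REPORT)
    print(f"{len(fixable_cves(SAMPLE_REPORT))} of {total} CVEs have a fix available")
    for package, row in rows.items():
        print(f"{package}: {row['installed']} -> {row['fix']}  ({', '.join(row['cves'])})")
```

Run against a real report, a non-empty result means the image still ships a package for which the distribution has already published a fix, which is exactly the case the article's filter is meant to surface; CVEs without a fix are still worth knowing about, but they are not a signal that the image build is behind.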

Adding your containers to Anchore Cloud

If you find the Anchore security reports useful and you are interested in scanning Docker images and getting email notifications about security issues or new versions, follow these instructions:

  • Sign up in Anchore Cloud.

  • Log in, and then search for your own containers using the search bar, which looks up containers in Docker Hub:

    Searching for containers in Anchore

    Click on the container tag you want to submit for analysis. In this case, latest was chosen.

    As this container image has not been previously analyzed, Anchore will point you to the button to submit that image for CVE analysis:

    Submit container for scan

  • Once the container image is submitted, wait until the analysis is finished. To check that you have subscribed to the container tag you submitted for analysis, click on My images in the sidebar:

    Anchore image analysis

  • Once the analysis finishes, you will receive an email notification with the link to the security report. From that moment on, each new update of the container image will get scanned automatically:

    Anchore email notifications

Now you can track the latest CVEs in your own containers while providing your users with a user-friendly security report.

Are you interested in Bitnami Docker images? Take a look at: