Maintaining Security Updates for Docker Images

To stay current with the latest security updates, Metric Insights takes the following actions:

  • Our Docker images run the latest stable release of Debian:  
    • Debian 12 "Bookworm" as of versions:
      • 6.4.4, released December 6, 2023,
      • 7.0, released February 9, 2024.
  • Debian OS updates are applied with each new major release of Metric Insights, approximately once a quarter. Regression tests are run with each new major release to confirm the application still works on the updated base.
  • Security vulnerability scans are executed with each major and minor release. Vulnerabilities flagged Critical and High are immediately addressed.
  • Linux packages are updated based on vulnerability scan results (Critical and High findings), provided that application features continue to function properly.
  • Only official Docker images are used as a base to build from.  

To ensure our Docker images have all current security updates and follow Docker best practices, we also follow a separate testing process, implemented as a CI/CD workflow. This process includes:

  1. Checking for Updates
  2. Checking for Vulnerabilities (CVEs) in the Images with JFrog and Trivy
  3. Checking Docker Images Using Docker Bench for Security
  4. Performing Penetration Testing (Automated and Manual)

1. Checking for Updates

Our internal tool checks whether an image build includes all security updates currently available for the Debian release the image is based on.
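As an added example (this is not Metric Insights' internal checker), the script below shows one way such a check can be done: run an apt upgrade simulation inside the built image and flag every candidate package that is served from Debian's security archive. The `docker run` command, the parsing of apt's `Inst` lines and the sample output are assumptions of this example, not something the page describes.

```python
"""Flag Debian security updates that a built image has not yet received.

Added example; not Metric Insights' internal update checker. It assumes the
image is Debian-based and that the caller captured the text of an apt
simulation run inside it, for example:

    docker run --rm IMAGE sh -c 'apt-get update -qq && apt-get -s dist-upgrade'

The sample output and version numbers below are constructed for illustration.
"""
import re
import sys

# apt-get -s emits one line per package it would install or upgrade:
#   Inst <pkg> [<installed>] (<candidate> <Origin>:<release>/<suite>[, ...] [<arch>])
INST_RE = re.compile(
    r"^Inst\s+(?P<pkg>\S+)\s+"
    r"(?:\[(?P<installed>[^\]]+)\]\s+)?"
    r"\((?P<candidate>\S+)\s+(?P<origins>.+?)\s+\[(?P<arch>[^\]]+)\]\)"
)


def pending_upgrades(apt_output: str) -> list[dict]:
    """Parse every 'Inst' line; 'Conf', 'Remv' and informational lines are ignored."""
    found = []
    for line in apt_output.splitlines():
        m = INST_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        # The origins field lists where the candidate version comes from, comma separated.
        entry["origins"] = [o.strip() for o in entry["origins"].split(",")]
        found.append(entry)
    return found


def is_security_origin(origin: str) -> bool:
    """Debian's security archive identifies itself as 'Debian-Security:<release>/<suite>-security'."""
    label = origin.split(":", 1)[0]
    return label == "Debian-Security" or origin.endswith("-security")


def pending_security_updates(apt_output: str) -> list[dict]:
    """Upgrades whose candidate version is served from the security archive."""
    return [u for u in pending_upgrades(apt_output)
            if any(is_security_origin(o) for o in u["origins"])]


def check(apt_output: str) -> int:
    """Exit status for CI: 0 when the image is current, 1 when security updates are pending."""
    missing = pending_security_updates(apt_output)
    for u in missing:
        print(f"MISSING SECURITY UPDATE: {u['pkg']} {u['installed']} -> {u['candidate']}")
    return 1 if missing else 0


# Constructed sample of what apt-get -s dist-upgrade prints inside a Debian 12 image.
SAMPLE_OUTPUT = """\
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  libssl3 openssl tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl3 [3.0.11-1~deb12u2] (3.0.13-1~deb12u1 Debian-Security:12/stable-security [amd64])
Inst openssl [3.0.11-1~deb12u2] (3.0.13-1~deb12u1 Debian-Security:12/stable-security [amd64])
Inst tzdata [2024a-0+deb12u1] (2024b-0+deb12u1 Debian:12.7/stable [all])
Conf libssl3 (3.0.13-1~deb12u1 Debian-Security:12/stable-security [amd64])
Conf openssl (3.0.13-1~deb12u1 Debian-Security:12/stable-security [amd64])
Conf tzdata (2024b-0+deb12u1 Debian:12.7/stable [all])
"""

if __name__ == "__main__":
    # Pipe real apt output on stdin, or run with no input to evaluate the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sys.exit(check(text))
```

Only packages whose candidate comes from the security archive fail the check; ordinary point-release updates (tzdata in the sample) are reported by `pending_upgrades` but do not block, which matches a policy that ties base updates to major releases while security updates are applied immediately.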

2. Checking for Vulnerabilities (CVEs) in the Images with JFrog and Trivy

Every image included in the Metric Insights product distribution is scanned for known vulnerabilities with at least two tools, JFrog Xray and Aqua Trivy, so that vulnerable packages are identified before an image reaches production.

However, Low severity vulnerabilities are not assessed. The logger and mysql images are also excluded from assessment: they are not intended for production environments and are shipped with the product only for testing purposes.

Vulnerabilities marked "no-dsa" by the distribution maintainers are omitted. That tag means the Debian security team judged the issue minor enough not to warrant a Debian Security Advisory, so any fix arrives with a regular point release rather than as an immediate security update. Such issues, together with findings whose severity is deemed low, are kept in a whitelist and are not remediated immediately.

Conversely, if a vulnerability requires an immediate security update and a fix is available, we take immediate action to remediate it.
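The triage rules above can be encoded as a CI gate over Trivy's JSON output. The script below is an added example, not Metric Insights' pipeline code or the JFrog/Trivy tooling itself. It assumes `trivy image --format json` output, a whitelist file with one CVE id per line (the same shape as a `.trivyignore` file), and that Medium findings are recorded without failing the build, which the page does not state. The report, package names, CVE ids and whitelist contents are constructed.

```python
"""CI gate over a Trivy JSON report implementing the triage rules above.

Added example, not Metric Insights' pipeline code. Assumes `trivy image --format json`
output (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, Severity,
InstalledVersion, FixedVersion) and a whitelist file of one id per line, like a
.trivyignore. Medium findings are recorded but do not fail the build (an assumption;
the page states rules for Low, High and Critical only). All data below is constructed.
"""
import json
import sys

TEST_ONLY_IMAGES = {"logger", "mysql"}   # shipped for testing only, never assessed
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def load_whitelist(text: str) -> set[str]:
    """Parse 'CVE-id [# reason]' lines; blank lines and comments are skipped."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def is_test_only_image(image_ref: str) -> bool:
    """True for e.g. 'registry.example/mi/logger:7.0' or 'mysql:8'."""
    name = image_ref.rsplit("/", 1)[-1].split(":", 1)[0]
    return name in TEST_ONLY_IMAGES


def evaluate(report: dict, whitelist: set[str]) -> dict:
    """Sort findings into blocking (fix now), tracked (watch) and ignored."""
    verdict = {"blocking": [], "tracked": [], "ignored": []}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key absent when clean
            vid = v["VulnerabilityID"]
            severity = v.get("Severity", "UNKNOWN").upper()
            finding = {"id": vid, "pkg": v.get("PkgName"), "severity": severity,
                       "installed": v.get("InstalledVersion"),
                       "fixed": v.get("FixedVersion") or None}   # empty string when unfixed
            if severity == "LOW" or vid in whitelist:
                verdict["ignored"].append(finding)
            elif severity in BLOCKING_SEVERITIES and finding["fixed"]:
                verdict["blocking"].append(finding)
            else:   # Critical/High without a fix yet, or Medium
                verdict["tracked"].append(finding)
    return verdict


def gate(image_ref: str, report: dict, whitelist: set[str]) -> int:
    """CI exit status: 1 when a fixable Critical/High finding remains."""
    if is_test_only_image(image_ref):
        print(f"{image_ref}: test-only image, scan results not assessed")
        return 0
    verdict = evaluate(report, whitelist)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['id']} {f['severity']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    for f in verdict["tracked"]:
        print(f"TRACK {f['id']} {f['severity']} {f['pkg']} (no fix yet, or Medium)")
    print(f"{len(verdict['ignored'])} finding(s) ignored (Low or whitelisted)")
    return 1 if verdict["blocking"] else 0


# Constructed whitelist in .trivyignore style: no-dsa ids with the reason recorded.
SAMPLE_WHITELIST = """\
# Debian tracker: no-dsa (minor issue, fix expected via a point release)
CVE-0000-0004  # libqux4
"""

# Constructed report shaped like `trivy image --format json` output; ids are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example/mi/web:7.0",
    "Results": [{
        "Target": "registry.example/mi/web:7.0 (debian 12.4)", "Class": "os-pkgs", "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo1", "Severity": "HIGH",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-1+deb12u1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar2", "Severity": "CRITICAL",
             "InstalledVersion": "2.3-4", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz3", "Severity": "LOW",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux4", "Severity": "HIGH",
             "InstalledVersion": "5.1", "FixedVersion": "5.2"},
            {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libquux5", "Severity": "MEDIUM",
             "InstalledVersion": "7.0", "FixedVersion": "7.1"},
        ],
    }],
}

if __name__ == "__main__":
    # Usage: python gate.py IMAGE report.json whitelist.txt; with no arguments the sample runs.
    if len(sys.argv) == 4:
        with open(sys.argv[2]) as rf, open(sys.argv[3]) as wf:
            sys.exit(gate(sys.argv[1], json.load(rf), load_whitelist(wf.read())))
    sys.exit(gate(SAMPLE_REPORT["ArtifactName"], SAMPLE_REPORT, load_whitelist(SAMPLE_WHITELIST)))
```

Keeping the whitelist as a file with a comment per entry gives an audit trail for every no-dsa or accepted-low decision, and reviewing that file when the base image is bumped is how such entries get retired once a point release carries the fix.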

3. Checking Docker Images Using Docker Bench for Security

The Docker Bench for Security script (referred to internally as DSWB) checks for common best practices when deploying Docker containers in production. Our tool runs this script against a built image in an automated test. The results of the scan are then compared with predefined expected values kept in a DSWB dictionary; any check whose result does not match its expected value is investigated and addressed.
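The comparison step can be implemented as a diff between the JSON log Docker Bench writes and a dictionary of expected results. The script below is an added example, not Metric Insights' tool or its dictionary; it assumes the JSON log format of docker-bench-security (a top-level `tests` list whose entries carry `results` with `id`, `desc` and `result`) and a baseline keyed by check id. The run and baseline shown are constructed, and the check ids follow the CIS Docker Benchmark numbering that the script uses.

```python
"""Compare a Docker Bench for Security run with an expected-results baseline.

Added example, not Metric Insights' tooling or its results dictionary. Assumes the
JSON log docker-bench-security writes next to its text log (a top-level "tests"
list, each entry holding "results" with "id", "desc" and "result"), and a baseline
mapping check id -> accepted result. The run and baseline below are constructed.
"""
import json
import sys

# Constructed baseline: the result each check is expected to produce for our images.
# A WARN entry is an accepted, documented deviation; anything worse than it is a regression.
BASELINE = {
    "4.1": "PASS",   # container runs as a dedicated non-root user
    "4.2": "PASS",   # built from a trusted base image
    "4.5": "WARN",   # content trust not enforced in the test environment (accepted)
    "4.6": "PASS",   # HEALTHCHECK instruction present
    "4.7": "PASS",   # no bare update instructions in the Dockerfile
}
# Ordering used to decide whether a result is worse than the baseline; unknown results rank worst.
RANK = {"PASS": 0, "INFO": 1, "NOTE": 1, "WARN": 2}


def flatten(report: dict) -> dict:
    """Map check id -> result across every section of the report."""
    results = {}
    for section in report.get("tests", []):
        for check in section.get("results", []):
            results[check["id"]] = check["result"]
    return results


def compare(report: dict, baseline: dict) -> dict:
    """Classify each check: regression, improvement, not in baseline, or missing from the run."""
    actual = flatten(report)
    out = {"regressions": {}, "improvements": {}, "unbaselined": {}, "missing": []}
    for cid, expected in baseline.items():
        if cid not in actual:
            out["missing"].append(cid)
            continue
        got = actual[cid]
        if RANK.get(got, 3) > RANK.get(expected, 3):
            out["regressions"][cid] = (expected, got)
        elif RANK.get(got, 3) < RANK.get(expected, 3):
            out["improvements"][cid] = (expected, got)
    for cid, got in actual.items():
        if cid not in baseline:
            out["unbaselined"][cid] = got
    return out


def gate(report: dict, baseline: dict) -> int:
    """CI exit status: 1 on regressions, checks the baseline does not know, or checks that did not run."""
    diff = compare(report, baseline)
    for cid, (exp, got) in diff["regressions"].items():
        print(f"REGRESSION {cid}: expected {exp}, got {got}")
    for cid, got in diff["unbaselined"].items():
        print(f"NEW CHECK {cid}: {got} (add to the baseline after review)")
    for cid in diff["missing"]:
        print(f"MISSING {cid}: check did not run")
    for cid, (exp, got) in diff["improvements"].items():
        print(f"IMPROVED {cid}: {exp} -> {got} (tighten the baseline)")
    return 1 if diff["regressions"] or diff["unbaselined"] or diff["missing"] else 0


# Constructed run; ids follow CIS Docker Benchmark section 4 (container images and build files).
SAMPLE_RUN = {
    "dockerbenchsecurity": "1.5.0",
    "tests": [{
        "id": "4", "desc": "Container Images and Build File",
        "results": [
            {"id": "4.1", "desc": "Ensure that a user for the container has been created", "result": "WARN"},
            {"id": "4.2", "desc": "Ensure that containers use only trusted base images", "result": "PASS"},
            {"id": "4.5", "desc": "Ensure Content trust for Docker is Enabled", "result": "PASS"},
            {"id": "4.6", "desc": "Ensure that HEALTHCHECK instructions have been added", "result": "PASS"},
            {"id": "4.7", "desc": "Ensure update instructions are not used alone in the Dockerfile", "result": "PASS"},
            {"id": "4.8", "desc": "Ensure setuid and setgid permissions are removed", "result": "WARN"},
        ],
    }],
}

if __name__ == "__main__":
    # Usage: python bench_diff.py docker-bench-security.sh.log.json; with no argument the sample runs.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RUN
    sys.exit(gate(report, BASELINE))
```

Distinguishing regressions from improvements matters in practice: a check that starts passing should prompt a tightening of the baseline, while a check that the baseline has never seen (a new benchmark version, for instance) should be reviewed and recorded rather than silently accepted.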

4. Performing Penetration Testing (Automated and Manual)

We have implemented a CI/CD job that runs an automated security scan with OWASP ZAP to check for weaknesses (classified by CWE, the Common Weakness Enumeration) and misconfigurations in the product and its included software components. In addition, extensive manual penetration testing is performed using Burp Suite, OpenVAS, Nikto, Nuclei, Metasploit, and other tools. Findings are then assessed with the relevant development and security teams to prioritize and remediate them, and follow-up assessments validate the effectiveness of the remediation and confirm that the identified gaps have been closed.