
We use Kubernetes and host our own images on GCR with Container Analysis enabled, so we get notified and can take action when vulnerabilities are found in the images we created.

But there are also third-party images that we use directly from Docker Hub or other repositories. How do I incorporate those into this security scanning flow?

  • Mirror the images we use on our registry by simply pulling, tagging and pushing images from Docker Hub. That way we could also restrict that only images from this private registry can be run, but it seems like a bit of a maintenance hassle?
  • Use something like Clair and the clair-scanner command line to register and scan those third-party resources. But this would require managing and maintaining Clair, so #1 maybe is a better option?
gerasalus

1 Answer

For security purposes and to keep everything under your control, I think the first option is a better way to go since you can safely scan your copy and manage the images. This also means that you can restrict which repositories your cluster will pull from so that only your own trusted repos are used.

Patrick W