We do our best to provide an application which doesn't have vulnerabilities.
Still, with Docker, the risk can come from what is included in the image, from the base images to dependencies.
Three kinds of potential vulnerabilities can be exposed:
- vulnerabilities in application dependencies, bundled with the SQ standard zip distributions.
- vulnerabilities in the Docker image dependencies, for instance installed tools like curl or an X11 server.
- vulnerabilities in the kernel of the Docker image.
With this MMF, we want to:
- directly act on the next image to reduce the attack surface as much as possible
- put in place a reliable process to avoid potential vulnerabilities in upcoming releases; this will of course also benefit our zip distribution.
- Formalize a process, manual or automated, that ensures that dependencies are up-to-date when releasing a new version of SonarQube. Dependencies include the Java/TS 3rd-party libraries bundled with the SonarQube zip distributions, and the Linux tools packaged with the Docker image.
- Integrate an SCA (Software Composition Analysis) audit into the CI pipeline
- Enable a system-security audit of the Docker image, for instance with tools like OpenSCAP, Anchore or Clair
- Use the smallest base image possible, for instance Google Distroless. The majority of vulnerabilities are found in the OS layer, so the choice of a good base image is critical.
- Do not package non-required tools inside the Docker image (X11, Qt, KDE, Apache, curl, ...)
- Apply security best practices, for instance:
  - Follow the guidelines described by https://github.com/docker/docker-bench-security
  - Use COPY rather than ADD https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57
  - Limit kernel capabilities (SELinux, ...)
  - Remove unnecessary setuid/setgid permissions (privilege escalation)
  - Download packages securely using GPG and certificates
  - Use multi-stage builds
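The following Dockerfile is an added illustration of how the items above (minimal base image, no extra tools, COPY instead of ADD, GPG-verified download, setuid/setgid removal, multi-stage build) fit together in one build. It is not the SonarQube project's own Dockerfile: the application name, version, download URL, signing-key URL, fingerprint and entry point are placeholders, and the distroless image tag is an assumption.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Every ARG default below is a
# placeholder to be replaced with the real distribution values.

# --- Stage 1: fetch and verify the distribution in a throwaway build stage ---
FROM debian:bookworm-slim AS fetch

# Placeholders (assumed values, not real identifiers)
ARG APP_VERSION=X.Y.Z
ARG APP_URL=https://example.invalid/app-${APP_VERSION}.zip
ARG APP_KEY_URL=https://example.invalid/app-release-key.asc
ARG APP_GPG_FINGERPRINT=0000000000000000000000000000000000000000

# Download/verification tools are installed here only; they never reach the
# final image, which keeps curl and gnupg out of the runtime attack surface.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl gnupg unzip \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /build
# Fetch over TLS (certificate-validated), import the release key, pin it to the
# expected fingerprint, and refuse to continue unless the detached signature
# verifies. Only then unpack, and strip any setuid/setgid bits from the tree.
RUN curl -fsSL -o app.zip "${APP_URL}" \
 && curl -fsSL -o app.zip.asc "${APP_URL}.asc" \
 && curl -fsSL -o key.asc "${APP_KEY_URL}" \
 && gpg --batch --import key.asc \
 && gpg --batch --fingerprint --with-colons | grep -q "^fpr:.*:${APP_GPG_FINGERPRINT}:" \
 && gpg --batch --verify app.zip.asc app.zip \
 && unzip -q app.zip -d /opt/app \
 && find /opt/app -type f -perm /6000 -exec chmod a-s {} +

# --- Stage 2: minimal runtime containing only the verified artefact ---
# Distroless Java base (tag assumed): no shell, no package manager, no curl.
FROM gcr.io/distroless/java17-debian12:nonroot
# COPY, not ADD: ADD would silently auto-extract archives and fetch URLs,
# bypassing the verification done in the first stage.
COPY --from=fetch --chown=nonroot:nonroot /opt/app /opt/app
USER nonroot
WORKDIR /opt/app
# Placeholder entry point
ENTRYPOINT ["java", "-jar", "/opt/app/app.jar"]
```

Build with `docker build --build-arg APP_VERSION=... --build-arg APP_GPG_FINGERPRINT=... .`; the build fails closed if the key fingerprint does not match or the signature does not verify, which is the point of combining certificates and GPG. Capability limits and SELinux are applied at run time rather than in the Dockerfile, for example `docker run --cap-drop=ALL` plus only the capabilities the application actually needs.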
Later on, we may also consider adding support for Docker/Kubernetes secrets, but that doesn't directly relate to making the image more secure.