Malicious Compliance: Reflections on Trusting Container Image Scanners

KubeCon EU 2023 Amsterdam

• Talk Recording
• Slides PDF
• Talk Abstract and Details

Presenters and Repo Contributors

• Ian Coldwater
• Duffie Cooley
• Brad Geesaman
• Rory McCune

Talk References

• Original base image
• Exploiting a Slightly Peculiar Volume Configuration with SIG-Honk
• Reflections on Trusting Trust
• The best way to write secure and reliable applications!

Repo Usage

Getting Started

If you want to follow along with the things we did in the talk, first, git clone this repo. Next, install the following dependencies/tools.

Note for M1/Arm users - This demo should work as-is with one exception, and that is the kubectl binary. Download a kubectl binary for arm64 overtop the current amd64 binary before building the images.

Install dependencies

• Docker
• Trivy
• Grype
• Syft
• Docker Scan
• Docker Scout
• jq

Build the images

Run the following command to build all the variations of the images:

make build-all

Scan the base image with all four scanners:

make scan-0-base

Show the results of scanning the base image:

make results-0-base

Repeat these steps for each of the image variants:

• make scan-1-os make results-1-os - Modified /etc/os-release
• make scan-2-pkg make results-2-pkg- Deleted APK metadata
• make scan-3-lang make results-3-lang - Symlinked Language Dependency Files
• make scan-4-bin make results-4-bin- UPX packed binaries
• make scan-5-zero make results-5-zero- Multi-stage build with all techniques combined

Other Exploration

Run make and see all the helper commands we used during this research.