Once you have attributed a vulnerability or threat to the specific code commit/source and have remediated it, it is ideal to establish a DevSecOps process that enables the following the following:
- Establish a security process that integrates into the development workflow and build pipelines
- Scanning container images and AMIs for vulnerabilities, malware, secrets, integrity and compliance and block builds that contain key security issues before they are deployed into production
- Build Trusted gateways for deployment and only allow deployments from trusted sources
While shift-left promised to address risk before they reach runtime environments, we’ve seen some key challenges in the market when it comes to actually making this a reality:
- It is not possible to fix everything at once: Not every critical vulnerability is fixable. Moreover, the context of the application being deployed and the risk of your runtime environment can help prioritize what vulnerabilities need fixing. Shift-left policies that don’t have exception management to be able to handle key use cases fail to be scalable in enterprise organizations.
- Developer Access/Integration To Security Tooling: Developers may not have access to your CNAPP tooling but still need context into the vulnerabilities found in their image and how to fix them.
- Image Deployments From Non-Trusted Repositories: Many threats emerge from images that are deployed from non-trusted repositories or even public repositories which may have a lot of secure images, but where it is hard to identify the integrity/provenance of every image present. You need to be able to enforce controls pre-runtime deployment as well.
In today’s fast-paced development landscape, ensuring the security of your software is more crucial than ever. At Uptycs, we’re excited to announce our new Image Security Policies feature, designed to fortify your CI/CD pipeline and streamline the way you manage image vulnerabilities. This enhancement allows you to create trusted gateways that not only enhance security but also empower your development teams.
What Are Image Security Policies?
Image Security Policies allow you to define and enforce security standards for your container images throughout the development lifecycle. By implementing these policies, you can:
- Automatically scan images for vulnerabilities, malware, and policy violations
- Route non-compliant images to a separate repository for review and remediation
- Ensure that only trusted, policy-compliant images are deployed to your production environment
- Grant exceptions when developers need more time to address issues
Image Security Policies provide a framework for managing and enforcing security standards throughout your development pipeline. This feature enables teams to identify and mitigate vulnerabilities in container images, ensuring that only trusted images are deployed to your environments.
How It Works
1. Policy-Based Scanning in CI/CD
As part of your CI/CD pipeline, our scanner examines each container image against your defined security policies. These policies can check for:
- Exploitable vulnerabilities
- Presence of malware and secrets
- Compliance issues such as usage of root uses in a dockerfile
- Integrity of the image - making sure that it is signed by the likes of a Cosign or Notary or making sure it comes from a trusted registry source
2. Intelligent Routing
Based on the scan results:
- Images that fail the policy checks can be sent to a designated repository for developer review and remediation.
- Images that pass all checks can be automatically routed to a trusted repository, ready for deployment.
To ensure the integrity of your production environment:
- Kubernetes deployments are configured to pull only from the trusted repository.
- Admission controls can be enabled to prevent any attempts to bypass the trusted gateways.
4. Local CLI Scanning
Developers can run our CI scanner locally in their command-line interface before pushing changes. This empowers them to catch and fix issues early, streamlining the development process.
5. Flexible Exception Handling
We understand that security and development velocity sometimes need to be balanced. That's why our Image Security Policies feature includes an exception mechanism:
- If a developer needs more time to address identified issues, an exception can be granted.
- This exception allows the image to proceed through the build or deployment process, even if it doesn't fully meet the defined security policies.
- Exceptions can be time-bound and require appropriate approvals, ensuring that security risks are acknowledged and managed.
Why Image Security Policies Matter
With the rapid adoption of containers and microservices, the risk of deploying vulnerable images has increased significantly. Image Security Policies empower organizations to take proactive steps in managing these risks, ensuring that only secure images are pushed to production. By integrating security directly into the development process, teams can enhance collaboration, reduce friction, and improve overall software quality.
Enhancing Collaboration Between Devs and SecOps
One of the standout benefits of our Image Security Policies is the way it fosters collaboration between development and security teams. With clear visibility into vulnerabilities and a structured process for remediation, developers can work closely with security teams to ensure that their applications are not only functional but also secure.
Conclusion
The introduction of Image Security Policies marks a significant step forward in Uptycs' commitment to enhancing the security of your development pipeline. By implementing these policies, you’re not just protecting your applications; you’re also enabling your teams to innovate with confidence.
The Uptycs Blast Radius Mitigation Framework is a five-step journey to cloud security resilience. Read the guide to learn more.