Enforce Docker Image CIS Policy Compliance with Tripwire for DevOps

We are working hard adding features to our new Tripwire for DevOps service, initially announced at BlackHat 2018. If you are a loyal State of Security follower, last you read we added Auditing for Amazon Machine Images (aka AMIs). Today, we are introducing CIS policy compliance auditing for Docker images.

Tripwire for DevOps allows you to evaluate your Docker Images to check for policy compliance at build time. Doing so ensures those images are compliant with CIS policies before they are put into production.

How To

Whether you are experimenting with the service or integrating it with your CI/CD build tool e.g. Jenkins or GoCD or Travis CI, policy compliance scanning is enabled using the twdevops command line ‘-policy CIS’ flag.

Currently, this feature is only available for Docker images, but stay tuned for an update on AMI scanning.

Once the image is pushed and you have a request id, you can check for the status of the scan

Once the scan is complete (Status: ScanComplete), fetch the results in either JSON or JUnit formats (JSON example shown)

I did not include scan results here… it was just too much data. Handy tip: The JSON output contains information familiar to existing Tripwire Enterprise customers, including the remediation details provided by our CIS Policy content team.

The online documentation contains additional details about the twdevops command line as well as for the platform and policy support.

Now that you have scanned an image, you can see the dashboard now includes Policy Results.

Now that an image has been scanned, the Tripwire for DevOps web interface displays both the Policy and Policy Test information in addition to Vulnerability and Application information per Docker image.

Policy results are in the dashboard.

Matching Policies and Policy Tests can be found when (Read more...)