Although many organizations are shifting security to the left and embracing the integration of security tools into their continuous integration / continuous delivery pipelines, there are others who have different wants and needs.

Private Registries

One popular use case for Tripwire for DevOps is the scanning of private customer registries. Tripwire for DevOps is able to periodically enumerate and scan the Docker images that exist in your private Docker V2 or hosted registries. We have recently expanded the hosted registry support to include Amazon Elastic Container Registry, Azure Container Registry, Google Container Registry and Quay.io.

New images are automatically discovered within the private registry, and vulnerability scans are performed per a user-defined schedule. This allows DevOps groups who wish to decouple vulnerability scanning from delivery or deployment with the ability to do so. Audits can be performed in parallel with build jobs without potentially interrupting a delivery pipeline.

Alerts

Of course, utilizing out-of-band image assessment requires a method of alerting the user when vulnerable images are found. With Tripwire for DevOps, users can send email alerts for vulnerable images on a global or repository basis, so responsible teams are sure to be notified of any vulnerabilities encountered.

The Quality Gate function allows the user to define what criteria qualifies as passing or failing within the Tripwire for DevOps system. The user may choose from pre-configured options or create a truly custom quality gate tailored to a specific Docker image. This allows teams responsible for each image to create their own alerting protocol.

Discovering vulnerabilities as early as possible is one of the core tenants of Tripwire for DevOps, and with image vulnerability analysis integrated into your build pipeline, you can ensure you are catching each problem early.

For organizations that desire a less integrated approach, you can still accomplish (Read more...)