What strange cryptography is lurking in the 50 most popular Docker container images?
Short answer: last month we decided it would be interesting to test the 50 most popular Docker base images with Cryptosense Analyzer to see what we could find. See the results here.
More and more of us deliver our applications in containers. Often, we build our final container images on existing base images, which means our production deployments inherit everything that is in them. It is well-known best practice to scan the base image with a software composition analysis (SCA) tool for vulnerable components, and to check that no private keys or credentials were accidentally left in it.
But what about the cryptographic artifacts, like keys and certificates, that we inherit from the base image? How secure and compliant are they? Do they cause our final application to trust servers or certificate authorities we never decided to trust?
To find out, we ran our container cryptography scanner over the 50 most popular Docker base images and sent the results to Cryptosense Analyzer Platform (CAP). You can see the results for yourself by opening up a free access to CAP (the Docker image results are preloaded on free accounts).
Highlights include self-signed certificates, private keys, and insecure keys including 1024-bit DSA and RSA code-signing keys.
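The kind of check behind those highlights can be reproduced with a small script. The following is an added example written for this page, not Cryptosense's scanner or any code from the original post: it walks a directory tree (assumed to be a container rootfs unpacked with `docker export`), finds PEM-encoded RSA/DSA private keys and X.509 certificates, reports the key size, and flags keys under a 2048-bit threshold (an assumption chosen to catch the 1024-bit keys mentioned above) and certificates whose issuer equals their subject. It uses only the standard library, so it parses just the DER fields it needs rather than full X.509, and the fixture keys and certificates it scans are constructed DER skeletons, not real material.

```python
import base64
import os
import re
import tempfile

MIN_KEY_BITS = 2048  # assumption: RSA/DSA keys shorter than this are flagged weak
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val

def key_bits(key_der):
    """Second INTEGER of a PKCS#1 RSAPrivateKey (modulus) or OpenSSL DSA key (p)."""
    _, body, _ = der_read(key_der)
    return int.from_bytes(list(der_children(body))[1][1], "big").bit_length()

def cert_is_self_issued(cert_der):
    """TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, sigAlg, issuer,
    validity, subject, spki, ... }. Equal issuer and subject DER means self-issued;
    proving 'self-signed' would also need a signature check, which is skipped here."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    fields = list(der_children(tbs))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip explicit [0] version
    return fields[2] == fields[4]

def scan_pem(data, path):
    """Return one finding dict per PEM key or certificate block in data."""
    findings = []
    for label, body in PEM_RE.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
            if label in (b"RSA PRIVATE KEY", b"DSA PRIVATE KEY"):
                bits = key_bits(der)
                findings.append({"path": path, "kind": label.decode().lower(), "bits": bits, "weak": bits < MIN_KEY_BITS})
            elif label == b"CERTIFICATE":
                findings.append({"path": path, "kind": "certificate", "self_issued": cert_is_self_issued(der)})
        except (ValueError, IndexError):  # malformed base64 or DER: skip it, don't crash the scan
            continue
    return findings

def scan_tree(root):
    """Walk an exported rootfs (docker export ... | tar -x) and collect findings."""
    findings = []
    for path in (os.path.join(d, n) for d, _, names in os.walk(root) for n in names):
        try:
            with open(path, "rb") as fh:
                findings.extend(scan_pem(fh.read(1 << 20), path))
        except OSError:  # unreadable special files in a real rootfs
            continue
    return findings

# Constructed fixtures: DER skeletons with dummy fields, not real keys or certificates.
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)
der_seq = lambda *items: der_tlv(0x30, b"".join(items))
def pem(label, der):
    return b"-----BEGIN %s-----\n" % label + base64.encodebytes(der) + b"-----END %s-----\n" % label

def make_key_pem(label, bits):
    # version 0, a bits-long modulus (or p), then a public exponent: enough for key_bits()
    return pem(label, der_seq(der_int(0), der_int((1 << (bits - 1)) | 1), der_int(65537)))

def make_cert_pem(issuer_cn, subject_cn):
    name = lambda cn: der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0C, cn))))
    tbs = der_seq(der_tlv(0xA0, der_int(2)), der_int(1), der_seq(), name(issuer_cn),
                  der_seq(), name(subject_cn), der_seq())
    return pem(b"CERTIFICATE", der_seq(tbs, der_seq(), der_tlv(0x03, b"\x00")))

def demo_scan():
    """Write the fixtures into a temporary 'rootfs', scan it, and key findings by file name."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssl"))
        files = {"weak.key": make_key_pem(b"RSA PRIVATE KEY", 1024),
                 "ok.key": make_key_pem(b"RSA PRIVATE KEY", 2048),
                 "dsa.key": make_key_pem(b"DSA PRIVATE KEY", 1024),
                 "self.crt": make_cert_pem(b"scratch-ca", b"scratch-ca"),
                 "leaf.crt": make_cert_pem(b"scratch-ca", b"web")}
        for name, content in files.items():
            with open(os.path.join(root, "etc", "ssl", name), "wb") as fh:
                fh.write(content)
        return {os.path.basename(f["path"]): f for f in scan_tree(root)}

if __name__ == "__main__":
    print(*sorted(demo_scan().items()), sep="\n")
```

To run it against a real image, unpack the filesystem first (`docker export "$(docker create IMAGE)" | tar -x -C rootfs`) and call `scan_tree("rootfs")`. Two caveats a practitioner should keep in mind: the script only understands PEM blocks labelled `RSA PRIVATE KEY`, `DSA PRIVATE KEY` and `CERTIFICATE` (not PKCS#8, EC keys or DER files), and the "self-issued" test compares issuer to subject without verifying the signature, so a production inventory should hand each finding to a real parser such as `openssl x509` or the `cryptography` library.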
Note that none of these constitute immediate vulnerabilities in the base image - otherwise we wouldn’t be revealing them publicly. Indeed, in some cases, they show how a holistic cryptography scan avoids some of the false-positive issues associated with typical private-key scans. However, they certainly bring to light things you don’t want in your final deployed artifacts - particularly if you operate with sensitive data or in regulated environments.
The good news is that, with a CAP free account, you can also scan your own final container images and get a full crypto inventory and vulnerability analysis. In the next few weeks, we’ll be explaining how you can use this to set up container crypto checks in your CI/CD pipeline with our integrations. Even better, we’ll show you how you can audit the cryptographic operations your application really makes with our application tracers, and cross-reference the results, all in the same account. So you might like to sign up for one now.