
[Sponsored] CramHacks: Securing Containers with RapidFort

Curated Images, hardening at scale, and security benchmarking. I'm genuinely impressed by RapidFort's instrumentation and hardening workflows.

Part 2 of 2: We’re back with another blog post sponsored by RapidFort. This post covers RapidFort’s offerings, including curated images and the RapidFort platform. If you want to learn more about their free-tier hardened images, check out Part 1.

RapidFort is a container security platform, trusted by the Department of Defense, for managing container vulnerabilities. It offers two tiers of container images: free “Community” images that come pre-hardened, and premium “Curated” images that are kept at near-zero CVEs through continuous patching. Beyond the images, RapidFort gives developers a toolchain to profile, harden, and benchmark containers inside their CI/CD pipeline, available both on-prem and as SaaS.

Sounds interesting? Get a free 30-day trial license!

In every RapidFort conversation I’ve had, the discussion has started with something like, “How do they differ from Chainguard?” So, there’s no hiding that they are competitors, but what makes them different?

The most significant differentiator is that RapidFort’s offerings cater to organizations wanting to use Linux distributions with long-term stability, such as Ubuntu, Red Hat, Debian, and Alpine. Additionally, RapidFort’s platform goes beyond offering images with fewer vulnerabilities; it also provides attack surface management features that simplify scanning, profiling, and hardening your applications.

The attack surface management piece is hugely important. Yes, using base images with no or few CVEs is a great start, but what about the issues introduced via your application?

Curated Images

The easy button is Curated Images. They are hosted on a RapidFort Quay instance, ready to pull and use. They’re marketed as “Near Zero Vulnerability Images,” but perhaps more importantly, they come with all the desirable compliance checkboxes. Check out Your Guide to Zero CVE Images: A Practical Approach for more details.

It’s worth noting that RapidFort is primarily a byproduct of the DoD’s desire to secure its software supply chain, securing over $10 million in contracts. In addition, RapidFort’s tooling is used in part to create the hardened images offered via Iron Bank. Needless to say, compliance is a priority.

Zachary Burke, the former Chairman of Iron Bank, discusses the bank's history and considers RapidFort “A Brilliant Solution To An Almost Impossible Problem.”

I first created a project on RapidFort’s platform. Conveniently, there’s an option to connect my registry to onboard my images quickly. What’s neat about this feature is that it’ll assess which base images are in your registry and compare them to RapidFort’s Curated Images. From here, you can quickly evaluate, for instance, “your Nginx base image has 50 vulnerabilities, RapidFort has a comparable image with zero vulnerabilities.”

Curated images are what generally bring Chainguard to mind. But again, RapidFort’s images are tailored to teams that want to keep using LTS Linux distributions. Want Nginx on Ubuntu? No problem.

The idea is to start with their curated images, mostly eliminating vulnerabilities in your base images. Then, use the RapidFort Platform to further harden that image by profiling your usage of it at runtime and pruning what is unused.

The hardening options are as follows:

  • Light: removes unused packages that carry High or Critical CVEs; unused packages with Unknown, Medium, Low, or no vulnerabilities are retained.

  • Standard: removes unused packages with any known vulnerability, regardless of severity; unused packages with no vulnerabilities are retained.

  • Aggressive: removes every package that profiling found unused.

  • Custom hardening profiles: --profile <file> specifies a hardening profile file.

overview of RapidFort hardening profiles

Harden an Image With RapidFort

For this example, I will use the nginx:latest image, which at the time of writing is Nginx 1.27.4. Docker Hub reports 231 packages and 61 known vulnerabilities, which matches the results of my Docker Scout scan via the CLI.

nginx vulnerabilities reported by Docker Scout

Scanning with RapidFort’s tooling, which also onboarded the project into the platform, found 150 packages and 47 vulnerabilities. The breakdown is also nice: 16 have known exploits, 33 have fixes available, and zero appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

OMG, KYLE DOCKER SCOUT FOUND MORE VULNERABILITIES. IT MUST BE BETTER!!! No. Docker Scout reported dozens of false positives, primarily because of dependency relationships and poor CVE entries. RapidFort has a separate list of 45 “RF Advisories.” These are CVEs that RapidFort has determined to be false positives, most of which I validated myself because I have trust issues 😅.

For instance, Docker Scout reported CVE-2022-3219, which the GnuPG maintainers have deferred for years. Fortunately, RapidFort removed it as a vulnerability and provided a justification. That matters given how many CVEs get filed for bugs with no demonstrated security impact.

RapidFort justification for RF Advisory
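To make the triage concrete, here is an added example (my own illustration, not RapidFort’s or Docker Scout’s code) of how a scanner’s findings get reconciled against a list of “this does not apply” advisories and then ranked the way the breakdown above does: known exploit, fix available, KEV-listed. The findings, the advisory wording, and the KEV subset are constructed sample data; CVE-0000-* identifiers are placeholders, and CVE-2023-44487 is a real KEV-listed CVE included only to exercise that path.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str        # CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN
    fix_available: bool
    exploit_known: bool


@dataclass(frozen=True)
class Advisory:
    """A vendor statement that a (CVE, package) pair does not apply to the image."""
    cve: str
    package: str
    justification: str


SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed scanner output. CVE-2022-3219 is the GnuPG entry from the post;
# CVE-2023-44487 (HTTP/2 Rapid Reset) is a real, KEV-listed CVE used only to
# exercise the KEV path; CVE-0000-* are placeholder identifiers, not real CVEs.
FINDINGS = (
    Finding("CVE-2022-3219", "gpgv", "LOW", False, False),
    Finding("CVE-0000-0003", "libfoo1", "LOW", False, False),
    Finding("CVE-0000-0001", "libfoo1", "CRITICAL", True, False),
    Finding("CVE-0000-0002", "libbar2", "MEDIUM", False, True),
    Finding("CVE-0000-0002", "libbaz0", "MEDIUM", True, False),
    Finding("CVE-2023-44487", "libnghttp2-14", "HIGH", True, True),
)

# Constructed advisories; the justification text is made up, not RapidFort's wording.
ADVISORIES = (
    Advisory("CVE-2022-3219", "gpgv", "Upstream has deferred the fix; no practical impact on gpgv usage."),
    Advisory("CVE-0000-0002", "libbar2", "Affected code path is not compiled into this build."),
    Advisory("CVE-0000-0009", "libqux", "Stale advisory: package no longer present in the image."),
)

KEV = frozenset({"CVE-2023-44487"})   # constructed subset of the CISA KEV catalog


def reconcile(findings, advisories):
    """Split findings into (remaining, suppressed, unmatched_advisories).

    Matching is on the (CVE, package) pair: an advisory saying CVE-X is a
    false positive in package A must not silence CVE-X in package B.
    Advisories that match nothing are returned so stale ones get noticed.
    """
    by_key = {(a.cve, a.package): a for a in advisories}
    remaining, suppressed, matched = [], [], set()
    for f in findings:
        adv = by_key.get((f.cve, f.package))
        if adv is None:
            remaining.append(f)
        else:
            suppressed.append((f, adv.justification))
            matched.add((adv.cve, adv.package))
    unmatched = [a for a in advisories if (a.cve, a.package) not in matched]
    return remaining, suppressed, unmatched


def summarize(remaining, kev):
    """The same breakdown the post reports: exploits, fixes, KEV hits."""
    return {
        "total": len(remaining),
        "known_exploits": sum(1 for f in remaining if f.exploit_known),
        "fixes_available": sum(1 for f in remaining if f.fix_available),
        "in_cisa_kev": sum(1 for f in remaining if f.cve in kev),
    }


def prioritize(remaining, kev):
    """Worst first: KEV-listed, then exploit known, then fixable, then severity."""
    return sorted(
        remaining,
        key=lambda f: (f.cve in kev, f.exploit_known, f.fix_available,
                       SEVERITY_RANK.get(f.severity, 0)),
        reverse=True,
    )


if __name__ == "__main__":
    remaining, suppressed, unmatched = reconcile(FINDINGS, ADVISORIES)
    print(summarize(remaining, KEV))
    for f in prioritize(remaining, KEV):
        print(f.cve, f.package, f.severity)
    for f, why in suppressed:
        print("suppressed:", f.cve, f.package, "-", why)
    for a in unmatched:
        print("advisory matched nothing:", a.cve, a.package)
```

The point of keying suppression on the (CVE, package) pair rather than on the CVE alone is that the same CVE can legitimately be a false positive in one package and real in another, which is exactly the kind of dependency-relationship noise the Scout comparison above ran into.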

Now that the image has been scanned, it is onboarded into the platform, and we can see its SBOM, licenses, vulnerabilities, file structure, and so on. The next step is instrumenting the image so we know what junk can be deleted to slim it down. To do this, we generate a stub image, run it, and exercise whatever functionality we’d expect from the image in production. This produces an RBOM, or Real Bill of Materials, so named because it records the packages actually used when the image runs.

running nginx-stub for profiling

Once the stub has been profiled, stop the instance and use the rfharden tool to produce a new image containing only the packages required for the functionality observed during instrumentation. As a user, there should be no difference in experience between the hardened image and the original, provided the profiling run exercised everything production will.

The following image is the output from the hardening process in aggressive mode. We’ve removed all unused packages during profiling, resulting in a massive reduction in size and total vulnerabilities 😯.

results of hardening nginx-stub

Returning to the platform, we can also evaluate which specific files were used or unused and which were removed in the hardened image. At first glance, the results make perfect sense—for instance, RapidFort removed files relevant to the apt and ssh packages because they were not used during my runtime profiling.
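As an added illustration (not RapidFort’s rfstub/rfharden code, which instruments the image itself), the following Python sketches what an RBOM is and how the Light, Standard, and Aggressive profiles listed earlier differ, given a package inventory and a trace of the files a stub touched while running. All packages, file ownership, CVE data, and the trace are constructed sample data modelled loosely on a Debian-style nginx image; CVE-0000-* are placeholder identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    files: frozenset        # paths the package owns (think `dpkg -L <pkg>`)
    cves: tuple             # (cve_id, severity) pairs open against this package
    depends: tuple = ()     # package names this one requires at runtime


# Constructed sample inventory. CVE-0000-* are placeholders, not real CVEs.
PACKAGES = (
    Package("nginx", frozenset({"/usr/sbin/nginx", "/etc/nginx/nginx.conf"}), (), ("libc6", "libpcre2-8-0")),
    Package("libc6", frozenset({"/lib/x86_64-linux-gnu/libc.so.6"}), (("CVE-0000-0001", "LOW"),)),
    Package("libpcre2-8-0", frozenset({"/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0"}), ()),
    Package("apt", frozenset({"/usr/bin/apt", "/usr/bin/apt-get"}), (("CVE-0000-0002", "MEDIUM"),), ("libc6", "gpgv")),
    Package("gpgv", frozenset({"/usr/bin/gpgv"}), (("CVE-0000-0003", "LOW"),), ("libc6",)),
    Package("openssh-client", frozenset({"/usr/bin/ssh"}), (("CVE-0000-0004", "HIGH"),), ("libc6",)),
    Package("curl", frozenset({"/usr/bin/curl"}), (("CVE-0000-0005", "CRITICAL"), ("CVE-0000-0006", "LOW")), ("libc6",)),
    Package("perl-base", frozenset({"/usr/bin/perl"}), (), ("libc6",)),
)

# Constructed trace of files opened while the stub served one request.
# libpcre2 is deliberately absent (the trace "missed" it), which is why the
# dependency closure in build_rbom matters.
ACCESSED_FILES = frozenset({
    "/usr/sbin/nginx",
    "/etc/nginx/nginx.conf",
    "/lib/x86_64-linux-gnu/libc.so.6",
    "/app/config.yml",          # owned by no package
})


def build_rbom(packages, accessed_files):
    """Return (used_package_names, unowned_accessed_files).

    A package is used if any file it owns was accessed. The set is then
    closed over runtime dependencies so a library the trace happened to
    miss is not stripped out from under a package that needs it.
    """
    by_name = {p.name: p for p in packages}
    owner = {f: p.name for p in packages for f in p.files}
    used = {owner[f] for f in accessed_files if f in owner}
    unowned = {f for f in accessed_files if f not in owner}
    stack = list(used)
    while stack:
        name = stack.pop()
        for dep in (by_name[name].depends if name in by_name else ()):
            if dep not in used:
                used.add(dep)
                stack.append(dep)
    return used, unowned


def select_removals(packages, used, profile):
    """Apply one of the post's hardening profiles to the unused packages."""
    removals = set()
    for p in packages:
        if p.name in used:
            continue
        severities = {sev for _, sev in p.cves}
        if profile == "aggressive":
            drop = True                                   # everything unused goes
        elif profile == "standard":
            drop = bool(p.cves)                           # any known CVE, any severity
        elif profile == "light":
            drop = bool(severities & {"HIGH", "CRITICAL"})
        else:
            raise ValueError(f"unknown profile: {profile}")
        if drop:
            removals.add(p.name)
    return removals


def broken_dependencies(packages, removals):
    """(kept_package, removed_dependency) pairs a removal plan would break."""
    return {(p.name, d) for p in packages if p.name not in removals
            for d in p.depends if d in removals}


if __name__ == "__main__":
    used, unowned = build_rbom(PACKAGES, ACCESSED_FILES)
    print("used:", sorted(used), "unowned files:", sorted(unowned))
    for profile in ("light", "standard", "aggressive"):
        removals = select_removals(PACKAGES, used, profile)
        print(profile, "removes", sorted(removals), "breaks", broken_dependencies(PACKAGES, removals))
```

The result mirrors what the platform showed for nginx: apt and the ssh client go away under the aggressive profile because nothing touched them. The caveat is that the trace is the whole game. A code path the profiling run never exercised (log rotation, an error page, a TLS renegotiation) looks unused and gets pruned, so the profiling run has to cover what production will actually do.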

Security Benchmarks

RapidFort curated images come pre-tagged with FIPS and STIG compliance, but what about your resultant container image? The same tooling used to scan these curated images is made available to customers, allowing you to run benchmarks against your image and receive a detailed report.

Support varies per operating system, but generally, there are benchmarks for ANSSI, CIS, CJIS, NIST, ACSC, HIPAA, and PCI-DSS. The current target operating systems for these benchmarks include:

  • CentOS 7

  • CentOS 8

  • Debian 10

  • Debian 11

  • Debian 12

  • openSUSE Leap 15

  • Oracle Linux 7

  • Oracle Linux 8

  • Oracle Linux 9

  • RHEL 7

  • RHEL 8

  • RHEL 9

  • RHEL 10

  • Ubuntu 16.04

  • Ubuntu 18.04

  • Ubuntu 20.04

  • Ubuntu 22.04

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.