on 03-14-2025 09:56 AM
NOTE: MY POSTINGS REFLECT MY OWN VIEWS AND DO NOT NECESSARILY REPRESENT THE VIEWS OF MY EMPLOYER
Why?
Container image scanning is an important capability that ServiceNow provides. It regularly scans container images and records the software packages included in each image. It can also generate SBOMs (Software Bill of Materials) in multiple formats. This is excellent for tracking the software deployed within container images, not only for security purposes (log4j anyone?...) but also for risk and compliance purposes. (Who knows how many containerized SQL servers are currently running in their environment and what their license impact is?)
In order to do these scans, ServiceNow is utilizing the open source container image scanner Trivy from Aqua Security.
As container image repository entries are added into the CMDB, they're batched up and passed over to any of the MID servers marked with the "Scan Container Images" capability. Those MID servers will then pull down their assigned images and run trivy against them. The CMDB will then be updated with the Container Image OS Packages and an SBOM will be attached to the image (if SBOM generation has been configured).
However, at the time of this writing all of the official documentation only covers utilizing a non-containerized MID server to do the scanning.
It seems to me that if you're scanning container images, it makes sense to do it from a containerized MID server.
How?
I won't be covering how to build the container and deploy it since I've covered that in a few other community articles. I'll cover the most important piece of changing the Dockerfile to get it to build and run properly.
Install 'which' utility into the image
The first step of the container image scan pattern uses 'which' to determine whether trivy is installed on the MID server. However, the default MID image doesn't come with 'which' installed. To install it you'll need to change the following section of the Dockerfile.
Change it from this:
# Install security and bugfix updates, and then the required packages.
RUN dnf update -y --security --bugfix && \
    dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    dnf install -y --allowerasing glibc-langpack-en \
        bind-utils \
        xmlstarlet \
        curl \
        procps-ng \
        diffutils \
        net-tools && \
    dnf clean all -y && \
    rm -rf /tmp/*
to this:
# Install security and bugfix updates, and then the required packages.
RUN dnf update -y --security --bugfix && \
    dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    dnf install -y --allowerasing glibc-langpack-en \
        bind-utils \
        xmlstarlet \
        curl \
        procps-ng \
        diffutils \
        which \
        net-tools && \
    dnf clean all -y && \
    rm -rf /tmp/*
Note that which is inserted between diffutils and net-tools.
Install trivy application
Add the lines below to the Dockerfile that came with the container build download. They go after the section that adds the mid user and group to the container.
# Install the trivy image scanner
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin latest
This line comes straight from the Trivy install documents. It pulls down an install script from the Git repo and runs it to install the "latest" version of the trivy scanner. You may need to change "latest" at the end of this line to a specific version if the ServiceNow capability lags behind the most recent Trivy release.
Now, as this image is being built it'll pull down the install script and install the latest version of trivy on the MID server image.
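As an added check (this script is my own example, not code from the article, ServiceNow or Aqua Security), the bash script below lints a MID server Dockerfile for the two changes described above: that 'which' appears in the dnf package list, and that a Trivy install step exists and asks install.sh for an explicit release tag rather than the floating "latest", so rebuilds of the image get the same scanner version. The sample Dockerfile fragments it writes are constructed for the example, and the tag v0.58.0 they use is an illustrative placeholder, not a recommended version.

```shell
#!/usr/bin/env bash
# Added example (not from the article): lint a MID server Dockerfile for the
# two changes the article describes. Sample Dockerfiles below are constructed.

# Fold backslash-continued lines so each RUN instruction becomes one record.
join_continuations() {
  awk '/\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
       { print buf $0; buf = "" }' "$1"
}

# 0 if some `dnf install` RUN step lists the `which` package (the container
# image scan pattern calls `which` to locate trivy on the MID server).
dockerfile_installs_which() {
  join_continuations "$1" | grep -E '^RUN .*dnf install' | grep -qw 'which'
}

# Print the RUN line that fetches Trivy's contrib/install.sh, if any.
trivy_install_line() {
  join_continuations "$1" | grep -E '^RUN .*aquasecurity/trivy/.*contrib/install\.sh'
}

dockerfile_installs_trivy() {
  trivy_install_line "$1" | grep -q .
}

# 0 if install.sh is asked for an explicit release tag (vX.Y.Z) rather than
# the floating "latest", so image rebuilds get the same scanner version.
trivy_install_pinned() {
  trivy_install_line "$1" | grep -qE -e '-b [^ ]+ v[0-9]+\.[0-9]+\.[0-9]+ *$'
}

# Run all checks on one Dockerfile, report, and return non-zero on any finding.
lint_dockerfile() {
  local rc=0
  if dockerfile_installs_which "$1"; then
    echo "ok:   'which' is installed"
  else
    echo "FAIL: 'which' is not installed; the scan pattern needs it to find trivy"; rc=1
  fi
  if ! dockerfile_installs_trivy "$1"; then
    echo "FAIL: no trivy install step found"; rc=1
  elif trivy_install_pinned "$1"; then
    echo "ok:   trivy install is pinned to a release tag"
  else
    echo "WARN: trivy install uses a floating version; pin a tag for reproducible builds"; rc=1
  fi
  return "$rc"
}

# Write a constructed Dockerfile fragment to $2. Modes: stock (unmodified
# image), floating (both changes, trivy "latest"), fixed (both changes, pinned).
write_sample_dockerfile() {
  local trivy_ver='v0.58.0'   # illustrative tag for the example, not a recommendation
  [ "$1" = floating ] && trivy_ver=latest
  cat > "$2" <<'EOF'
# Install security and bugfix updates, and then the required packages.
RUN dnf update -y --security --bugfix && \
    dnf install -y --allowerasing glibc-langpack-en \
        diffutils \
EOF
  [ "$1" != stock ] && printf '%s\n' '        which \' >> "$2"
  cat >> "$2" <<'EOF'
        net-tools && \
    dnf clean all -y
EOF
  [ "$1" != stock ] && cat >> "$2" <<EOF
# Install the trivy image scanner
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin $trivy_ver
EOF
  return 0
}

# Usage: bash lint-mid-dockerfile.sh path/to/Dockerfile
if [ -n "${1:-}" ]; then
  lint_dockerfile "$1"
fi
```

Run it against the Dockerfile from the container build download before and after the edits: the stock file fails both checks, a file with "latest" left in place gets a warning, and the fully edited, pinned file passes. The checks work on the text of the Dockerfile only, so they fit in a pre-build CI step without needing docker.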
Once this is built and deployed in a cluster somewhere, you'll need to take a close look at the documentation for the scan container images task to configure the rest of the capability. There's also a great overview KB article you can review.