Suppose all of your Docker images share a security vulnerability. How do you force a rebuild of every one of them, and how do you deploy the new images without breaking things? In this talk, you will learn how to push and audit cascading security updates to hundreds of Docker images. All of the tooling we use is open source, so you can easily take advantage of it. You will also learn how to integrate the cascading updates into your Jenkins CI/CD system, which lets you perform a verified cascade in the correct order.
4. The update cascade: Security Researcher -> Vulnerability -> Code Change -> Public Disclosure -> Distribution Package -> OS Base Image -> Python Base Image / Java Base Image / Node Base Image -> Application Image (one per base image; four shown)
5. The same cascade as slide 4, annotated MANUAL
14. Dockerfile Image Update
Command line tool developed at Salesforce
Designed to be invoked by Jenkins
Open sourced!
https://goo.gl/VQXBXk
15. Dockerfile Image Update
Scans GitHub for all images that use the parent image
Parent image: the image name you have just built
Version: the version (tag) of the image
Persistence repo: GitHub repository that contains the mapping of image names to desired versions
# dockerfile-image-update parent <parent image> <version> <persistence repo>
18. Dockerfile Image Update
When do we use it?
For every image in image-tag-store:
Recreate pull requests for images not on intended versions
Run at specific time cadence
# dockerfile-image-update all image-tag-store
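The two commands on slides 15 and 18 boil down to one mechanism: find every Dockerfile whose FROM line references a given image, rewrite its tag, and compare what is checked in against the tag the persistence repo (image-tag-store) says it should be. The following is an added example that models that mechanism in Python; it is not dockerfile-image-update's own code (the real tool is invoked from Jenkins and opens pull requests on GitHub). Repositories and the image-tag-store are constructed in-memory dicts here, and the function names, repository names and tags are my own.

```python
"""Model of a cascading base-image update (added example, not the
dockerfile-image-update project's code).

  cascade_parent()  ~ `dockerfile-image-update parent <image> <tag> <store>`
  audit_all()       ~ `dockerfile-image-update all <store>`

GitHub is replaced by REPOS, a dict of repo -> {path -> Dockerfile text},
and the persistence repo by STORE, a dict of image -> intended tag.
"""
import re
from typing import Dict, List, Optional, Tuple

# FROM [--platform=...] <ref> [AS <stage>]   (ref = image[:tag][@digest])
FROM_RE = re.compile(
    r"^(?P<lead>\s*FROM\s+(?:--platform=\S+\s+)?)"
    r"(?P<ref>\S+)"
    r"(?P<rest>(?:\s+AS\s+\S+)?\s*)$",
    re.IGNORECASE,
)


def split_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split image[:tag][@digest] into (image, tag, digest).

    A ':' only separates the tag if it comes after the last '/', so a
    registry port such as localhost:5000/acme/base stays in the name.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    colon, slash = ref.rfind(":"), ref.rfind("/")
    if colon > slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, None, digest


def bump_dockerfile(text: str, parent: str, new_tag: str) -> Tuple[str, bool]:
    """Rewrite every FROM that uses `parent` to parent:new_tag.

    A digest pin is dropped because it no longer describes the new tag.
    FROM lines for other images or earlier build stages are untouched.
    """
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        m = FROM_RE.match(line)
        if m:
            image, tag, digest = split_ref(m.group("ref"))
            if image == parent and not (tag == new_tag and digest is None):
                out.append(f"{m.group('lead')}{image}:{new_tag}{m.group('rest')}")
                changed = True
                continue
        out.append(line)
    return "".join(out), changed


def cascade_parent(repos: Dict[str, Dict[str, str]], parent: str,
                   new_tag: str) -> Dict[str, Dict[str, str]]:
    """Return, per repository, the updated Dockerfiles that would go into
    a pull request after `parent` was rebuilt and pushed as `new_tag`."""
    prs: Dict[str, Dict[str, str]] = {}
    for repo, files in repos.items():
        changed = {}
        for path, text in files.items():
            new_text, did_change = bump_dockerfile(text, parent, new_tag)
            if did_change:
                changed[path] = new_text
        if changed:
            prs[repo] = changed
    return prs


def audit_all(repos: Dict[str, Dict[str, str]],
              store: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """For every image in the store, list (repo, path, image, current tag)
    for each Dockerfile that is not on the intended tag, i.e. the pull
    requests that the scheduled `all` run would (re)create."""
    drift = []
    for repo, files in repos.items():
        for path, text in files.items():
            for line in text.splitlines():
                m = FROM_RE.match(line)
                if not m:
                    continue
                image, tag, _digest = split_ref(m.group("ref"))
                want = store.get(image)
                if want is not None and tag != want:
                    drift.append((repo, path, image, tag or "<none>"))
    return drift


# Constructed sample data: an OS base image, a Python base image built on
# it, and an application image built on the Python base image.
REPOS = {
    "acme/python-base": {"Dockerfile": "FROM ubuntu:16.04\nRUN apt-get install -y python3\n"},
    "acme/web-app": {"Dockerfile": "FROM localhost:5000/acme/python-base:1.2.0 AS build\n"
                                   "COPY . /app\n\nFROM scratch\nCOPY --from=build /app /app\n"},
    "acme/node-app": {"Dockerfile": "FROM node:8\n"},
}
STORE = {"ubuntu": "16.04", "localhost:5000/acme/python-base": "1.3.0", "node": "8"}

if __name__ == "__main__":
    # Step 1 of the cascade: the OS base image was rebuilt with the fix.
    print(cascade_parent(REPOS, "ubuntu", "18.04"))
    # Scheduled audit: which children are still behind the store?
    print(audit_all(REPOS, STORE))
```

Each level of the cascade is one `cascade_parent` call made after that level's image has been rebuilt and pushed, which is why the talk drives it from Jenkins: the Python base image must exist with its new tag before the application images can be pointed at it. The `audit_all` pass is the safety net for children whose pull request was closed or never merged.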
21. Live Demo
• https://jenkins.afalko.net/jenkins
• Demo script
- Scan shows images all have vulnerability caused by base OS
- Pull request made to fix base image
- Pull request merged and children updated
- Vulnerability fixed for all images!
31. Further Improvements
Users and Contributors Welcome!
https://goo.gl/VQXBXk
Feature wishlist
Auto-merge support
Maven Spotify plugin support
Update docker-compose and Kubernetes pod.yaml
Expand to other packaging types
Auto-detect changes of image tags
Bitbucket and Gitlab support
32. Acknowledgements
Thank you!
Min Ho Park: Salesforce intern who wrote the initial version of dockerfile-image-update
Engineers who helped on design, fixes, features, and production support at Salesforce:
Justin Harringa
Nelson Wolf
Jinesh Doshi
Lyft productivity team who built and designed similar tooling at Lyft:
Ryan Lane
Aneesh Agrawal
Brian Witt