Half-Baked Produce: Image Vulnerability Scans

Because nobody asked us to: we’re going to start scanning your containers for security vulnerabilities.

If you’re running the latest flyctl, you can play with this today:

flyctl registry sbom - get the JSON SBOM of a single image, selected by app/image or by app/machine.
flyctl registry vulns - get the vulnerabilities for a single image, as JSON or as filtered text, selected by app/image or by app/machine.
flyctl registry vulnsummary - get a table summarizing vulnerabilities across the app images of a whole org, or of a specific app.

Some quick backstory:

The core of this platform is an engine that converts OCI (Docker) containers into MicroVMs. To do that, we run both a large-scale multitenant Docker registry and a fleet of container storage engines on all our workers. When you flyctl launch something, we’re building a Docker-style container, layer-by-layer, pushing it to our registry, and then demand-fetching it onto our workers.

This is a lot of work! It takes a lot of engineering effort to make this reliable. “The registry” is an unsung hero of our architecture. So, to keep its morale high, we’ve been looking for features to spotlight the value of the registry.

One thing having a consistent OCI layer registry gives you is the ability to generate “SBOMs”; that’s “Software Bill of Materials” for non-IT-security nerds. An SBOM is a standardized record of all the software components that make up your app. It turns out that building a container puts you in a pretty good vantage point to generate an SBOM, and so that’s a thing we’re doing now: if you launch an image here, we’ll make an SBOM for it.

The obvious next question is “why would I care that I have an SBOM”, and, (1) we feel you, and (2) the “hello-world” of “using an SBOM” is “scanning it for vulnerabilities, based on reported CVEs”. So that’s the first thing we’re doing with them.

Those of you who have (checks notes) ever used Github are well aware of one of the annoying failure modes of vulnerability scans, which is “they generate reams and reams of JavaScript prototype pollution advisories I don’t care about”, and, (1) we feel you and (2) we’re still noodling on this and (3) our first-cut answer is that we’re going to curate which vulnerabilities we present as serious vulnerabilities — wait, let’s put a paragraph break here.

The “feature” you should think about us rolling out here, a month or so from now, is “if there is another Heartbleed or Shellshock vulnerability, and you are shipping code to prod that is vulnerable, Fly.io will try to tell you about it”. We’re scanning for all of the (container-visible) vulnerabilities, but we’re going to do our best to make noise only about the stuff you actually need to drop tools and fix; the advantage of “security” being the second-largest engineering team here is that we can do things like that.

But in the immediate term, if you just want an interesting report of what’s visible from the SBOM of whatever app you’re shipping: go build your own flyctl and kick the tires. We promise: all of these command line options will break before we ship the final version of this, so you have nothing to lose from playing with this but your sanity.

Here’s a whirlwind tour of how you can use this on your apps. The easiest thing to do is to get a quick summary of issues in the packages in your app images. You can do this org-wide (`-o` takes the org slug) or for a specific app (`-a`), and narrow the report to a severity (`-S`) or to specific CVE IDs:

fly registry vulnsummary -o personal
fly registry vulnsummary -a my-favorite-app
fly registry vulnsummary -o personal -S CRITICAL
fly registry vulnsummary -o personal CVE-2023-45853 CVE-2023-6879 

If you see anything that scares you, you can get a more detailed report for a single application, with filtering if you wish:

fly registry vulns -a my-favorite-app CVE-2023-45853 CVE-2023-6879 
fly registry vulns -a my-favorite-app -S CRITICAL

If you want more control or even more details, you can just grab the SBOM and use the tooling of your choice. These SBOMs were generated using trivy, and trivy is great at presenting detailed results. You should grab it and try it!

brew install trivy
fly registry sbom -a my-favorite-app > sbom.json
trivy sbom sbom.json
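Once you have a Trivy report in hand, you can apply the same severity and CVE-ID filters the fly commands above offer, plus anything else you want. The script below is an added example, not flyctl's or Trivy's own code. It assumes you produced the report with `trivy sbom --format json -o report.json sbom.json` (Trivy's `--format json` output uses the `Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` fields used here), and it treats a severity filter as a floor ("this severity and above"), which is an assumption about what `-S` means rather than something the post states. The embedded sample report is constructed by hand (made-up package versions and target name; the two CVE IDs are the ones used earlier in the post), and the "fixable only" filter is an addition the CLI above does not offer.

```python
# Added example (not flyctl's or Trivy's code): filter a Trivy JSON report by
# severity floor, CVE ID and fix availability, the way you might after
#   fly registry sbom -a my-favorite-app > sbom.json
#   trivy sbom --format json -o report.json sbom.json
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed stand-in for a real Trivy report. Target name and package
# versions are made up; the CVE IDs are the two mentioned in the post.
# The second target has "Vulnerabilities": null, which is how Trivy reports
# a target with nothing found, so the code must tolerate None there.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "my-favorite-app (os packages)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g",
                 "InstalledVersion": "1.2.13-1", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2023-6879", "PkgName": "libaom3",
                 "InstalledVersion": "3.6.0-1", "FixedVersion": "3.6.0-1+fix1",
                 "Severity": "HIGH"},
            ],
        },
        {"Target": "my-favorite-app (node-pkg)", "Vulnerabilities": None},
    ]
}


def iter_findings(report):
    """Flatten Results[].Vulnerabilities[] into one dict per finding."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # null -> no findings
            yield {
                "target": result.get("Target", ""),
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
            }


def filter_findings(report, min_severity=None, ids=(), fixable_only=False):
    """Keep findings at or above min_severity (assumed floor semantics),
    restricted to the given CVE IDs if any, optionally only ones with a fix.
    Results are sorted most severe first, then by ID."""
    floor = -1
    if min_severity is not None:
        if min_severity.upper() not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {min_severity!r}")
        floor = SEVERITY_RANK[min_severity.upper()]
    wanted = {i.upper() for i in ids}
    kept = []
    for f in iter_findings(report):
        if SEVERITY_RANK.get(f["severity"], 0) < floor:
            continue
        if wanted and f["id"].upper() not in wanted:
            continue
        if fixable_only and not f["fixed"]:
            continue
        kept.append(f)
    return sorted(kept, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["id"]))


def summarize(report):
    """Per-severity counts, in the spirit of `fly registry vulnsummary`."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in iter_findings(report):
        counts[f["severity"] if f["severity"] in counts else "UNKNOWN"] += 1
    return counts


def render(findings):
    """One text line per finding, flagging packages with no fix available."""
    lines = []
    for f in findings:
        fix = f["fixed"] or "no fix yet"
        lines.append(f'{f["severity"]:<8} {f["id"]:<16} {f["pkg"]} {f["installed"]} -> {fix}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python vulnfilter.py [report.json] [MIN_SEVERITY] [CVE-ID ...]
    # With no arguments the constructed sample report is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    min_sev = sys.argv[2] if len(sys.argv) > 2 else None
    print(summarize(report))
    print(render(filter_findings(report, min_severity=min_sev, ids=sys.argv[3:])))
```

The "no fix yet" case is the one worth keeping an eye on: a CRITICAL with an empty `FixedVersion` is something you cannot close by bumping a package, so it is the finding you either mitigate some other way or consciously accept, rather than leave buried under the ones a rebuild would clear.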