💻Practice

Podman Aqua Scan Practice

date
Jul 7, 2023
slug
podman-aqua-scan
type
Post
status
Public
progress
Done
category
💻Practice
tags
Container
summary
Scanning images with Aqua Scanner on Podman
thumbnail
updatedAt
Jun 26, 2025 04:39 AM
author
Referring to this, I tried to install Podman 4.x on CentOS 7… but figured it was not worth the hassle, so I decided to just get CentOS 8..
 
Then I wondered why I was even bothering with CentOS, so I decided to just do it on some other Ubuntu box..
Not easy to use..
 
The podman socket is not enabled by default, so apparently it has to be enabled and started.
Also, the socket path was not the commonly documented /run/user/501/podman/podman.sock but /run/user/1000/podman/podman.sock.
 
Once that's ready, let's start.
# Log in to the registry
podman login registry.aquasec.com
Username: <Aqua registry account>
Password: <Aqua registry password>
# Download the Aqua scanner
podman pull registry.aquasec.com/scanner:2022.4
⬇️ Run the scanner

Self-Hosted ver.

lystest@test:~$ podman run -v /run/user/1000/podman/podman.sock:/var/run/docker.sock --rm --privileged registry.aquasec.com/scanner:2022.4 scan --register jerbi/eicar:latest --registry "Docker Hub" --host 'https://a8b2a45a166d045c49d3e7dc3a3db3cf-36409479.ap-northeast-2.elb.amazonaws.com' --user 'administrator' --password 'Aquasecurity1!' --show-negligible --no-verify --htmlfile out.html --jsonfile out.json
This mounts Podman's socket as the container's Docker socket, so the scanner inside the container talks the Docker API (served by Podman) and can scan an image from Docker Hub that way.
2023-07-07 08:17:14.070 INFO Logger started with level INFO
2023-07-07 08:17:14.511 INFO Registering with server {"os": "linux", "os_version": "", "registries": []}
2023-07-07 08:17:14.940 INFO Successfully registered {"scanner_id": 7}
2023-07-07 08:17:16.765 INFO Calling Trivy scanner... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:16.765 INFO Start fetching security feed from server... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:16.771 INFO Latest security feeds need to be pulled from server. {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:17.512 INFO Latest security feeds need to be pulled from server. {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:18.227 INFO Latest security feeds need to be pulled from server. {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:18.938 INFO End fetching security feed from server... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "seconds": 2}
2023-07-07 08:17:18.938 INFO Connecting to Trivy server at {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "URL": "https://cybercenter5.aquasec.com/trivy/v1/scan"}
2023-07-07 08:17:19.536 INFO Contacting CyberCenter... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "url": "https://cybercenter5.aquasec.com"}
2023-07-07 08:17:20.270 INFO Contacting CyberCenter... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "url": "https://cybercenter5.aquasec.com"}
2023-07-07 08:17:26.654 INFO Start getting assurance policies from server... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:26.656 INFO Getting assurance policies... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:27.625 INFO End getting assurance policies from server... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "seconds": 1}
2023-07-07 08:17:27.625 INFO Contacting CyberCenter... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "url": "https://cybercenter5.aquasec.com"}
2023-07-07 08:17:30.089 INFO Start processing results... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:30.226 INFO End processing results... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "seconds": 0}
2023-07-07 08:17:30.226 INFO Start applying assurance policies... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:30.235 INFO Applying image assurance policies... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy"}
2023-07-07 08:17:30.235 INFO End applying assurance policies... {"registry": "Docker Hub", "image": "jerbi/eicar:latest", "requested platform": "amd64:::", "job ID": "fe6ef354-aef2-499d-af0d-d861e9b030d7", "server version": "2022.4.9c08d6d8b5", "scanner": "trivy", "seconds": 0}
{
  "image": "jerbi/eicar:latest",
  "registry": "Docker Hub",
  "scan_started": { "seconds": 1688717835, "nanos": 293286234 },
  "scan_duration": 15,
  "digest": "sha256:fc0637e6a36265984e5634c2852687d5992a51f8a146e9e1f5d2793505bef5b3",
  "metadata": { "repo_digests": [ "eicar@sha256:9a0d238325e222e3f40a4f49b3e9323c8577404ff65419c26e2dd8dfc337bad9" ] },
  "os": "alpine",
  "version": "3.8.0",
  "resources": [
    {
      "resource": {
        "type": 1,
        "path": "/eicar.com.txt",
        "name": "eicar.com.txt",
        "cpe": "file:/3395856ce81f2b7382dee72602f798b642f14140",
        "hash": "sha1:3395856ce81f2b7382dee72602f798b642f14140",
        "layer_digest": "sha256:1488b80abf2a4166f47514306c52e77a2f1081b8937f91182ad6fee005d52c68",
        "hash_md5": "md5:44d88612fea8a8f36de82e1278abb02f"
      },
      "scanned": true,
      "malware": [
        { "name": "Eicar-Test-Signature" },
        { "name": "Win.Test.EICAR_HDB-1" },
        { "name": "EICAR test file" }
      ]
    },
    {
      "resource": {
        "format": "apk",
        "name": "musl",
        "version": "1.1.19-r10",
        "cpe": "pkg:/alpine:3.8.0:musl:1.1.19-r10",
        "license": "MIT",
        "layer": "/bin/sh -c #(nop) ADD file:25f61d70254b9807a40cd3e8d820f6a5ec0e1e596de04e325f6a33810393e95a in / ",
        "layer_digest": "sha256:73046094a9b835e443af1a9d736fcfc11a994107500e474d0abf399499ed280c",
        "src_name": "musl",
        "src_version": "1.1.19-r10"
      },
      "scanned": true,
      "vulnerabilities": [
        {
          "name": "CVE-2019-14697",
          "type": "vulnerability",
          "description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
          "nvd_score": 7.5,
          "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "nvd_severity": "high",
          "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14697",
          "publish_date": "2019-08-06",
          "modification_date": "2023-03-03",
          "fix_version": "1.1.19-r11",
          "solution": "Upgrade package musl to version 1.1.19-r11 or above.",
          "nvd_score_v3": 9.8,
          "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "nvd_severity_v3": "critical",
          "aqua_score": 9.8,
          "aqua_severity": "critical",
          "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "aqua_scoring_system": "CVSS V3",
          "heuristic_ref_id": 328567,
          "aqua_severity_classification": "NVD CVSS V3 Score: 9.8",
          "aqua_score_classification": "NVD CVSS V3 Score: 9.8",
          "cwe_info": [ { "Id": "CWE-787", "name": "Out-of-bounds Write" } ]
        }
      ]
    },
    {
      "resource": {
        "format": "apk",
        "name": "musl-utils",
        "version": "1.1.19-r10",
        "cpe": "pkg:/alpine:3.8.0:musl-utils:1.1.19-r10",
        "license": "MIT,BSD-3-Clause,GPL-2.0",
        "layer": "/bin/sh -c #(nop) ADD file:25f61d70254b9807a40cd3e8d820f6a5ec0e1e596de04e325f6a33810393e95a in / ",
        "layer_digest": "sha256:73046094a9b835e443af1a9d736fcfc11a994107500e474d0abf399499ed280c",
        "src_name": "musl",
        "src_version": "1.1.19-r10"
      },
      "scanned": true,
      "vulnerabilities": [
        {
          "name": "CVE-2019-14697",
          "type": "vulnerability",
          "description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
          "nvd_score": 7.5,
          "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "nvd_severity": "high",
          "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14697",
          "publish_date": "2019-08-06",
          "modification_date": "2023-03-03",
          "fix_version": "1.1.19-r11",
          "solution": "Upgrade package musl-utils to version 1.1.19-r11 or above.",
          "nvd_score_v3": 9.8,
          "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "nvd_severity_v3": "critical",
          "aqua_score": 9.8,
          "aqua_severity": "critical",
          "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "aqua_scoring_system": "CVSS V3",
          "heuristic_ref_id": 328567,
          "ancestor_pkg": "musl",
          "aqua_severity_classification": "NVD CVSS V3 Score: 9.8",
          "aqua_score_classification": "NVD CVSS V3 Score: 9.8",
          "cwe_info": [ { "Id": "CWE-787", "name": "Out-of-bounds Write" } ]
        }
      ]
    }
  ],
  "image_assurance_results": {
    "disallowed": true,
    "audit_required": true,
    "policy_failures": [
      { "policy_id": 6, "policy_name": "Malware-Default-Policy", "blocking": true, "controls": [ "malware" ] }
    ],
    "checks_performed": [
      { "failed": true, "policy_id": 6, "policy_name": "Malware-Default-Policy", "control": "malware", "malware_found": 3, "malware_file_scanned": 29 },
      { "policy_id": 7, "policy_name": "Sensitive-Data-Default-Policy", "control": "sensitive_data" }
    ],
    "block_required": true
  },
  "vulnerability_summary": { "total": 2, "critical": 2, "malware": 3, "score_average": 9.8 },
  "scan_options": {
    "scan_executables": true,
    "scan_sensitive_data": true,
    "scan_malware": true,
    "scan_files": true,
    "scan_timeout": 3600000000000,
    "manual_pull_fallback": true,
    "save_adhoc_scans": true,
    "use_cvss3": true,
    "dockerless": true,
    "system_image_platform": "amd64:::",
    "telemetry_enabled": true,
    "enable_fast_scanning": true,
    "memoryThrottling": true,
    "suggest_os_upgrade": true,
    "adhoc_scan_retention": 30,
    "enable_diff_ids": true,
    "is_trivy_enabled": true,
    "register_image": true,
    "socket": "docker"
  },
  "initiating_user": "administrator",
  "pull_name": "registry-1.docker.io/jerbi/eicar:latest",
  "original_registry": "Docker Hub",
  "scan_id": 1,
  "required_image_platform": "amd64:::",
  "scanned_image_platform": ":::",
  "security_feeds_used": { "executables": "244a03c1780e17" },
  "image_id": 2,
  "internal_digest_id": { "id": 1 },
  "isAdhocRegister": true,
  "OriginFromHostImage": true,
  "FileHashEncoding": "zlib"
}
2023-07-07 08:17:37.964 INFO Deregistering from console
2023-07-07 08:17:37.997 INFO Scan successfully completed.
2023-07-07 08:17:37.997 INFO Compliance Failure (4): failed the following policies: [Malware-Default-Policy]
It's not being written to a file.. why…?
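The steps above (find the rootless socket, run the scanner with the socket mounted, get out.json back) as one small wrapper. This is an added example, not code from the original post or from Aqua. It assumes the scanner writes --htmlfile/--jsonfile inside its own container filesystem, so that with --rm and no bind mount the reports are discarded with the container; bind-mounting a host directory at /out is this example's own workaround for that. SCANNER_IMAGE, the /out mount point, the AQUA_HOST/AQUA_USER/AQUA_PASSWORD environment variables and SAMPLE_REPORT (a trimmed copy of the out.json shown above) are all this example's own assumptions.

```python
"""Wrapper around `podman run ... scanner scan` (added example, not the post's own code).
Assumes: rootless Podman socket under /run/user/<UID>/, reports written to a bind-mounted
/out so they survive --rm, console settings taken from AQUA_* environment variables."""
import json
import os
import subprocess

SCANNER_IMAGE = "registry.aquasec.com/scanner:2022.4"  # the tag pulled in the post


def podman_socket_path(uid=None):
    """Rootless Podman keeps its API socket under /run/user/<UID>/ (1000 in the post),
    so derive the path from the UID instead of hard-coding it."""
    if uid is None:
        uid = os.getuid()
    return f"/run/user/{uid}/podman/podman.sock"


def build_scan_command(image, host, user, password, out_dir, sock=None, registry="Docker Hub"):
    """The same `podman run` as in the post plus a second bind mount for the reports.
    Assumption: without the /out mount the files stay inside the container and vanish."""
    sock = sock or podman_socket_path()
    out_dir = os.path.abspath(out_dir)
    return [
        "podman", "run", "--rm", "--privileged",
        "-v", f"{sock}:/var/run/docker.sock",   # Podman answers the Docker API here
        "-v", f"{out_dir}:/out",                # append :Z on SELinux hosts
        SCANNER_IMAGE, "scan",
        "--register", image,
        "--registry", registry,
        "--host", host,
        "--user", user,
        "--password", password,                 # visible in `ps`; SaaS flow uses --token
        "--show-negligible", "--no-verify",
        "--htmlfile", "/out/out.html",
        "--jsonfile", "/out/out.json",
    ]


def evaluate_report(report):
    """Reduce a scanner JSON report (same structure as the post's output) to a verdict."""
    summary = report.get("vulnerability_summary", {})
    assurance = report.get("image_assurance_results", {})
    malware, fixable = [], set()
    for entry in report.get("resources", []):
        res = entry.get("resource", {})
        for m in entry.get("malware", []):
            malware.append((res.get("path") or res.get("name"), m["name"]))
        for v in entry.get("vulnerabilities", []):
            if v.get("fix_version"):
                fixable.add((v["name"], res.get("name"), v["fix_version"]))
    return {
        "image": report.get("image"),
        "total": summary.get("total", 0),
        "critical": summary.get("critical", 0),
        "malware": malware,
        "fixable": sorted(fixable),
        "failed_policies": [p["policy_name"] for p in assurance.get("policy_failures", [])],
        # block when the image assurance policy says so (block_required / disallowed)
        "block": bool(assurance.get("block_required") or assurance.get("disallowed")),
    }


def run_scan(image, out_dir="aqua-out"):
    """Run the scanner as the regular socket-owning user (no sudo), then read out.json."""
    os.makedirs(out_dir, exist_ok=True)
    cmd = build_scan_command(
        image,
        host=os.environ["AQUA_HOST"],            # console URL, as in the post's --host
        user=os.environ["AQUA_USER"],
        password=os.environ["AQUA_PASSWORD"],
        out_dir=out_dir,
    )
    subprocess.run(cmd, check=False)            # scanner exits non-zero on policy failure
    with open(os.path.join(out_dir, "out.json"), encoding="utf-8") as fh:
        return evaluate_report(json.load(fh))


# Constructed sample: a trimmed copy of the out.json printed in the post (same image,
# same findings), so the verdict logic can be exercised without a console.
SAMPLE_REPORT = {
    "image": "jerbi/eicar:latest",
    "resources": [
        {"resource": {"path": "/eicar.com.txt", "name": "eicar.com.txt"}, "scanned": True,
         "malware": [{"name": "Eicar-Test-Signature"}, {"name": "Win.Test.EICAR_HDB-1"},
                     {"name": "EICAR test file"}]},
        {"resource": {"format": "apk", "name": "musl", "version": "1.1.19-r10"}, "scanned": True,
         "vulnerabilities": [{"name": "CVE-2019-14697", "fix_version": "1.1.19-r11"}]},
        {"resource": {"format": "apk", "name": "musl-utils", "version": "1.1.19-r10"}, "scanned": True,
         "vulnerabilities": [{"name": "CVE-2019-14697", "fix_version": "1.1.19-r11"}]},
    ],
    "image_assurance_results": {
        "disallowed": True, "audit_required": True, "block_required": True,
        "policy_failures": [{"policy_id": 6, "policy_name": "Malware-Default-Policy",
                             "blocking": True, "controls": ["malware"]}],
    },
    "vulnerability_summary": {"total": 2, "critical": 2, "malware": 3, "score_average": 9.8},
}

if __name__ == "__main__":
    import sys
    verdict = run_scan(sys.argv[1]) if len(sys.argv) > 1 else evaluate_report(SAMPLE_REPORT)
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["block"] else 0)
```

Run it with no arguments to see the verdict for the sample report (it exits 1 because the EICAR image fails Malware-Default-Policy), or with an image name after exporting AQUA_HOST, AQUA_USER and AQUA_PASSWORD to run a real scan and find the HTML and JSON reports under ./aqua-out on the host. Reading the credentials from the environment keeps them out of shell history, though `--password` is still visible to other local users in the process list while the scan runs.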

SaaS ver.

podman run -v /run/user/1000/podman/podman.sock:/var/run/docker.sock --rm --privileged registry.aquasec.com/scanner:2022.4 scan --register redis:latest --registry "Docker Hub" --host 'https://42cfa76ab8.cloud.aquasec.com' --user 'yslee+aqua@cloocus.com' --token '48e9a514-de76-43ad-9500-6f518b7fd649' --show-negligible --no-verify --htmlfile out.html --jsonfile out.json
License limit exceeded… → requested more
 
 

Troubleshooting

⇒ It has to be run without sudo