What is Automated Container Hardening?

Automated Container Hardening streamlines the process of securing your containers for production and removing unnecessary components that could contain vulnerabilities. We do this by creating a repeatable process running in CI/CD that produces a new, production-ready container every time you update your code.

Typically, organizations using this process reduce their vulnerability counts by 50 to 80 percent on their first run. And this process can be implemented in CI/CD to create a system of continuous, automated supply chain security without all the manual effort of current tools.

A container’s hardening profile is developed by wrapping the original container with a layer containing the Slim Sensor, which observes the running container and sends observations back to Slim.AI.

Slim then uses the observations, along with custom logic, to understand what’s really needed in the container. We remove everything that’s unnecessary for the container to operate and create a new, functionally-equivalent, more secure container image.

These instructions will show you how to connect to your registries, scan your images for vulnerabilities, and harden your first container image.

In This Guide:

What you’ll need:

The following instructions assume that you have a Slim.AI account. You'll also need...

  • The ability to connect us to your container registry (Docker Hub, GitHub Container Registry, GitLab Container Registry, AWS ECR, Quay, GCR, DigitalOcean, and ACR are currently supported)
  • The image(s) you would like to harden available in your connected registry
  • The ability to run the images locally or to deploy them to a test environment where you can exercise them by running your tests

Let’s get started!

Sign in to the Slim portal at https://portal.slim.dev.

Once signed in, make sure you’re working within the correct organization by looking at the box in the top right corner with your username.

Checking to make sure I'm logged in with the correct organization.

Switch organizations if necessary by hovering over your username to reveal your organization options.

Step 1: Connect your Registries

Click on "Connectors" in the top navigation. This is where you can connect and manage your registry connectors. The Slim platform allows you to connect to as many of your registries as needed.

A view of many registry connectors available to Slim users.

Select your registry provider (ECR, GitHub, GitLab, etc.) and authenticate your connector using the mechanism provided. Specific instructions per registry provider are available when connecting your registry.

The Slim platform requires read-write access to your connected registries in order to scan, harden, and push images back to your registries.

Once your registries are connected, navigate to "Home" and click on the "Connected Registries" tab under the search bar. Here you should see your registries and be able to browse through them to find the images you would like to scan and harden. They are listed by Registry Provider → Connector → Repo → Images+Tag.

Checking the Connected Registries tab to see which of my Connectors are active.

Confirm that the images you’re interested in scanning and hardening are available. If they are not, please reach out to our team in the Slim.AI Discord Community for assistance.

Step 2: Scan An Image

The Slim portal provides two mechanisms for finding images to scan. You can use the Connected Registries tab on the Home screen to browse your images, or search for them using either the search bar on the Home screen or the magnifying glass icon in the top navigation.

Once you have found an image or images to scan, click the "Explore" button to start a scan. Initial scans take 30s to 1m depending on the size and complexity of an image.

Clicking to explore the default version of an nginx container.

To see an example of scan results prior to connecting to a registry, search for nginx and click on the first result under Public Images.

Once scanned, you can view an Overview of metadata and insights about the image, browse and view files in the File Explorer, view an automatically generated Dockerfile, and view our vulnerability scan information.

Step 3: Install and Configure the Slim CLI

While you can harden images via the Slim SaaS UI, automated container hardening is best done using our CLI tool. Download it and install it via the instructions found here:

https://portal.slim.dev/cli

To configure the CLI, first you need to generate an Access Token.

Navigate to https://portal.slim.dev/settings and click on the "Tokens" tab.

Click "Add Token", name your token and click "Save."

Naming my Slim.AI Access Token.

Once the token has been generated, copy the token by clicking the "three dots" button in the "Actions" column; and click "Copy token." Save your token somewhere safe. You will need it when configuring the CLI or using the Slim API.

Copying my Access Token to the Clipboard to paste later when I configure the CLI.

Install the CLI According to the https://portal.slim.dev/cli page, but please don’t follow the ‘generate and save a CLI config file’ instructions; instead, use this command to add the token you copied to the CLI:

slim config gen --save --token YOUR_TOKEN —–org YOUR_DP_ORG

Note: Make sure you’re using the org you want, rather than the default. To copy your desired org ID, in the Slim portal hover over your username at the top right to reveal the drop-down, and select ‘Personal information.’ Then select the Organizations tab to reveal a list of your org IDs.

Your CLI should now be configured with access to your organization and the ability to harden images.

Step 4: Harden an Image

There are three stages to hardening an image: Instrument, Observe, and Harden.

Stage One: Instrument

With your registry connected to the Slim platform, pick an image you want to harden. For instance, my-registry/my-org/app:1.23.

Instrument an image by adding an extra layer with the Slim sensor:

 slim instrument my-registry/my-org/app:1.23

If the image names cannot be derived successfully, you can try using the full version of the command:

slim instrument \
    --instrumented-image my-registry/my-org/app:1.23-my-instrumented \
    --instrumented-image-connector rkcn.CONNECTOR_ID \
    --hardened-image my-registry/my-org/app:1.23-my-hardened \
    --hardened-image-connector rkcn.CONNECTOR_ID \
    --target-image-connector rkcn.CONNECTOR_ID \
    my-registry/my-org/app:1.23

To find the Connector_ID, you can use this helper command:

slim connectors ls

You can also find your desired Connector ID in the Connectors tab of the Slim portal. Scroll down to view your authenticated connectors. In the Actions column, click the pencil icon next to a connector and it will open the connector settings page. Here, you’ll find the Connector ID.

By default, the slim instrument command will push an instrumented version of the image back to the same container repository with -slim-instrumented appended to the original image name and tag.

If you want to use a different name for the instrumented or hardened images, you can find the corresponding flags in the slim instrument —help output.

Getting the Workflow ID

The slim instrument command outputs a workflow ID once completed. This is a unique ID for the workflow process and will be used in a later step when we go to harden the image.

You can save it simply by chaining the output to an environment variable (below) or by copying and pasting it from the command line once the instrumentation is complete.

NX_ID=$(slim instrument ... )

Stage Two: Observe

The next step is to run the instrumented image to let our sensors do some runtime analysis.

Run a container using the instrumented image. Make sure you use the following:

  • root user
  • ALL capabilities
  • --pull always flag (to ensure the latest instrumented image is always pulled)

The Docker run command should look like this:

$ docker run --pull always -d --rm \
  --user root \
  --cap-add ALL \
  -p port1:port2 \
  --name my-registry/my-org/app:1.23

Hardening on Kubernetes

It is possible to harden images directly in Kubernetes as well. The process is more complex and outside the scope of this document, but you can find a demo and description in our GitHub repository: Kubernetes example.

Exercising the container

Thoroughly "exercise" the running container. Any of the following will work:

  • Click through the UI
  • Send requests to the API
  • Run test suites

This is a necessary step in order for the Slim Sensor to see the container in action and monitor kernel processes that for our hardening profile.

Gracefully stop (don’t kill!) the container, giving enough time to the sensor to save the report:

docker stop -t 999 <container>

On Kubernetes, this would be done with:

kubectl delete --grace-period 120 deployment minion

In both cases, note the timeout flags that give the container time to stop running and submit information back to the Slim platform about your container.

You can repeat the exercise step as many times as you want, running multiple instances of the instrumented container. The more reports submitted, the more complete the hardened image will be.

Stage Three: Harden

Finally, produce the hardened image using the report(s) from the previous step:

slim harden --instrumented-image
    my-registry/my-org/app:1.23-slim-instrumented

Or:

slim harden --id rknx.WORKFLOW_ID 

(You can find the WORKFLOW_ID in the output from the Instrument stage).

The hardened image will be stored in your registry with the -slim-hardened tag suffix.

You can pull and test the hardened image using the same tests or steps you used to exercise it in the Observe step.

docker run my-org/app:1.23-slim-hardened

Note that no elevated capabilities or the root user are required to run this image.

With that, you now have a hardened container. You can log back in to the Slim platform to assess its vulnerabilities and move it to production.

Additional Resources