Programming Challenge: Container Security Scanner (Jan 28, 2025)

Challenge:

Build a container security scanner that analyzes Docker images for vulnerabilities and misconfigurations. The system should check for outdated packages, excessive privileges, and potential security risks inside the container.

Basic Requirements:

Scan a Docker image for known vulnerabilities.
Identify and flag outdated dependencies.
Detect privileged containers (running as root).

Bonus Features for Enterprise-Grade Security:

🔹 Integrate CVE Database: Use Trivy, Clair, or Grype to detect vulnerabilities.
🔹 Policy Enforcement: Block deployment of insecure images.
🔹 Runtime Security Checks: Monitor running containers for suspicious activity.
🔹 SBOM (Software Bill of Materials): Generate a list of all installed dependencies.
🔹 Kubernetes Integration: Scan images before deployment in CI/CD pipelines.

Example Implementation (Python + Docker API + Trivy)

import subprocess
import json

def scan_docker_image(image_name):
    print(f"Scanning {image_name} for vulnerabilities...")

    # Run Trivy security scan; check=True raises if Trivy itself fails
    result = subprocess.run(
        ["trivy", "image", "--format", "json", image_name],
        capture_output=True, text=True, check=True
    )

    # Parse JSON output: each entry in "Results" is one scan target and
    # lists its findings under "Vulnerabilities" (absent when it is clean)
    report = json.loads(result.stdout)
    critical_issues = [
        vuln
        for target in report.get("Results", [])
        for vuln in target.get("Vulnerabilities") or []
        if vuln.get("Severity") == "CRITICAL"
    ]

    if critical_issues:
        print(f" Found {len(critical_issues)} critical vulnerabilities!")
        for vuln in critical_issues:
            print(f"- {vuln['VulnerabilityID']}: {vuln.get('Description', '')}")
    else:
        print(" No critical vulnerabilities found!")

    return critical_issues

# Example usage
scan_docker_image("nginx:latest")
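
The Trivy script above does not cover the basic requirement of flagging containers that run as root or the policy-enforcement bonus. As an added example (not part of the original post), the following checks the Config.User field of `docker image inspect` output and combines it with a critical-vulnerability count into a deploy decision; the sample inspect data, the image names and the `deployment_allowed` helper are constructed for illustration.

```python
import json

# Constructed sample of `docker image inspect` output, trimmed to the fields
# used here; the image names and values are made up for illustration.
SAMPLE_INSPECT = json.dumps([
    {"RepoTags": ["example/web:1.0"], "Config": {"User": ""}},
    {"RepoTags": ["example/api:2.3"], "Config": {"User": "10001:10001"}},
    {"RepoTags": ["example/job:0.9"], "Config": {"User": "root:root"}},
    {"RepoTags": ["example/db:5.1"], "Config": {"User": "0"}},
])


def runs_as_root(user_field):
    """Return True if an image's Config.User resolves to UID 0.

    Docker accepts "user", "uid", "user:group" and "uid:gid". An empty or
    missing value means the container starts as root by default.
    """
    user = (user_field or "").strip().split(":", 1)[0]
    if user.isdigit():
        return int(user) == 0
    return user in ("", "root")


def find_root_images(inspect_json):
    """Return the tags of every inspected image that would start as root."""
    flagged = []
    for image in json.loads(inspect_json):
        config = image.get("Config") or {}
        if runs_as_root(config.get("User")):
            flagged.extend(image.get("RepoTags") or [image.get("Id", "<untagged>")])
    return flagged


def deployment_allowed(inspect_json, critical_count):
    """Hypothetical policy gate: deny on any root image or critical CVE."""
    return critical_count == 0 and not find_root_images(inspect_json)


if __name__ == "__main__":
    for tag in find_root_images(SAMPLE_INSPECT):
        print(f"FLAG {tag}: runs as root (no non-root USER set)")
    print("deploy allowed:", deployment_allowed(SAMPLE_INSPECT, 0))
```

A named user other than `root` is treated as non-root here; confirming its UID requires reading `/etc/passwd` inside the image, which inspect output alone does not provide.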