Streamlining Container Image Security with Grype and Argus

Grype is an open-source vulnerability scanner for container images and filesystems. It catalogs the packages installed across an image's layers (OS packages and language dependencies) and matches them against a vulnerability database, so known vulnerable software can be caught before an image is deployed to production.

Argus complements this with a free, open-source enterprise security platform that provides centralized logging, real-time monitoring, and incident response automation. Integrating Grype with Argus gives you a central view of your container security posture, with scan results raised as alerts you can act on.

This guide walks through the integration: scanning container images with Grype, configuring a custom script on the endpoint, and monitoring vulnerability alerts on the Argus dashboard.
Infrastructure Setup

Prerequisites

  • Argus: Pre-built Argus virtual appliance including the Argus server, indexer, and dashboard.
  • Ubuntu Endpoint: With the Argus agent installed. Grype is installed in the steps below.

Ubuntu Endpoint Configuration

Install Docker Engine and Pull Container Images
  1. Update system packages and install cURL:

       apt update && apt install curl -y

  2. Install Docker Engine:

       curl -sSL https://get.docker.com/ | sh

     • On RPM-based systems, start the Docker service afterwards: systemctl start docker

  1. Set up a project directory:

       mkdir /container_env && cd /container_env

  2. Create a Docker Compose file named docker-compose.yml with the following content:

       services:
         nodejs:
           image: node:latest
           container_name: nodejs_container
           restart: always
           ports:
             - 3000:3000
           volumes:
             - ./app:/app
           working_dir: /app
           environment:
             - NODE_ENV=production
         mongo:
           image: mongo:latest
           container_name: mongo_container
           restart: always
         redis:
           image: redis:latest
           container_name: redis_container
           restart: always

  3. Pull the container images:

       docker compose pull

  4. Verify the container images:

       docker image ls

     Example output:

       REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
       redis        latest   1a83fd5edeed   6 days ago    117MB
       node         latest   3d4b037e6712   13 days ago   1.11GB
       mongo        latest   ff65a94ec485   4 weeks ago   795MB
Install Grype

  5. Install Grype. Note that this pipes a remote script into a root shell; if that is not acceptable in your environment, download install.sh first, review it, and run it locally:

       curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin

  6. Verify the Grype installation:

       grype --version

     Example output (the version you get will be whatever is current at install time):

       grype 0.78.0

  7. Update the Grype vulnerability database:

       grype db update
Create a Custom Bash Script and Configure the Argus Command Module

  8. Create a custom script directory and file:

       mkdir /var/ossec/custom-script/ && touch /var/ossec/custom-script/grype_scan.sh

  9. Add the following content to grype_scan.sh. The script writes a Grype output template that renders every match as one CSV row, scans each local image with it, and prefixes each row with the image name so the decoder on the manager can pick the events out of the agent log:

       #!/bin/bash
       # Output template for Grype: a header row followed by one CSV row per match.
       # mktemp is used instead of a fixed /tmp path so that a root-owned file is
       # not written to a predictable name in a world-writable directory.
       TEMPLATE_FILE=$(mktemp /tmp/grype-template.XXXXXX)
       cat <<EOL > "$TEMPLATE_FILE"
       "Package","Version Installed","Vulnerability ID","Severity"
       {{- range .Matches}}
       "{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}"
       {{- end }}
       EOL

       images=$(docker images --format "{{.Repository}}:{{.Tag}}")
       for image in $images; do
           # Dangling layers are listed as <none>:<none>; Grype cannot resolve them.
           case "$image" in *'<none>'*) continue ;; esac
           # tail -n +2 drops the template's header row, which is not a finding.
           grype_output=$(grype "$image" -o template -t "$TEMPLATE_FILE" | tail -n +2)
           while IFS= read -r line; do
               [ -n "$line" ] || continue
               # One event per finding: Grype:"<image>","<package>","<version>","<id>","<severity>"
               echo "Grype:\"$image\",$line"
           done <<< "$grype_output"
       done
       rm -f "$TEMPLATE_FILE"

  10. Grant executable permissions:

       chmod +x /var/ossec/custom-script/grype_scan.sh

  11. Change ownership:

       chown root:wazuh /var/ossec/custom-script/ -R

  12. Edit the agent configuration file /var/ossec/etc/ossec.conf and add the following command module inside the <ossec_config> block. It runs the script every five days and once right after the agent starts (run_on_start). Keep ignore_output at no so the script's stdout is forwarded to the manager, and note that timeout 0 means the run is never killed, which matters because scanning several large images can take minutes:

       <wodle name="command">
         <disabled>no</disabled>
         <command>/var/ossec/custom-script/grype_scan.sh</command>
         <interval>5d</interval>
         <ignore_output>no</ignore_output>
         <run_on_start>yes</run_on_start>
         <timeout>0</timeout>
       </wodle>

  13. Restart the Argus agent:

       systemctl restart wazuh-agent
Argus Server Configuration

Create Decoders and Rules

  14. Create a decoder file /var/ossec/etc/decoders/grype_decoders.xml with the following content. The parent decoder matches every line the script emits by its Grype: prefix; the child decoder pulls out the five quoted CSV fields and names them in the order the script writes them (the regex is declared type="pcre2" so that (.+) has its usual meaning):

       <decoder name="grype-decoder">
         <prematch>^Grype:</prematch>
       </decoder>

       <decoder name="grype-decoder">
         <parent>grype-decoder</parent>
         <regex type="pcre2">"(.+)","(.+)","(.+)","(.+)","(.+)"</regex>
         <order>image, package, version, vulnerability_id, severity</order>
       </decoder>

  15. Create a rules file /var/ossec/etc/rules/grype_rules.xml with the following rules. Rule 100101 fires for every decoded Grype event; 100102 and 100103 are child rules that raise the level when the decoded severity field is Critical or High. The alert levels shown are a suggestion; adjust them to your own thresholds:

       <group name="grype,">
         <rule id="100101" level="3">
           <decoded_as>grype-decoder</decoded_as>
           <description>Grype alert detected.</description>
         </rule>

         <rule id="100102" level="12">
           <if_sid>100101</if_sid>
           <field name="severity">Critical</field>
           <description>Grype alert [Critical]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
         </rule>

         <rule id="100103" level="10">
           <if_sid>100101</if_sid>
           <field name="severity">High</field>
           <description>Grype alert [High]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
         </rule>
       </group>

  16. Restart the Argus manager:

       systemctl restart wazuh-manager
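A mismatch between the line format the endpoint script emits and the five-field split the decoder expects shows up only as silently missing alerts, so it is worth checking the two against each other before relying on the dashboard. The following is an added example, not code from the original guide or from Grype or Argus: a plain POSIX shell script that reproduces, offline, the event formatting of grype_scan.sh and the decoder and rule chain configured on the manager. SAMPLE_TEMPLATE_OUTPUT is a constructed stand-in for what grype -o template -t custom.tmpl prints for one image, with placeholder vulnerability IDs (CVE-2099-...) that do not refer to real findings; the function names are the example's own. It also handles two cases worth guarding against in the endpoint script: the template's header row, which is not a finding, and dangling <none>:<none> images, which Grype cannot resolve.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Grype/Argus: exercises the
# event format the endpoint script emits and the decoder/rule chain on the
# manager, entirely offline. SAMPLE_TEMPLATE_OUTPUT is a constructed stand-in
# for what `grype <image> -o template -t custom.tmpl` prints for one image;
# the CVE-2099-* IDs are placeholders, not real findings.

SAMPLE_TEMPLATE_OUTPUT='"Package","Version Installed","Vulnerability ID","Severity"
"libfoo","1.2.3-1","CVE-2099-0001","High"
"libbar","4.5.6","CVE-2099-0002","Critical"
"libbaz","7.8.9","CVE-2099-0003","Low"'

# Decide whether an entry from `docker images --format '{{.Repository}}:{{.Tag}}'`
# should be handed to Grype. Dangling layers are listed as <none>:<none>, and
# passing that string to grype makes the scan fail, so the caller skips them.
should_scan_image() {
    case "$1" in
        '<none>'*|*':<none>') return 1 ;;
        *) return 0 ;;
    esac
}

# Turn one image's template output into agent log events. The template's first
# line is a column header, not a finding, so it is dropped; every other row is
# prefixed with the image name, giving:
#   Grype:"<image>","<package>","<version>","<vulnerability_id>","<severity>"
emit_grype_events() {
    image=$1
    template_output=$2
    printf '%s\n' "$template_output" | tail -n +2 | while IFS= read -r row; do
        [ -n "$row" ] || continue
        printf 'Grype:"%s",%s\n' "$image" "$row"
    done
}

# Mirror of the child decoder: extract the five quoted fields from one event and
# print them pipe-separated in the decoder's <order>:
#   image|package|version|vulnerability_id|severity
# Prints nothing for a line that does not match, exactly as the decoder would
# produce no fields for it.
decode_grype_event() {
    printf '%s\n' "$1" | sed -n \
        's/^Grype:"\([^"]*\)","\([^"]*\)","\([^"]*\)","\([^"]*\)","\([^"]*\)"$/\1|\2|\3|\4|\5/p'
}

# Mirror of the rule chain: the rule ID an event ends up matching. 100101 is
# the base rule for any decoded event; 100102 (Critical) and 100103 (High) are
# its children and take precedence when the severity field matches.
rule_for_event() {
    severity=$(decode_grype_event "$1" | cut -d'|' -f5)
    case "$severity" in
        Critical) echo 100102 ;;
        High)     echo 100103 ;;
        '')       echo 0 ;;        # not decodable: no Grype rule fires
        *)        echo 100101 ;;   # base rule only
    esac
}

# Stand-alone run: what the manager would see for one constructed image scan.
emit_grype_events "node:latest" "$SAMPLE_TEMPLATE_OUTPUT" | while IFS= read -r ev; do
    printf '%s -> rule %s\n' "$ev" "$(rule_for_event "$ev")"
done
```

Run it with sh to print each constructed event next to the rule it would end up matching. On the manager itself, the authoritative check is to paste one emitted line into /var/ossec/bin/wazuh-logtest and confirm that the real decoder yields the same five fields and the same rule ID.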
Visualizing Vulnerability Alerts on the Argus Dashboard

  17. Navigate to Search > Discover.
  18. Use the query rule.groups:grype to filter Grype alerts.
  19. Add relevant fields (e.g., agent.name, data.image, data.package, data.vulnerability_id, data.severity) as columns.

Filtering by Severity

  • Critical Alerts: rule.groups:grype and rule.id:100102
  • High Alerts: rule.groups:grype and rule.id:100103

Save filtered queries for easy access. Results appear only after the command module has run: with run_on_start enabled that is shortly after the agent restart, but scanning several large images can take a few minutes, so allow for that before concluding that the integration is not working.
