In the world of cybersecurity, container security has become a top priority. Containers are increasingly used by businesses to develop and deploy applications quickly and efficiently. However, containers can also be vulnerable to attack. That's why it's important to use secure images to create your containers.
RapidFort is a company that generates hardened images for Docker. Their images are based either on a Bitnami base image or on the publisher's official image (in which case the image is named, for example, "rapidfort/nginx-official"), and they are rebuilt regularly to fix vulnerabilities. RapidFort also offers (by paid subscription) a range of security features, such as vulnerability discovery, vulnerability remediation and security monitoring.
The benefits of RapidFort images
There are many advantages to using secure images:
- Enhanced security: secure images are less vulnerable to attack than official images. A vulnerability report is provided by RapidFort for each container.
- Compliance: these images can help you meet your company's security requirements, in line with existing information security (SSI) policies.
- Better performance: images often outperform unsecured/official images, as they are lighter and contain no superfluous content.
- Better time-to-market: these images are hardened, already optimized and ready to use. So you spend less time analyzing and optimizing your containers.
How do I use RapidFort's secure images?
To use RapidFort's secure images, you can either create an account on their website, or use one of the public secure images available on Docker Hub. Subscriptions are available for companies with specific needs, but it's easiest to contact the sales team directly for an official price quote.
If you use one of the public secure images available on Docker Hub, you won't need to create an account. However, you won't have access to the advanced security features offered by RapidFort (SSO, vulnerability tracking, container limit increase and technical support). To date, I've been pulling RapidFort containers from Docker Hub, with no problems or constraints so far.
A quick comparison between a RapidFort Nginx container and an official Nginx container:
- Smaller: the RapidFort Nginx container (rapidfort/nginx) is smaller than the official Nginx container, uses less disk space and can share layers with other RapidFort containers.
- More secure: the container is more secure than official Nginx containers, as it is updated and has already been cleaned to correct known vulnerabilities.
- Bitnami-based image, so expect some custom configuration and checking before use (especially to integrate your own data and configuration).
rapidfort/nginx container report: the image size is reduced by a factor of four (!), as is the number of vulnerabilities, compared with the official nginx image.
- Official sources, so you're assured of a container that has been made reliable by its publisher.
- Strict monitoring of configuration, file paths and locations.
- It's not as optimal as it could be, but it works without question.
How I use it
RapidFort containers are updated more slowly than official builds. It's important to note that, given today's IT context, security should take priority over performance.
I use RapidFort containers on a daily basis, including for this website. Whether for MariaDB, Redis or Nginx, I try to use these hardened images as much as possible. Occasionally, certain applications are not compatible with RapidFort builds, notably because a library or program (curl, wget) no longer exists in the image. In such cases, I use an official "stock" image.
An example where I don't use the RapidFort image because there's no added value: Traefik. According to the report, only a few packages have been removed and the base image reduced. This is due to the use of an "Alpine" base image and the bare minimum already installed in the official Traefik build. I therefore use the official image directly, rather than the RapidFort one.
Search for and compare builds, look at the Dockerfile and the way the container is built. Don't trust an image just because it's official: study the design and think about the best way to set up your container, taking into account your infrastructure, your needs and your constraints.
Sometimes I even combine two Dockerfiles to produce my own, with a Debian-slim base, so that I control what goes into the container as closely as possible.
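As an added example (not from the original post), a small POSIX shell script that performs the comparison described above: it pulls an official image and its RapidFort counterpart, reports the size reduction factor, and checks from the exported filesystem (no shell is needed inside the image, which hardened builds may lack) whether tools such as curl or wget survived hardening. The docker CLI and the image tags passed on the command line are assumed to be available.

```shell
#!/bin/sh
# Added example (not part of the original post): compare an official image
# with its RapidFort counterpart on size and on the presence of tools the
# application needs. Assumes docker is installed and the tags exist.
set -eu

# Print an image's size in bytes as reported by docker (pulls it first).
image_size() {
  docker pull -q "$1" >/dev/null
  docker image inspect --format '{{.Size}}' "$1"
}

# List the files inside an image's filesystem without running it:
# hardened images may have no /bin/sh, so "docker exec" is not an option.
image_files() {
  cid=$(docker create "$1")
  docker export "$cid" | tar -tf -
  docker rm "$cid" >/dev/null
}

# Reduction factor official/hardened with one decimal, e.g. 400 100 -> "4.0".
reduction_factor() {
  awk -v a="$1" -v b="$2" \
    'BEGIN { if (b == 0) { print "inf" } else { printf "%.1f\n", a / b } }'
}

# Does a tar listing (on stdin) contain binary $1 in a bin or sbin directory?
has_binary() {
  grep -Eq "(^|/)s?bin/$1\$"
}

# Usage: compare_images OFFICIAL HARDENED [tool ...]
compare_images() {
  official="$1"; hardened="$2"; shift 2
  s_off=$(image_size "$official"); s_hard=$(image_size "$hardened")
  echo "$official: $s_off bytes"
  echo "$hardened: $s_hard bytes (reduction factor $(reduction_factor "$s_off" "$s_hard"))"
  listing=$(image_files "$hardened")
  for tool in "$@"; do
    if printf '%s\n' "$listing" | has_binary "$tool"; then
      echo "  $tool: present in $hardened"
    else
      echo "  $tool: MISSING in $hardened (an app relying on it needs the stock image)"
    fi
  done
}

# Run only when image names are given, e.g.:
#   sh compare.sh nginx:1.24 rapidfort/nginx:1.24 curl wget
if [ "$#" -ge 2 ]; then
  compare_images "$@"
fi
```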
Here I list the RapidFort images I use in my homelab. Rather than using a "latest" version that might be incompatible with other containers, I force a version for each image.
Databases
- https://hub.docker.com/r/rapidfort/mariadb (docker pull rapidfort/mariadb:10.11)
- https://hub.docker.com/r/rapidfort/postgresql (docker pull rapidfort/postgresql:15.3)
- https://hub.docker.com/r/rapidfort/mysql (docker pull rapidfort/mysql:8.0)
- https://hub.docker.com/r/rapidfort/nginx (stable version: docker pull rapidfort/nginx:1.24)
- https://hub.docker.com/r/rapidfort/redis (docker pull rapidfort/redis:7.0)
- https://hub.docker.com/r/rapidfort/prometheus (docker pull rapidfort/prometheus:2.44)
What I'm considering using (tests in progress):
- Ghost : https://hub.docker.com/r/rapidfort/ghost (docker pull rapidfort/ghost:5.52)
- HAProxy : https://hub.docker.com/r/rapidfort/haproxy (docker pull rapidfort/haproxy:2.8)
- ElasticSearch : https://hub.docker.com/r/rapidfort/elasticsearch
- Vault : https://hub.docker.com/r/rapidfort/vault
- Telegraf : https://hub.docker.com/r/rapidfort/telegraf
There are also some container images from the "Iron Bank" entity, named "rapidfort/<image-name>-ib". At first, I was a little surprised to see so little information about this supplier. After a little research, it turns out to be an OCI-compliant image repository that also follows the U.S. Department of Defense's "Container Hardening" guide. So these are hardened images that are hardened even further, strictly adhering to specific processes and conventions. I haven't yet taken the time to test these images, which are very much RHEL-based.
Have you ever used this kind of container image?