Software Integrity Blog


Black Duck supports securing containers in Red Hat OpenShift and CRI-O

Secure containers with Black Duck OpsSight, a complementary, automated image scanning solution that supports Kubernetes and OpenShift with a CRI-O runtime.

Black Duck and OpenShift 4 supports securing containers in CRI-O

If you’re thinking about using the CRI-O runtime, Synopsys has you covered for securing your containers in Kubernetes and Red Hat OpenShift. With the release of Black Duck™ OpsSight 2.2.2, CRI-O is supported, and it is the default configuration when you deploy OpsSight through, Red Hat OpenShift’s OperatorHub, or the synopsysctl utility.

“Red Hat is very excited about Synopsys’ support of OpenShift 4 and CRI-O. Synopsys tools like Black Duck and the OpsSight Connector bring additive and complementary application security capabilities to our Red Hat OpenShift joint customers. Synopsys has realized the power of Operators by building the Synopsys Operator to easily deploy their security tools.”

—Jason Dobies, Principal Technical Marketing Manager, Red Hat

Securing containers with software composition analysis

Black Duck OpsSight secures containers by automatically identifying and monitoring third-party open source in container images in OpenShift. Let’s dissect this sentence:

  • Black Duck: OpsSight is essentially a Black Duck integration for Kubernetes. We have named it OpsSight for two key reasons:
    1. The integration benefits a slightly different persona (Ops) than the traditional Black Duck persona (Dev).
    2. The integration is completely automated and focuses on scanning containers, whereas traditional Black Duck deployments focus on applications.
  • Automatically: OpsSight is deployed through the Synopsys Operator, which means that its performance is optimized for OpenShift. For example, you can run $ oc get opssights since OpsSight is now a Kubernetes Custom Resource.
  • Monitor: Through the Black Duck KnowledgeBase™, which is maintained by the Synopsys Cybersecurity Research Center team, OpsSight users will be notified of newly discovered vulnerabilities in previously scanned images deployed in OpenShift. Additional metadata will be added in OpenShift through image and pod labels and annotations.

Black Duck OpsSight secures containers by automatically identifying and monitoring third-party open source in all container images in OpenShift.

  • Third-party open source: Red Hat does an amazing job of maintaining a ton of open source and creating patches for their customers. Black Duck OpsSight adds to Red Hat’s capabilities by covering open source software included in the 18,000 data sources that feed the Black Duck KnowledgeBase.
  • Container images: OpsSight scans all container images that are deployed, regardless of image source or registry. OpsSight doesn’t connect to external registries but catches the container image as it’s being deployed. OpsSight can scan images in OpenShift’s internal registry.
  • Images: It’s the last word, but one of the most important to note. OpsSight uses Black Duck software composition analysis to scan the container image. For CRI-O deployments, OpsSight uses the skopeo copy command, which generates an archive file for Black Duck SCA’s signature scan to analyze.

Black Duck OpsSight deployment use cases

I also want to mention a couple of popular OpsSight deployment use cases we have seen over the past two years with our customers.

  1. Secure production. Install OpsSight in every production cluster. This use case ensures that your Operations team knows that every single container image within your cluster is scanned and monitored with Black Duck OpsSight. OpsSight has a very minimal footprint and is not installed on every node.
  2. Secure your OpenShift CI/CD pipeline. If you have set up CI/CD in your OpenShift cluster, you can add OpsSight as a pipeline step to check Black Duck labels on the image to effect the promotion of container images into separate environments, like staging or production. The OpsSight pipeline step essentially just reads the label, because OpsSight automatically scans the image when it’s created earlier in the CI process.

The key to secure containers

Whether you’re just beginning your journey toward container technologies or you’ve been running containers in productions for years, identifying, securing, and monitoring the open source components within those containers needs to be a key part of your process. The good news is Synopsys Software Integrity tools have you covered throughout the entire software development life cycle and into production with Black Duck integrations like OpsSight. The better news is that now you can have complete confidence that OpsSight provides a complementary, automated image scanning solution that supports Kubernetes and OpenShift with a CRI-O runtime.

Learn more about the Synopsys and Red Hat partnership


More by this author