Page Comparison

1

Select base image

Choose a lightweight, reliable base image. Consider using official or security-enhanced images. i-PRO's SDK provides base images, so please use them unless you need additional information.

2

Image vulnerability scan

Regularly scan container images with tools to identify and remediate vulnerabilities.

3

Creating a secure Dockerfile

Create Dockerfile securely. Don't install unnecessary packages, use ADD instead of COPY, minimize user privileges, etc. Many of these practices can be detected by the vulnerability tools listed above.

4

Applying security context

Minimize risk by setting appropriate permissions and resource limits on your containers. The i-PRO camera restricts these settings, and an error will occur if you try to start the container with settings outside the permitted range. To avoid this error, please use the template settings provided by i-PRO.

5

Container network security

Configure your network settings appropriately and avoid opening unnecessary ports. It also applies security policies to communication between containers.

6

Logging and monitoring

Monitor containers and collect logs to quickly detect anomalies and security incidents. It is necessary to implement output logging with an appropriate amount and content.

7

Confidential data measures

Avoid keeping sensitive data inside containers. If you want to handle sensitive data or safely manage application settings, you need to take measures such as using a secure storage solution. The i-PRO camera provides a data storage environment using named volumes as a method.

8

CI/CD pipeline security

ビルド、テスト、デプロイの各ステージでセキュリティチェックを実施し、不正な操作や脆弱性のあるコードを検出・修正します。先述の脆弱性のスキャンツールの使用もその一つです。CI/CDパイプラインに適切なアクセス制御を設定し、セキュリティのベストプラクティスを遵守してください。

9

SBOMの作成と管理

脆弱性の管理やサプライチェーンリスクマネジメントのために、SBOMを作成・管理し、イメージに含まれるOSSを把握することを推奨します。We perform security checks at each stage of build, test, and deployment to detect and fix unauthorized operations and vulnerable code. This includes using the vulnerability scanning tools mentioned above. Set up appropriate access controls in your CI/CD pipeline and adhere to security best practices.

9

Creating and managing SBOM

Create and manage SBOM for vulnerability management and supply chain risk management. We recommend that you understand the OSS included in the image.

buildhost$ dockle  mcr.microsoft.com/azureiotedge-simulated-temperature-sensor:1.0

INFO     - CIS-DI-0005: Enable Content trust for Docker

• export DOCKER_CONTENT_TRUST=1 before docker pull/build

INFO     - CIS-DI-0006: Add HEALTHCHECK instruction to the container image

• not found HEALTHCHECK statement

INFO     - CIS-DI-0008: Confirm safety of setuid/setgid files

• setuid file: urwxr-xr-x bin/su

• setuid file: urwxr-xr-x usr/bin/chsh

           <<<<........ SNIP ........>>>>

• setgid file: grwxr-xr-x sbin/unix_chkpwd

INFO     - DKL-LI-0003: Only put necessary files

• unnecessary file : app/docker/linux/arm64v8/base/Dockerfile

• unnecessary file : app/docker/linux/arm32v7/base/Dockerfile

           <<<<........ SNIP ........>>>>

• unnecessary file : app/docker/windows/arm32v7/base/Dockerfile