
Nexus Lifecycle Now Integrates with Red Hat Clair to Secure Containers Across the SDLC

November 25, 2019 By Michelle Dufty

Developers are continuing to leverage containers to reliably move software applications between environments, making them an integral part of every DevOps pipeline. In fact, according to Sonatype’s 2019 State of the Software Supply Chain Report, there are more than 2.2 million containerized applications housed in Docker Hub, up from 900,000 the previous year. And according to the 2019 Container Adoption Survey, developed by Portworx and Aqua Security, 87% of respondents are running container technologies, and 90% of those using containers are doing so in production.

But as with applications, the open source components found within the containers themselves at the runtime and operating system level can be inherently risky. Another recent study by Kenna Security found that 20% of all Docker containers have at least one critical vulnerability and the average container has 176 CVEs.

That is why it is so important to secure containers across every phase of the SDLC, ensuring that developers have precise intelligence into the open source risk at every level of the container: the application, OS, and runtime layers. While we have supported policy enforcement of containerized applications for some time, I am now happy to announce that we have developed an integration with Red Hat Clair (a free open source container scanning solution) to combine Nexus Lifecycle’s unique intelligence and policy enforcement at the application layer with Clair’s insight into open source risk at the operating system and runtime layers.

We heard from customers that a single view into container security is very important and governing open source risk with one normalized Nexus Lifecycle policy is also important. Now both are possible with this new offering. Watch this demo to learn how it works.


In addition to this integration, we also developed a third-party API to make it easy for our customers to integrate with any container scanning solution. Now you can leverage your best-of-breed container scanning solution with Nexus Lifecycle to continue innovating at scale while eliminating risk.

If you are a Nexus Lifecycle customer, you can start using this integration today with IQ Server release 77. Review our Clair Integration documentation and our Third Party API documentation to learn more and get started quickly. As always, if you have questions, connect with Sonatype experts and your peers at my.sonatype.com.


Written by Michelle Dufty

Michelle Dufty is the Senior Director of Product Marketing at Sonatype where she brings solutions to market that unite development, security, and operations teams to accelerate software innovation while minimizing open source risk.