Chainguard & Iron Bank Imaging¶
With coordination among Platform One (P1), the government-designated Game Warden Information Systems Security Manager (ISSM), and the Second Front Systems (2F) Security team, each container will be assessed for approval on the Game Warden platform. This process gives 2F the flexibility to assess and accept the risk of application containers.
Containerization and Imaging¶
Your application must be containerized to deploy on the Game Warden platform. Your team is free to utilize whichever container tools you prefer; however, Game Warden recommends the following options to significantly simplify the onboarding of your application to the Game Warden platform:
Chainguard Containers
- While there are fewer container image options available from Chainguard, we recommend checking their inventory first before moving to Iron Bank’s container options.
Iron Bank Containers
- These containers have been scanned by Platform One and offer a number of options to application developers.
Build your own/find other options
- You can build your own containers or find options other than Chainguard or Iron Bank. We recommend Chainguard and Iron Bank for their security compliance, which helps mitigate Common Vulnerabilities and Exposures (CVEs) unearthed by our security scanning tools.
- If you opt for this third option, we recommend utilizing the free, open-source scanning tools Trivy and Grype to get a sense of the CVEs your team will need to resolve.
Note
Critical and High CVEs will be evaluated on a case-by-case basis to determine the security impact. Low and Medium CVEs over the threshold should always be considered for remediation as a priority. A CVE Memo is required for any justification needs, alternatively.
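If you scan your own image with both recommended tools, their JSON reports use different key names and severity casing. The following is an added example (not Game Warden, Trivy or Grype code) that normalizes both report shapes into one list and summarizes the CVEs by severity and by whether a fixed package version exists; the two embedded reports are constructed stubs with placeholder CVE identifiers.

```python
"""Normalize Trivy and Grype JSON reports into one row shape and summarize the CVEs
by severity and fixability.  Added example, not Game Warden or tool-vendor code; the
reports are constructed stubs in the shape each tool emits, with placeholder CVE ids."""
import json
from collections import Counter

# Constructed Trivy report (trivy image --format json); "Vulnerabilities" is null for clean targets.
TRIVY_JSON = json.dumps({"Results": [{"Target": "app (alpine)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libx", "InstalledVersion": "1.0",
     "FixedVersion": "1.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "liby", "InstalledVersion": "2.0",
     "FixedVersion": "", "Severity": "MEDIUM"}]},
    {"Target": "Python", "Vulnerabilities": None}]})
# Constructed Grype report (grype <image> -o json); note the different keys and mixed-case severity.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["1.1"], "state": "fixed"}},
     "artifact": {"name": "libx", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libz", "version": "0.9"}}]})

def from_trivy(text):
    """Rows of (cve, package, SEVERITY, fix_available) from a Trivy report."""
    rows = []
    for res in json.loads(text).get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            rows.append((v["VulnerabilityID"], v["PkgName"],
                         v["Severity"].upper(), bool(v.get("FixedVersion"))))
    return rows

def from_grype(text):
    """Same row shape from a Grype report."""
    rows = []
    for m in json.loads(text).get("matches", []):
        vul, art = m["vulnerability"], m["artifact"]
        rows.append((vul["id"], art["name"], vul["severity"].upper(),
                     vul.get("fix", {}).get("state") == "fixed"))
    return rows

def summarize(*reports):
    """Merge scanner rows: a CVE/package pair counts once; fixable if any scanner has a fix."""
    merged = {}
    for rows in reports:
        for cve, pkg, sev, fixable in rows:
            prev = merged.get((cve, pkg))
            merged[(cve, pkg)] = (sev, fixable or (prev[1] if prev else False))
    return {"total": len(merged),
            "by_severity": dict(Counter(sev for sev, _ in merged.values())),
            "fixable": sum(1 for _, f in merged.values() if f)}
```

Findings with no fix available are the ones most likely to need a CVE Memo, so the `fixable` count is a quick estimate of how much justification writing lies ahead.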
Distroless Images¶
Chainguard and Iron Bank offer collections of container images that include both distroless and development images. Distroless images are designed to be minimal and contain only the software needed to run an application or service. They don't include a shell or package manager; Chainguard's are built using Wolfi, a Linux undistro designed for the cloud-native era.
Where possible, the Game Warden team recommends utilizing distroless containers. Distroless containers provide a number of benefits for your applications and deployments:
- Smaller size, resulting in reduced download times and lower costs
- Enhanced security due to minimized attack surfaces, fewer dependencies, and fewer vulnerabilities
- Simplified management, including easier debugging, reduced build complexity, and improved portability
Base Images¶
The 2F Security team will review the Iron Bank and Chainguard base image vulnerability scans and inherit the vulnerabilities found on those scans if the image is unmodified. If you think a vulnerability should be inherited from the base image, please add a note stating "inherited from base"; the team will then review the vulnerability.
In order to mark CVEs with the "Inherited From Base Image" justification, the base image must be pulled from a trusted source, such as P1 Iron Bank or Chainguard. For Iron Bank:
Note
The CVE in question must be on the Iron Bank Vulnerability Assessment Tracker (VAT) scan at the time of the request for security review. Any CVEs marked "Inherited from base image" that are not on the Iron Bank VAT scan will be sent back to the customer to choose another justification option. If a vulnerability is in the VAT scan but is marked "Needs Justification", it cannot be marked as "Inherited from base image" and will require a justification from the customer. If you are using an image from Iron Bank, the 2F team will compare the Scan Lab results with the VAT results to ensure "Inherited from base image" vulnerabilities are marked correctly.
Tip
There are key components the government AO and 2F evaluate when reviewing vulnerability justifications.
Tip
The Iron Bank Acceptance Baseline Criteria has justification templates to ensure you provide consistent information.
What should we do about findings that are in the parent Iron Bank image?
Chainguard Containers¶
Chainguard is a collection of container images designed for security and minimalism, and is a good alternative to Iron Bank base images. The primary advantage of Chainguard images is their reduced size and complexity, generally resulting in zero Common Vulnerabilities and Exposures. Your team can build upon Chainguard base images and push them to the Game Warden Harbor repository. If you use a Chainguard image with the latest tag, it is free. Chainguard does support older versions of these images, but using them will incur an expense.
Pulling Chainguard Images¶
You can access Images directly from the Chainguard Registry. The Chainguard Registry provides public access to all public Chainguard Images, and provides customer access for Production Images after logging in and authenticating.
Info
There are two different tracks of Chainguard Images: Production Images and Developer Images. Developer Images are publicly available and free to use by anyone. Developer Images always represent images tagged with :latest or :latest-dev. Production Images are enterprise-ready images that come with patch SLAs and features such as Federal Information Processing Standard (FIPS) readiness and unique time stamped tags. There are also specific major and minor versions of open source software available as Production Images.
You can find complete lists of all the Developer and Production Images available to you in the Chainguard Console. After logging in, you will be able to find all the current Developer Images in the 'Public images' tab. If you’ve selected an appropriate Organization in the drop-down menu above the left-hand navigation, you can find your organization’s Production Images in the 'Organization images' tab.
Note
Specific package versions can be made available in Production Images. If you have a request for a specific package version, please contact Chainguard support.
Info
Learn more about Chainguard images here.
Warning
Chainguard images are free only if they have the latest tag. Chainguard will always label their newest images with the latest tag, so if you have automation established to always pull the image with the latest tag into Game Warden, be aware that updates in the image could disrupt your application’s functionality. This can be avoided by pulling the image and tagging it with your app version before pushing to Game Warden.
- If you need to use an image that is not offered for free, please reach out to your TIM or CSM to learn more about our partnership with Chainguard.
Chainguard Frequently Asked Questions¶
What does 2F’s partnership with Chainguard mean for me?
There are two key benefits for Second Front customers: discounted pricing and ease of access to images.
Second Front Systems has negotiated significantly discounted rates on Chainguard images for our customers. We also have a registry powered by Chainguard, so you’ll be able to easily access your Chainguard images.
What should I do if I want to learn more?
Reach out to your Customer Success Manager (CSM)!
It’s important to go through your CSM and not directly to Chainguard. Since these discounts are for Second Front customers only, we have a formal registration process that kicks off when you engage your CSM. This will help Chainguard properly track that you’re a Game Warden customer and expedite your sales process with Chainguard.
What are each team’s roles for the Chainguard billing process?
Once you let your Customer Success Manager know you’re interested, we’ll connect you with a Chainguard sales representative. The sales process is between you and Chainguard. You are agreeing to their terms and payment is between your two teams. Once you’ve closed with Chainguard, the Second Front team steps in to get you access to your new Chainguard images.
Who do I reach out to if I have issues with my image?
The Second Front team is here to help you access your Chainguard images. If there’s a problem with your image, create a ticket with Second Front so we can look into it internally first. If needed, we’ll work with you to engage Chainguard support.
How do I engage Chainguard support?
If you want to engage Chainguard support, you’ll need a login. Let your Customer Success Manager know you’d like one and we can request account creation with the Chainguard team. You’ll receive an email notification that your account has been created, and you’ll be able to log in and submit a ticket.
Which images can I purchase from Chainguard?
Chainguard maintains hundreds of images. You can search for your image of interest here.
What if I don’t see the image I need?
Chainguard is constantly adding new images to their library. If you don’t see an image you need, let your CSM know. If it’s an open source image that Chainguard can support, Chainguard can build it for you in a matter of weeks.
Why would I pay for Chainguard images if there are free images available?
Free Chainguard images are a great resource to explore how to engage with their solution. However, Chainguard does not recommend using their free images for software deploying to production environments. Free images require using the “latest” tag, so they are updated frequently and without notice.
Over time, Chainguard is phasing out their free images and many of their images will not have a free option available.
How can I be confident the image won’t have vulnerabilities?
Search for the image you need here.
Once you find the image, click on the latest version. A side navigation will open on the left of your screen, and you can click the “Vulnerabilities” tab to see if there are any known CVEs.
How often are Chainguard images updated?
Chainguard images are maintained by the Chainguard team and updates are pushed twice daily. Second Front’s registry syncs with these update times, so your images are updated in near real-time.
Who is responsible for addressing vulnerabilities in an image?
Chainguard images have no or few CVEs. Chainguard will help you address a vulnerability (provide appropriate justification, etc.) if it’s a known vulnerability in their image. In most cases, you will see zero vulnerabilities in Chainguard images.
If you build on top of or add software to an image, you (not Second Front or Chainguard) are responsible for any CVEs that exist.
Iron Bank Containers¶
Iron Bank is a registry that stores containerized images that have been scanned by Platform One (P1) and align with Department of Defense (DoD) standards. These images can be pushed to Harbor (instructions here), our secure registry, and eventually deployed to Game Warden.
An Iron Bank container can either be compliant or non-compliant with the Acceptance Baseline Criteria (ABC). There is also an Overall Risk Assessment (ORA) score; 100% is the best, and 0% the worst.
Iron Bank Image Usage and Responsibilities¶
Warning
It is your team’s responsibility to understand the Acceptance Baseline Criteria (ABC) compliance and Overall Risk Assessment (ORA) rating of your Iron Bank containers.
Containers with the following ratings in Iron Bank will have the highest probability of being approved for use on the Game Warden platform:
- Acceptance Baseline Criteria: Compliant
- ORA score: 80% or greater
If an Iron Bank container does not initially satisfy the security requirements, you may be required to select a different image. Containers that do not meet this threshold might still be approved after being reviewed by the Game Warden Security team.
Warning
Containers may become non-compliant and/or receive a lower ORA score at any time when Common Vulnerabilities and Exposures (CVEs) exceed the timeline requirements. To help with this uncertainty, please notify 2F of any Iron Bank containers you plan to use that are currently shown as compliant and have a good ORA score. The Game Warden team will do its best to support their use.
When image compliance changes, your team must coordinate with the image owner, through P1, to resolve the issue. As an alternative, you can migrate to an acceptable image; preferably, this would be an updated and compliant image. If the Iron Bank base image becomes non-compliant due to End of Life (EoL), for example, you should switch to an updated base image with an appropriate ABC rating and ORA score.
Typically, there is a substantial overlap (such as 6-12 months) between when a new base image is introduced and when the previous version becomes EoL. As a best practice, application developers should check for updated image versions monthly (at minimum) and transition to the new releases. This will improve application security and ensure government compliance.
What is End of Life (EoL)?
A container with an End of Life designation will no longer be supported or updated by the image owner. Iron Bank containers marked EoL are less likely to be approved for Game Warden platform deployments. The image below displays an example container which has been marked EoL.
Pulling Containers from Iron Bank¶
To pull containers from Iron Bank (or if your application is not built on an Iron Bank-approved base image):
- Log in to the Iron Bank Hardened Containers Catalog. You will need to create a Platform One SSO account if you do not have this credential.
- Use Search to locate your preferred image in the Catalog.
- Click this image to access the Registry One Docker Pull Command.
- In the example below, the Docker pull command appears as:
`docker pull registry1.dso.mil/ironbank/big-bang/argocd:v2.4.7`
Note
You must be registered and logged in to Registry One for the Docker pull command to work.
Iron Bank Container Approval in Game Warden¶
2F may approve unmodified container images that are ABC compliant or meet acceptable risk levels. It is the responsibility of the application developer to use the latest approved images that can be found on Iron Bank’s website. This ensures the image remains compliant and has the latest (or most current) security updates.
Using the Iron Bank UI, search for the image you would like to use; the latest or most current image appears first. All available images should populate, and you can use the tag drop-down menu to switch between different image versions.
The 2F Security team will review container scans and inherit any artifacts found in the selected container. Game Warden customers will notify the 2F Security team when a new base image is used prior to uploading to the 2F Harbor Repository. When an Iron Bank image is approved for use in Game Warden, the approved vulnerability justifications for the base image will be shown as inherited in Game Warden Scan Lab and in the Deployment Passport; therefore, these vulnerabilities will not require further effort from the application developer.
The Game Warden Scan Lab image below displays examples of Inherited from Base Image justifications.
If a specific image is selected and is comprised of multiple layers, it is possible for the 2F Security team to review the selected container to determine if base layer vulnerabilities can be Inherited from Base Image.
Example
GW Assessment Example
You would like to use a Postgresql11 image that is “Non-compliant” and has an ORA score of 26%. The vulnerabilities in the “Postgresql11” layer are the reason why this container is receiving said scores. You can request that the 2F Security team review this container. When the 2F Security team reviews the “Postgresql11” container, the team finds that the base layer of “Postgresql11” is the latest version of UBI9. UBI9 is “Compliant” and has an ORA score of 85%. Since the base layer of the “Postgresql11” container meets acceptable risk levels, the 2F Security team is able to “Inherit” justifications from ONLY the Iron Bank UBI9 base layer. You must remediate (own) the vulnerabilities included in the Postgresql11 layer.
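The VAT rules from the Base Images note and the layered assessment above combine into a single triage decision per CVE. The following is an added example (not 2F or Iron Bank code) that works through that decision for the Postgresql11-on-UBI9 scenario; the layers, findings and VAT entries are constructed with placeholder CVE identifiers, and it uses the page's "Compliant and ORA of 80% or greater" rating as the screening threshold for the base layer.

```python
"""Work through the page's "Inherited from Base Image" rules for a layered Iron Bank
image (the Postgresql11-on-UBI9 example).  Added example, not 2F or Iron Bank code;
the layers, findings and VAT entries are constructed with placeholder CVE ids, and
the VAT state strings other than "Needs Justification" are likewise constructed."""
from dataclasses import dataclass

ORA_THRESHOLD = 80  # page: "ORA score: 80% or greater"

@dataclass(frozen=True)
class Layer:
    name: str
    abc_compliant: bool   # Acceptance Baseline Criteria rating
    ora: int              # Overall Risk Assessment, percent
    is_base: bool         # pulled unmodified from a trusted source (Iron Bank / Chainguard)

@dataclass(frozen=True)
class Finding:
    cve: str
    layer: str            # layer the scanner attributes the vulnerable package to

def base_meets_threshold(layer):
    return layer.is_base and layer.abc_compliant and layer.ora >= ORA_THRESHOLD

def triage(findings, layers, vat):
    """Map each CVE to its owner.  `vat` maps CVE id -> justification state recorded
    in the Iron Bank Vulnerability Assessment Tracker for the base image."""
    by_name = {l.name: l for l in layers}
    owner = {}
    for f in findings:
        if not base_meets_threshold(by_name[f.layer]):
            owner[f.cve] = "customer: remediate or justify (not in an accepted base layer)"
        elif f.cve not in vat:
            owner[f.cve] = "customer: not in VAT scan, choose another justification"
        elif vat[f.cve] == "Needs Justification":
            owner[f.cve] = "customer: in VAT but unjustified, justification required"
        else:
            owner[f.cve] = "Inherited from base image"
    return owner

# Constructed scenario mirroring the page's example: compliant UBI9 base, customer-owned Postgresql11 layer.
LAYERS = [Layer("UBI9", True, 85, True), Layer("Postgresql11", False, 26, False)]
FINDINGS = [Finding("CVE-0000-0001", "UBI9"), Finding("CVE-0000-0002", "UBI9"),
            Finding("CVE-0000-0003", "UBI9"), Finding("CVE-0000-0004", "Postgresql11")]
VAT = {"CVE-0000-0001": "Justified", "CVE-0000-0002": "Needs Justification"}

def example():
    return triage(FINDINGS, LAYERS, VAT)

if __name__ == "__main__":
    for cve, status in example().items():
        print(cve, "->", status)
```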