Evaluating Container Security with Container Hardening Priorities: Some CHPs for Your SLSA
When you are evaluating the security of a container image, what are some of the criteria you look for? Certainly you don’t want to see many CVEs, but how are you assessing the total number of packages or determining where the image and its software is coming from? If you are someone who builds container images, how are you making guarantees to your end users around their security posture?
At Chainguard, we wanted to enable an easier assessment of images and provide a way to communicate the security of an image, ultimately helping teams make educated decisions around what images to run in production. Inspired by the Supply-chain Levels for Software Artifacts (SLSA) framework that communicates levels of assurance for software artifacts across the supply chain, Container Hardening Priorities (CHPs) provides concrete criteria for assessing the security of container images. CHPs is intended to be complementary to SLSA (hence the naming) and is focused on building container images, while SLSA takes a wider, holistic approach to supply chain security.
CHPs helps teams identify potential areas of improvement, and can be used to aid comparisons between images. By using CHPs as a standard across container images, you can more readily evaluate container images against each other, and be more informed about what security factors are essential for you, whether you are the end user or image builder.

CHPs Criteria
To keep the scope manageable, our first release of CHPs focuses on build-time characteristics. In the future, we may consider expanding to cover runtime criteria such as making filesystems read-only and controlling network access.

The criteria are split into four areas:
Minimalism: More software in a container means more potential for vulnerabilities. More tooling gives attackers extra resources they can use to further an attack (sometimes called Living Off The Land). This area checks how well the container image limits the software and tooling available.
Provenance: It's important to know where your images come from. You should know who built them and what's inside them. This area checks whether images are signed and how much control the image builder has over their contents.
Configuration and Metadata: This area checks the container configuration for various security best practices such as running as a non-root user.
Vulnerabilities: Vulnerabilities are software flaws or weaknesses that can potentially be exploited by an attacker. This area focuses on using tooling to identify if images have known CVEs.
For each of these areas, the criteria have been split across levels named after chili peppers. Higher levels indicate criteria that are typically harder work or more complex to achieve, so signing images is relatively straightforward and at the only slightly spicy "Jalapeno" level, whereas having a fully reproducible build for an image is relatively complex and warrants the "Ghost" level.
The criteria are intended to provide the basis for conversations around potential improvements; they are not a guarantee of security. Each criterion's importance and relevance are highly dependent on context.
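To make the four areas concrete, here is an added illustration (not the CHPs spec or Chainguard's grading tool) of how an automated grader can map one image onto them. It runs over a constructed OCI image config and package list; the living-off-the-land tool list, the package-count threshold, and the `signed` and `known_cves` inputs are assumptions standing in for a signature check and a vulnerability scan.

```python
import json

# Constructed sample OCI image config (the kind of JSON `docker inspect` or
# `crane config` returns for an image), trimmed to the fields used below.
SAMPLE_CONFIG = json.loads("""
{"config": {"User": "", "Entrypoint": ["/app/server"], "Env": ["PATH=/usr/bin"]},
 "rootfs": {"type": "layers", "diff_ids": ["sha256:aaaa", "sha256:bbbb"]}}
""")

# Constructed package list, as an SBOM for the image would enumerate it.
SAMPLE_PACKAGES = ["ca-certificates", "busybox", "bash", "curl", "libssl3", "myapp"]

# Hypothetical denylist: general-purpose tooling an intruder can reuse inside
# the container (living off the land). Not the CHPs spec's list.
LOTL_TOOLS = {"bash", "busybox", "curl", "wget", "netcat", "python3", "perl"}

def check_non_root(config: dict) -> bool:
    """Configuration and Metadata: the image must declare a non-root user."""
    user = config.get("config", {}).get("User", "")
    name = user.split(":")[0]          # "1000:1000" -> "1000"; "" stays ""
    return name not in ("", "root", "0")

def check_minimalism(packages, max_packages=40):
    """Minimalism: few packages and no living-off-the-land tooling.
    max_packages is an assumed example threshold, not a CHPs value."""
    found = sorted(set(packages) & LOTL_TOOLS)
    return {"package_count": len(packages), "lotl_tools": found,
            "passed": len(packages) <= max_packages and not found}

def grade(config, packages, signed, known_cves):
    """Map one image onto the four CHPs areas (True = criterion met).
    `signed` and `known_cves` come from an external signature check and
    scanner (e.g. cosign, grype); this grader does not talk to registries."""
    minimal = check_minimalism(packages)
    return {
        "minimalism": minimal["passed"],
        "provenance": signed,
        "configuration": check_non_root(config),
        "vulnerabilities": known_cves == 0,
        "findings": {"lotl_tools": minimal["lotl_tools"],
                     "package_count": minimal["package_count"]},
    }

if __name__ == "__main__":
    print(json.dumps(grade(SAMPLE_CONFIG, SAMPLE_PACKAGES, signed=True, known_cves=2),
                     indent=2))
```

For the sample image the grader reports the empty `User` field and the shell and download tooling as failures, which is the kind of finding the areas above are meant to surface before an image reaches production.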
Grading
We developed a grading tool that can be used to automatically assess images against the criteria and produce badges that can be used on GitHub project pages.

For users, automated grading can help ease the pre-work burden of thinking through the security of a container image, or offer a gut check for images you are already using or have selected.
For projects that are providing images, grading can provide an easy way for you to show the security posture of your container images, while also identifying areas that you might want to improve on.
Contribute to CHPs
We are actively looking for collaborators to join us in taking the specification forward. Send us an email at chps@chainguard.dev if this sounds interesting to you! If you have some specific feedback, feel free to open an issue or pull request on the repository. And of course, you can contact us if you have any other questions.
Please take a look at the spec and grading tool and see how your images score!