Reduce security vulnerabilities

Red Hat build of Podman Desktop 1.1

Explore how you can reduce the security vulnerabilities of your container images.

Red Hat Customer Content Services

Abstract

Discover, secure, and deploy hardened container images using the bundled Hummingbird and Grype extensions.

Preface

Discover, secure, and deploy hardened container images to significantly reduce attack surface. As a built-in extension, Hummingbird scans your local registry and suggests an alternative hardened image. Combined with the Grype extension, you can compare an image and its alternative including the image size and the number of common vulnerabilities and exposures (CVEs).

The bundled Hummingbird extension provides minimal, hardened, and secure container images. To bring these capabilities into the developer workflow, the Hummingbird extension provides a searchable catalog of these images. The Grype extension integrates Syft and Grype to scan container images and display known security vulnerabilities. The Hummingbird extension uses the Grype extension to provide security scanning and offer a secure image alternative.

Important

The Grype extension is supported outside the core Service Level Agreement (SLA). Bug fixes and feature requests are addressed on a best-effort basis, with a focus on community-led contributions and available technical resources.

Benefits

  • Enhanced security visibility: You can easily scan local images to view in-depth details about security vulnerabilities.
  • Actionable alternatives: Instead of just reporting issues, the extension provides a dedicated page displaying hardened image alternatives from the Hummingbird catalog.
  • Streamlined migrations: A dedicated clone form makes it simple to clone an existing container with a new, secure Hummingbird image. The extension also clones the container configuration and applies it to the new base image.
  • Flexible and resilient: The extension supports multiple providers and handles workflows correctly even if the Grype extension is not installed.

Impact

  • Proactive risk mitigation: Empowers you to confidently identify and assess known security risks before deployment by seamlessly scanning local container images.
  • Streamlined transition to secure containers: Eliminates the friction of adopting secure base images by natively replacing standard APIs with the Hummingbird catalog, providing exact hardened alternatives, and seamlessly automating the cloning process via background tasks.
  • Intelligent image management: Automatically manages complex edge cases during migrations, successfully transitioning users even when the secure Hummingbird base image is physically larger than their current local image.

Chapter 1. Discover, secure, and deploy hardened container images

Using the bundled Hummingbird, you can discover the vulnerabilities in your container images, secure those images by replacing them with alternative hardened base images, and deploy them seamlessly in your workflow.

Prerequisites

Procedure

  1. Go to the Hummingbird page from the left navigation pane.
  2. Perform one of the following steps:

    • Discover a new secure hardened container image:

      1. Click the Catalog tab and locate or search for a hardened image.
      2. Click the Pull button next to that image to pull it to your local registry.
    • Discover a secure alternative to your current base container image and deploy:

      1. Click the Alternative tab. A list of your current images and their hardened image alternative is displayed. You can see the difference in the image size and CVEs for each image. You can also view detailed insights on the alternative and the base image.
      2. Click the container image you want to clone.
      3. Click the Clone button.

        Note

        Select the Stop existing container before proceeding (recommended) option to stop the container before cloning.

        When cloning is complete, a success message is displayed. Also, the configuration of the base image is automatically applied to the alternative container image.
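The comparison shown on the Alternative tab, distinct CVEs and image size for a base image against its hardened alternative, can also be reproduced outside the desktop UI from Grype's own scan output. The following script is an added example and is not code from Podman Desktop, the Hummingbird extension, or the Grype project. It assumes the JSON shape produced by `grype <image> -o json` (a `matches` array whose entries carry `vulnerability.id` and `vulnerability.severity`); the two embedded reports and both image sizes are constructed sample data with placeholder CVE ids, and the alternative image is deliberately made larger to exercise the edge case where the hardened image is physically bigger than the current one.

```python
"""Compare a base image against a hardened alternative from Grype JSON output.

Added example (not Podman Desktop, Hummingbird, or Grype project code).
Assumption: reports follow the shape of `grype <image> -o json`, with
`matches[].vulnerability.id` and `matches[].vulnerability.severity`.
"""
import json
from collections import Counter

# Severity order for the summary, highest first.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")

# Constructed sample reports with placeholder CVE ids (not real findings).
BASE_SCAN = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
         "artifact": {"name": "libexample", "version": "1.0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
         "artifact": {"name": "libexample", "version": "1.0"}},
        # Same CVE matched in a second package: must not be counted twice.
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
         "artifact": {"name": "libexample-dev", "version": "1.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
         "artifact": {"name": "tool", "version": "2.3"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low"},
         "artifact": {"name": "tool", "version": "2.3"}},
    ]
})
ALT_SCAN = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
         "artifact": {"name": "tool", "version": "2.3"}},
    ]
})


def unique_cves(scan_json: str) -> dict:
    """Map each distinct CVE id to its severity.

    One CVE can match several packages in the same image; counting raw
    matches would overstate exposure, so deduplicate on the vulnerability id.
    """
    report = json.loads(scan_json)
    cves = {}
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        cves.setdefault(vuln["id"], vuln.get("severity", "Unknown"))
    return cves


def severity_counts(cves: dict) -> Counter:
    """Count distinct CVEs per severity; unrecognized labels fall under Unknown."""
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for sev in cves.values():
        counts[sev if sev in SEVERITIES else "Unknown"] += 1
    return counts


def compare_images(base_json: str, alt_json: str, base_size: int, alt_size: int) -> dict:
    """Summarize what the alternative removes, keeps, or adds, plus the size delta."""
    base, alt = unique_cves(base_json), unique_cves(alt_json)
    base_counts, alt_counts = severity_counts(base), severity_counts(alt)
    return {
        "base_total": len(base),
        "alt_total": len(alt),
        "removed": sorted(set(base) - set(alt)),
        "remaining": sorted(set(base) & set(alt)),
        "introduced": sorted(set(alt) - set(base)),
        "by_severity": {sev: (base_counts[sev], alt_counts[sev]) for sev in SEVERITIES},
        "size_delta_bytes": alt_size - base_size,
        # A hardened image is not always smaller; surface that explicitly.
        "alternative_is_larger": alt_size > base_size,
    }


def main():
    # Constructed sizes (bytes); the alternative is larger on purpose.
    result = compare_images(BASE_SCAN, ALT_SCAN, base_size=120_000_000, alt_size=135_000_000)
    print(f"Distinct CVEs: base={result['base_total']} alternative={result['alt_total']}")
    for sev, (before, after) in result["by_severity"].items():
        if before or after:
            print(f"  {sev:<10} {before:>3} -> {after:>3}")
    print("Removed:", ", ".join(result["removed"]) or "none")
    print("Introduced:", ", ".join(result["introduced"]) or "none")
    megabytes = result["size_delta_bytes"] / 1_000_000
    note = " (alternative is larger)" if result["alternative_is_larger"] else ""
    print(f"Size delta: {megabytes:+.1f} MB{note}")


if __name__ == "__main__":
    main()
```

The `introduced` list matters as much as `removed`: an alternative that drops many findings but carries a CVE the base image did not have deserves a closer look before cloning, and a larger size by itself is not a reason to reject a hardened image if its CVE count is lower.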

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license. If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.