Introduction to OCIR
Last May, Oracle introduced Oracle Cloud Infrastructure Registry (OCIR) on Oracle Cloud Infrastructure for container-native developers to store Docker images.
Usage of this new cloud service has grown rapidly. Its primary use is to store container images and is used along with Container Engine for Kubernetes (OKE), a managed Kubernetes service on Oracle Cloud Infrastructure.
Customers have asked how to scan container images that are stored in OCIR and add more security and control to CI/CD pipelines. To answer these questions, we are highlighting a solution that focuses on vulnerability and compliance - Twistlock.
Connecting a solution like Twistlock is simple. Supply the Twistlock setup screen with a username (in the form of tenancy_name/user_name), an Oracle Cloud Infrastructure-generated auth token, and the target registry, such as phx.ocir.io. You can create service accounts to fulfill this need, with policies limited to read-only access of the registry.
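The following script is an added example, not code from the Oracle post or from Twistlock. It checks that a credential has the tenancy_name/user_name shape the post describes, prints the OCI IAM policy statement that limits the scanner's group to reading repositories, and logs Docker in to the registry with the auth token taken from standard input so the token never appears on a command line. The group name ImageScanners, the tenancy mytenancy and the user scanner-user are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the Oracle post or Twistlock): prepare a read-only
# OCIR service account for an image scanner and verify the login works.
# Placeholders assumed here: mytenancy, scanner-user, ImageScanners.

# OCIR usernames take the form <tenancy_name>/<user_name>: exactly one
# slash, with something on both sides. Returns 0 when the shape is right.
ocir_username_ok() {
  case "$1" in
    */*/*|*/|/*|"") return 1 ;;   # two slashes, empty side, or empty string
    */*) return 0 ;;
    *) return 1 ;;                # no slash at all
  esac
}

# IAM statement for the scanner's group: "read" is the least-privilege verb
# for OCIR repositories, which is all a scanner needs to pull images.
ocir_readonly_policy() {
  printf 'Allow group %s to read repos in tenancy\n' "$1"
}

# Log in to the registry with the auth token read from stdin.
# Usage: printf '%s' "$OCIR_AUTH_TOKEN" | ocir_login phx.ocir.io mytenancy/scanner-user
ocir_login() {
  registry=$1
  user=$2
  if ! ocir_username_ok "$user"; then
    echo "username must look like tenancy_name/user_name, got: $user" >&2
    return 1
  fi
  docker login "$registry" -u "$user" --password-stdin
}

# Only run when invoked with arguments; sourcing the file defines the functions.
if [ "$#" -ge 2 ]; then
  ocir_readonly_policy "${3:-ImageScanners}"
  ocir_login "$1" "$2"
fi
```

Run as `printf '%s' "$OCIR_AUTH_TOKEN" | sh ocir-scanner.sh phx.ocir.io mytenancy/scanner-user ImageScanners`; the policy line printed first is what goes into the tenancy's IAM policy for the scanner group, and a failed login confirms the token or username is wrong before any scanner configuration is touched.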
How Twistlock Helps
Twistlock is a cloud-native security platform. Started in 2015 as the first solution for container security, Twistlock’s platform now uses the benefits of cloud-native technology to make application security better - more automated, more efficient, and more effective.
A key way this happens is by ‘shifting left’ and ensuring security isn’t just a runtime activity. Twistlock’s native integration with OCIR allows Twistlock to identify vulnerabilities and compliance issues for all images stored in the registry, and to block the use of images that contain violations. Preventing risky container images from being deployed reduces your runtime risk and helps development teams correct issues faster.
Twistlock easily integrates with OCIR to provide an overview of risks in your registry
But knowing about a vulnerability isn’t enough for container images. Containers pose three distinct challenges to vulnerability management:
To tackle these problems, Twistlock does three things:
1. Twistlock uses over 30 upstream sources to collect CVE information. It then parses, correlates, and consolidates the data into the Twistlock Intelligence Stream. By comparing multiple sources and going direct to vendors, Twistlock is able to provide a lower false-positive rate than traditional vulnerability management tools.
2. Twistlock generates a risk score for every CVE detected that is specific to your deployment and environment. This lets you prioritize what to fix in the registry, based on the risk that it brings to your production environment.
3. Twistlock provides a per-layer analysis of every CVE detected, showing the exact layer of the container image where the CVE was introduced. This makes fixing vulnerabilities quicker - no more hunting down which layer the CVE originated in.
Twistlock factors in specifics from your environment to create a tailored risk score for each CVE.
Twistlock’s per-layer analysis makes it easy to pinpoint where CVEs are introduced.
To learn how the Twistlock platform provides zero-touch active threat protection, layer 3 micro-segmentation along with cloud-native layer 7 firewalls, and precise vulnerability management, visit Twistlock.com/platform.