The adoption of microservice architecture and containerized workloads at Target continues to grow rapidly across our product teams. This movement has provided our security engineering organization with a number of new challenges as we try to align with modern build processes and ensure that these new dynamic/ephemeral workload structures remain secure. This shift has also provided our group with a number of opportunities to further customize our security tools and create features that provide valuable continuous and self-service capabilities that never existed before.

An example of one of these homegrown innovations is Port Authority, which we first launched at Target in early 2017. Port Authority is an API service that delivers component-based vulnerability assessments for Docker images at build time and in run-time environments. The API can orchestrate scans of individual public or private images as well as of entire private Docker registries hosted on platforms such as Docker Hub, Google Container Registry or Artifactory. To accomplish this, Port Authority breaks each Docker image into its layers and sends them to the open source static analysis tool Clair in the backend, which performs the scan and identifies vulnerabilities. Upon completion of this workflow, Port Authority creates and maintains a manifest of each image and its scan result. Port Authority also provides developers with additional customizable offerings to assist with the audit and governance of their deployed containers. For run-time inspection, Port Authority integrates with Kubernetes to discover running containers and inventory their deployed images for scanning. For enforcement, Port Authority provides a web-hook that, when leveraged by a Kubernetes admission controller, will allow or deny deployments based on customizable policies.

We are now happy to announce that we are taking our API-driven container security service beyond our walls for all security practitioners to use and to further evolve through the developer community.

Open Source project: Port Authority

Scan a Docker Image

Use a simple curl command at any time to have Port Authority initiate a component-based vulnerability scan of any public or private Docker image. The examples below talk to a Port Authority instance reachable at http://192.168.99.100:31700, the minikube deployment that the run-time example also uses; substitute the host and port of your own deployment.

curl -X POST \
  http://192.168.99.100:31700/v1/images \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "Image": {
      "Registry": "https://registry-1.docker.io",
      "Repo": "library/postgres",
      "Tag": "latest",
      "RegistryUser": "",
      "RegistryPassword": "",
      "Metadata": {
        "data": "is so meta"
      }
    }
  }'

Scan a Docker Registry

Configure Port Authority to orchestrate scans of an entire private registry. This includes popular platforms such as Docker Hub, Google Container Registry and Artifactory. The registry credentials travel in the request body, so expose the API only over TLS and to callers you trust.

curl -X POST \
  http://192.168.99.100:31700/v1/crawlers/registry  \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
      "RegCrawler":
      {
        "Registry": "mybinrepo",
        "Repos": ["path/toimage"],
        "Tags": ["latest"],
        "MaxThreads": 100,
        "Username": "mybinrepo_username",
        "Password": "mybinrepo_password"
      }
    }'

Run-time Image Scanning

Port Authority’s APIs create inventories of running containers within a Kubernetes cluster and initiate vulnerability scans using Clair to identify and track security risks post-deployment.

curl -X POST \
  http://192.168.99.100:31700/v1/crawlers/k8s  \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
      "K8sCrawler":
      {
        "KubeConfig": "",
        "Context": "minikube",
        "Scan": true,
        "MaxThreads": 10
      }
    }'

Customizable Policy Engine

Port Authority provides a web-hook that, when leveraged by a Kubernetes admission controller, will allow or deny deployments based on customizable policies and image attributes. Policies are created through the API; the request below creates the policy named "default".

curl -X POST \
  http://192.168.99.100:31700/v1/policies \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "Policy": {
      "Name": "default",
      "AllowedRiskSeverity": "",
      "AllowedCVENames": "",
      "AllowNotFixed": false,
      "NotAllowedCveNames": "",
      "NotAllowedOSNames": ""
    }
  }'
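The policy request above only sets the knobs. To show what an admission decision built on those knobs looks like, here is an added example written for this post; it is not code from Port Authority's own code base, and the meaning it gives each field (a cap on tolerated severity, allow and deny lists of CVE names, a switch for vulnerabilities with no fix, a deny list of base-OS names), the Clair severity ordering it uses, and the constructed scan result with its placeholder CVE names are all assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy mirrors the field names of the policy JSON posted above. The
// meaning assigned to each field is this example's assumption, not a
// description of Port Authority's own evaluation logic.
type Policy struct {
	Name                string
	AllowedRiskSeverity string // highest Clair severity tolerated; "" means no cap
	AllowedCVENames     string // comma-separated CVE names exempted from every check
	AllowNotFixed       bool   // whether vulnerabilities without a fix are tolerated
	NotAllowedCveNames  string // comma-separated CVE names that always deny
	NotAllowedOSNames   string // comma-separated base-OS names that always deny
}

// Vulnerability holds the fields of a Clair v1 vulnerability record the check uses.
type Vulnerability struct {
	Name     string
	Severity string
	FixedBy  string // empty when no fixed version is known
}

// ImageReport is a flattened, per-image view of a scan result.
type ImageReport struct {
	OSName          string // e.g. "debian:9", as Clair names its namespaces
	Vulnerabilities []Vulnerability
}

// severityRank orders Clair's severity labels from least to most severe.
var severityRank = map[string]int{
	"unknown": 0, "negligible": 1, "low": 2, "medium": 3,
	"high": 4, "critical": 5, "defcon1": 6,
}

// csvSet turns a comma-separated policy field into a lower-cased lookup set.
func csvSet(field string) map[string]bool {
	set := map[string]bool{}
	for _, item := range strings.Split(field, ",") {
		if item = strings.TrimSpace(item); item != "" {
			set[strings.ToLower(item)] = true
		}
	}
	return set
}

// Evaluate decides whether img may be deployed under p. It returns false
// together with one reason per violation; an empty reason list means allow.
func Evaluate(p Policy, img ImageReport) (bool, []string) {
	var reasons []string
	allowedCVEs := csvSet(p.AllowedCVENames)
	deniedCVEs := csvSet(p.NotAllowedCveNames)
	deniedOS := csvSet(p.NotAllowedOSNames)

	if deniedOS[strings.ToLower(img.OSName)] {
		reasons = append(reasons, "base OS "+img.OSName+" is not allowed")
	}

	// Resolve the severity cap once. An unrecognised cap label fails closed:
	// it is treated as "nothing above unknown".
	capRank, capped := 0, false
	if p.AllowedRiskSeverity != "" {
		capped = true
		if r, ok := severityRank[strings.ToLower(p.AllowedRiskSeverity)]; ok {
			capRank = r
		}
	}

	for _, v := range img.Vulnerabilities {
		name := strings.ToLower(v.Name)
		switch {
		case deniedCVEs[name]:
			reasons = append(reasons, v.Name+" is explicitly denied")
		case allowedCVEs[name]:
			// exempted by the allow list, whatever its severity or fix state
		case v.FixedBy == "" && !p.AllowNotFixed:
			reasons = append(reasons, v.Name+" has no fix available")
		case capped:
			// A severity label missing from the table ranks above every cap.
			rank, ok := severityRank[strings.ToLower(v.Severity)]
			if !ok || rank > capRank {
				reasons = append(reasons, fmt.Sprintf("%s severity %s exceeds cap %s",
					v.Name, v.Severity, p.AllowedRiskSeverity))
			}
		}
	}
	return len(reasons) == 0, reasons
}

// SampleReport is a constructed scan result; the CVE names are placeholders, not real identifiers.
func SampleReport() ImageReport {
	return ImageReport{
		OSName: "debian:9",
		Vulnerabilities: []Vulnerability{
			{Name: "CVE-0000-0001", Severity: "High", FixedBy: "1.2-1"},   // allow-listed
			{Name: "CVE-0000-0002", Severity: "Low", FixedBy: "2.0-1"},    // explicitly denied
			{Name: "CVE-0000-0003", Severity: "Medium", FixedBy: ""},      // no fix yet
			{Name: "CVE-0000-0004", Severity: "Critical", FixedBy: "3.1"}, // above the cap
			{Name: "CVE-0000-0005", Severity: "Low", FixedBy: "0.9-2"},    // fine
		},
	}
}

// SamplePolicy caps tolerated severity at Medium and pins one CVE each way.
func SamplePolicy() Policy {
	return Policy{Name: "default", AllowedRiskSeverity: "Medium",
		AllowedCVENames: "CVE-0000-0001", NotAllowedCveNames: "CVE-0000-0002",
		NotAllowedOSNames: "debian:7"}
}

func main() {
	allowed, reasons := Evaluate(SamplePolicy(), SampleReport())
	fmt.Println("allowed:", allowed)
	for _, r := range reasons {
		fmt.Println(" -", r)
	}
}
```

Note what the all-empty policy in the request above means under these assumptions: with no severity cap and no lists, the only thing that still denies a deployment is AllowNotFixed being false, so any image carrying a vulnerability with no fixed version is blocked. Decide deliberately whether that is the default you want before wiring the web-hook into an admission controller.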

The primary author and architect of Port Authority is Erik Thoreson, a lead engineer on the digital security team at Target. Port Authority was the first API service that Erik ever built and released for the enterprise. The following engineers contributed to the open source effort: