According to Dirk Hohndel, VP and chief open source officer at VMware, compliance for containers remains a significant issue in the open source field and one that poses a huge risk to the community. In trying to sound the alarm, he sat down for an episode of TFiR’s “Let’s Talk” series to discuss the compliance and security of container images, echoing the message he delivered during a previous “Don’t Ship That Container” presentation at Open Compliance Summit. Both highlighted challenges around how to package and deploy secure containers, explaining how the format works and illuminating the struggle to understand vulnerabilities inside a container image. 
During his appearance on “Let’s Talk,” Dirk explained to Swapnil Bhartiya why established industry practices for container security aren’t necessarily the best policies. “One of the key concerns is if you look at the Dockerfiles for a lot of the containers that you can get from Docker Hub, you will see in these Dockerfiles things that are allegedly best practices but in my mind are actually worst practices,” Dirk said. For example, Dirk mentioned that the prevalence of downloading a random binary from a user’s GitHub account, making it executable and running it in a container represents a security and compliance nightmare for developers and security teams.
Conceptually, container compliance isn’t a new problem, but most developers look at containers as something completely new and for which the rules and requirements just changed. In reality, containers are package informant. Most in the industry are overlooking many of the crucial components that come with packaging and shipping containers. The way in which the tooling around container compliance works and the established practices in the industry have created an environment where the right thing isn’t always done, according to Dirk. This may lead to vulnerabilities in a containerized application that forms the basis of another platform. (As an aside, we recently profiled, which completes vulnerability scanning of a given container image.)
Because of that, “this whole topic is something that has grown in attention, relevance and participation over the last year,” Dirk said. In fact, the Linux Foundation recently launched their Automated Compliance Tooling (ACT) project. The ACT initiative, which VMware donated its Tern project to, is meant to help people better understand what’s inside their containers and manage compliance requirements. Ultimately, this type of coordinated initiative is critical for a secure open source environment.
It also hammers home the overlooked aspect of container compliance. This isn’t a criticism of containers—the underlying technologies are solid and strong. Rather, it’s a comment on how the industry is changing and how we’re putting these solutions together and thinking about innovation in this space. Containers have been around for years; what’s different now is the context in which they’re used, how they’re used and the open source infrastructure built around them.
“The thing that to me is so interesting about open source is that it allows us to work together in a way we didn’t have two decades ago, where the large companies are working together to improve the core technologies that we all work on,” Dirk said. “It’s really rewarding to see these teams of stout competitors sit together and have great conversations on the next version, the next release, the next feature and how to move the community forward. To me, that’s a great sign of something that we didn’t have in the past and where the open source community has kind of changed the rules on the playground.”
Container compliance is a challenging endeavor, make no mistake about it. As VMware’s Nisha Kumar writes in her comprehensive blog on the subject, “the challenge with automating OSS compliance for containers stems from the fact that containers are built in an imperative way, despite there being build scripts and Dockerfiles for individual containers and configuration management for container orchestrator.” That’s why she created Tern, which inspects a container image and finds the metadata of the packages that are installed in it. This type of vulnerability scanning is crucial to encouraging a secure open source ecosystem.
With more member of the open source community beginning to talk about it container compliance, Dirk hopes that the importance of compliant containers in open source will become a normal, more streamlined practice to help with securing containers and software infrastructure.
Watch Dirk’s full interview here and be sure to stay tuned to the Open Source Blog and follow us on Twitter (@vmwopensource) for more around microservices and containers, workloads, container image registry, container orchestration and much more.
