Project Copacetic: Directly patch container image vulnerabilities

<img src="./images/copa-color.png" alt="Copa logo" width="25%" />

copa is a CLI tool, written in Go and built on BuildKit, that directly patches container images using the vulnerability scanning results produced by popular scanners such as Trivy.

For more details and how to get started, please refer to the full documentation.

Demo

[Demo animation: intro]

Why?

We needed the ability to patch containers quickly without going upstream for a full rebuild. As the window between vulnerability disclosure and active exploitation continues to narrow, there is a growing operational need to patch critical security vulnerabilities in container images so they can be quickly redeployed into production. The need is especially acute when those vulnerabilities are:

[Figure: direct image patching]

In addition to filling the operational gap left by shift-left security practices and tools, the ability of copa to patch a container image without requiring a rebuild provides other benefits:

How?

The copa tool is an extensible engine that:

  1. Parses the needed update packages from the container image's vulnerability report produced by a scanner such as Trivy. New adapters can be written to accommodate more report formats.
  2. Obtains and processes the needed update packages using the appropriate package manager tools such as apt, apk, etc. New adapters can be written to support more package managers.
  3. Applies the resulting update binaries to the container image using BuildKit.
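The following is an added example, written for this page and not copa's own code, that walks through steps 1 and 2 in miniature: it reads a Trivy-style JSON report, keeps only the OS-package findings that actually have a fix available, maps the image's distro family to the package manager that must perform the upgrade, and emits the upgrade command. The report content (image name, package names, versions and CVE ids) is constructed placeholder data; the `PACKAGE_MANAGERS` mapping and the `parse_update_plan` and `upgrade_command` functions are assumptions made for this illustration, not copa's adapters.

```python
"""Derive an OS-package update plan from a Trivy-style JSON report.

Added example for this page (not copa's code). It mirrors steps 1 and 2
of the pipeline: parse the scanner report, select fixable OS packages,
and hand them to the distro's package manager.
"""
import json
from collections import defaultdict

# Constructed report in the shape of Trivy's JSON output. The image name,
# packages, versions and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Metadata": {"OS": {"Family": "debian", "Name": "12.1"}},
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (debian 12.1)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
                 "InstalledVersion": "1:1.2.13-1",
                 "FixedVersion": "1:1.2.13.dfsg-1", "Severity": "CRITICAL"},
                # No FixedVersion: a package upgrade cannot close this one.
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "bash",
                 "InstalledVersion": "5.2-1", "Severity": "LOW"},
            ],
        },
        {
            # Language-level findings are outside what OS package tooling fixes.
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "requests",
                 "InstalledVersion": "2.30.0", "FixedVersion": "2.31.0",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

# Hypothetical mapping from the distro family the scanner reports to the
# package manager that performs the upgrade (the "adapter" in step 2).
PACKAGE_MANAGERS = {"debian": "apt", "ubuntu": "apt", "alpine": "apk"}


def parse_update_plan(report_json):
    """Return (package_manager, {package: sorted fixed versions}, unfixable ids)."""
    report = json.loads(report_json)
    family = report.get("Metadata", {}).get("OS", {}).get("Family")
    manager = PACKAGE_MANAGERS.get(family)
    if manager is None:
        raise ValueError(f"unsupported OS family: {family!r}")

    fixes = defaultdict(set)
    unfixable = []
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue  # only OS packages are in scope for image patching
        for vuln in result.get("Vulnerabilities", []):
            fixed = vuln.get("FixedVersion")
            if fixed:
                fixes[vuln["PkgName"]].add(fixed)
            else:
                unfixable.append(vuln["VulnerabilityID"])
    plan = {pkg: sorted(versions) for pkg, versions in fixes.items()}
    return manager, plan, unfixable


def upgrade_command(manager, plan):
    """Build the package-manager invocation for the planned upgrades.

    Version selection is delegated to the package manager, which installs
    the newest version in the configured repositories; a rescan of the
    patched image is what confirms each finding is actually closed.
    """
    pkgs = " ".join(sorted(plan))
    if manager == "apt":
        return f"apt-get update && apt-get install -y --only-upgrade {pkgs}"
    if manager == "apk":
        return f"apk update && apk upgrade {pkgs}"
    raise ValueError(f"no command template for {manager!r}")


if __name__ == "__main__":
    mgr, plan, skipped = parse_update_plan(SAMPLE_REPORT)
    print("package manager:", mgr)
    for pkg, versions in plan.items():
        print(f"  {pkg}: fixed in {', '.join(versions)}")
    print("no fix available:", skipped)
    print(upgrade_command(mgr, plan))
```

Two details matter for a practitioner: findings without a `FixedVersion` are reported separately rather than silently dropped, because no package update can close them and they need a different remediation path, and language-package results are excluded because OS package managers do not touch them. The command string is what step 3 would run inside the image via BuildKit; rescanning the patched image afterwards is the check that the upgrades reached at least the fixed versions.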

[Figure: report-driven vulnerability patching]

This approach is motivated by the core principles of making direct container patching broadly applicable and accessible:

Contributing

There are several ways to get involved:

The project welcomes contributions and suggestions that abide by the CNCF Code of Conduct.