Dependency Scanning for Common Vulnerabilities

This week’s newsletter is going to cover another security topic, dependency scanning. It is not a Docker-specific best practice, but one of general recommendation. By scanning your images at various stages of the continuous integration/deployment cycle, we can do our best to limit our exposure to CVEs that have already been found and reported.

Following down my list of Docker security concerns, dependency scans can be integrated at various parts of your development. A dependency scan is a run through of your code to see if your dependencies have any documented vulnerabilities. These scans are best to be done in the early stages of development, so that way if a vulnerability is exposed, you wont have to undo your entire CI/CD pipelines to adjust for it. There are three stages to scanning that can alert you of these vulnerabilities; in your code repo, during image build, and after image build. The idea behind running these scans early in development is known as “shift left security”. It can save time, money and peace of mind.

For your code repo to be scanned, a tool like Snyk can be used. Snyk connects to many repository hosting services like GitHub and Gitlab, and it will display issues according to their severity level. It compares your dependencies with their Vulnerability Database. At image build, you can use Aquasecurity’s Microscanner to check your container images for vulnerabilities, and fail the builds if a severe issue is found. It can be added as only a few additional lines in your Dockerfile, and can easily be integrated as a CI/CD pipeline step. Trivy is another tool by Aquasecurity, and is best used for post-build scans. This scan occurs outside of Docker and boasts that they have the most complete scanner.

Thanks for reading,

–Bret

Weekly YouTube Live: bretfisher.com/youtube

Course Coupons: bretfisher.com/courses

Podcast: bretfisher.com/podcast

Twitter: twitter.com/bretfisher