Dependency Scanning for Common Vulnerabilities

Bret Fisher
This week’s newsletter covers another security topic, dependency scanning. It is not a Docker-specific best practice but a general recommendation. By scanning your images at various stages of the continuous integration/deployment cycle, we can do our best to limit our exposure to CVEs that have already been found and reported.

What Is A Dependency Scan?
Continuing down my list of Docker security concerns, dependency scans can be integrated at various points in your development process. A dependency scan is a run-through of your code to see whether your dependencies have any documented vulnerabilities. These scans are best done in the early stages of development, so that if a vulnerability is exposed you won't have to undo your entire CI/CD pipeline to adjust for it. There are three stages at which scanning can alert you to these vulnerabilities: in your code repo, during the image build, and after the image build. The idea behind running these scans early in development is known as “shift left security”. It can save time, money, and peace of mind.
4 Practical Steps for 'Shift Left' Security
Scanning Stages
To scan your code repo, a tool like Snyk can be used. Snyk connects to many repository hosting services such as GitHub and GitLab, and it displays issues according to their severity level, comparing your dependencies against its Vulnerability Database. At image build time, you can use Aqua Security’s MicroScanner to check your container images for vulnerabilities and fail the build if a severe issue is found. It adds only a few lines to your Dockerfile and can easily be integrated as a CI/CD pipeline step. Trivy is another Aqua Security tool, best used for post-build scans. It runs outside of Docker, and Aqua claims it is the most complete scanner.
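As an added example (not from this newsletter or from any of the tools named above), here is the kind of CI gate the post-build stage calls for: it reads a scanner's JSON report and fails the pipeline step when a finding meets a severity threshold. It assumes Trivy's JSON layout (a top-level "Results" list, each entry carrying a "Vulnerabilities" list with "Severity" and "FixedVersion" fields); the report embedded below is constructed, as are its CVE identifiers.

```python
"""CI gate over a post-build image scan report (added example).

Assumption: the report is Trivy JSON (`trivy image --format json`), i.e. a
document with a top-level "Results" list whose entries each hold a
"Vulnerabilities" list of objects with "VulnerabilityID", "PkgName",
"InstalledVersion", "FixedVersion" and "Severity".
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report standing in for real scanner output; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app:1.0 (alpine 3.12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "InstalledVersion": "1.0",
             "FixedVersion": "1.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2",
             "FixedVersion": "", "Severity": "LOW"},
        ]},
        {"Target": "Python", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests", "InstalledVersion": "2.0",
             "FixedVersion": "2.1", "Severity": "MEDIUM"},
        ]},
    ]
})


def findings_at_or_above(report_json, threshold="HIGH", fixed_only=False):
    """Return (id, package, target, severity) tuples at or above the threshold.
    With fixed_only=True, findings that have no fixed version yet are skipped,
    so an unfixable base-image CVE does not block every build."""
    report = json.loads(report_json)
    # Older Trivy releases emitted a bare list instead of {"Results": [...]}.
    results = report["Results"] if isinstance(report, dict) else report
    hits = []
    for result in results:
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < SEVERITY_RANK[threshold]:
                continue
            if fixed_only and not v.get("FixedVersion"):
                continue
            hits.append((v["VulnerabilityID"], v["PkgName"], result["Target"], v["Severity"]))
    return hits


def gate(report_json, threshold="HIGH"):
    """Exit code for the pipeline step: 1 fails the build, 0 lets it pass."""
    hits = findings_at_or_above(report_json, threshold)
    for vid, pkg, target, sev in hits:
        print(f"{sev:8} {vid} in {pkg} ({target})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Pipe a real report in (trivy image --format json app:1.0 | python gate.py HIGH);
    # without stdin, the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(data, sys.argv[1] if len(sys.argv) > 1 else "HIGH"))
```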
Snyk Container Security - Container Journal
Snyk Vulnerability Database
Code Repo and Image Scanning (starts at 42:46)
Thanks for reading,
Bret Fisher @bretfisher

Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.

Created with Revue by Twitter.
Bret Fisher, Virginia Beach, Virginia, USA