Dependency Scanning for Common Vulnerabilities

Vital DevOps: Improving Your Container DevOps Skills

December 16 · Issue #24
Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.

This week’s newsletter is going to cover another security topic, dependency scanning. It is not a Docker-specific best practice, but one of general recommendation. By scanning your images at various stages of the continuous integration/deployment cycle, we can do our best to limit our exposure to CVEs that have already been found and reported.

What Is A Dependency Scan?
Following down my list of Docker security concerns, dependency scans can be integrated at various points in your development process. A dependency scan is a run through your code to see whether your dependencies have any documented vulnerabilities. These scans are best done in the early stages of development, so that if a vulnerability is exposed you won't have to undo your entire CI/CD pipeline to adjust for it. There are three stages at which scanning can alert you to these vulnerabilities: in your code repo, during the image build, and after the image build. The idea behind running these scans early in development is known as “shift left security”. It can save time, money, and peace of mind.
What security concerns should I have with Docker?
4 Practical Steps for 'Shift Left' Security
Scanning Stages
For your code repo to be scanned, a tool like Snyk can be used. Snyk connects to many repository hosting services like GitHub and GitLab, and it displays issues according to their severity level, comparing your dependencies against Snyk's Vulnerability Database. At image build, you can use Aqua Security's Microscanner to check your container images for vulnerabilities and fail the build if a severe issue is found. It can be added with only a few additional lines in your Dockerfile, and can easily be integrated as a CI/CD pipeline step. Trivy is another tool by Aqua Security, and is best used for post-build scans. This scan runs outside of Docker, and Aqua claims it is the most complete scanner.
Snyk Container Security - Container Journal
Snyk Vulnerability Database
Code Repo and Image Scanning (starts at 42:46)
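As an added example (not from this newsletter or from Aqua Security's tools), here is the kind of post-build gate the "fail the build if a severe issue is found" step boils down to: it reads a scanner report, ranks findings by severity, and only blocks on issues at or above a threshold. The report below is constructed in the shape of a Trivy-style JSON report, with made-up package versions and placeholder CVE identifiers; the `fixed_only` switch, which lets unfixable findings through so the build only fails on issues the team can actually act on, is an assumption of this example rather than a tool feature.

```python
import json
from typing import List, Tuple

# Severity ranking used by the gate (assumption: Trivy-style severity labels).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; package names, versions and CVE ids are made up.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "myapp:1.0 (example base image)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
             "InstalledVersion": "2.0.0", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
             "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1",
             "Severity": "LOW"},
        ],
    }]
})


def load_findings(report_json: str) -> List[dict]:
    """Flatten the vulnerabilities of every scanned target into one list."""
    data = json.loads(report_json)
    findings = []
    for result in data.get("Results", []):
        findings.extend(result.get("Vulnerabilities") or [])
    return findings


def gate(report_json: str, threshold: str = "HIGH",
         fixed_only: bool = True) -> Tuple[bool, List[str]]:
    """Return (passed, blocking). A finding blocks the build when its severity
    is at or above the threshold; with fixed_only, findings that have no
    FixedVersion are skipped so the gate only fails on actionable issues."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for v in load_findings(report_json):
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < min_rank:
            continue
        if fixed_only and not v.get("FixedVersion"):
            continue
        blocking.append(f'{v["VulnerabilityID"]} {v["PkgName"]} '
                        f'{v["InstalledVersion"]} -> {v["FixedVersion"]}')
    return (not blocking, blocking)


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT)
    for line in blocking:
        print("BLOCKING:", line)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI step
```

In a pipeline the report would come from the scanner's JSON output file instead of the embedded sample; the exit code is what makes the CI step fail.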
Thanks for reading,
–Bret
Weekly YouTube Live: bretfisher.com/youtube
Course Coupons: bretfisher.com/courses
Bret Fisher, Virginia Beach, Virginia, USA