In DevSecOps, vulnerability scanning is the process of analyzing software to uncover security weaknesses of varying severity. Scanning images for vulnerabilities empowers developers with awareness of the package versions in their code that could lead to a security compromise.
Why Slim scans your container images
The Slim platform implements vulnerability scanning as part of the overall process to reduce vulnerabilities and improve the security of your application code in production.
Running the scans on all the assets of your containers is an important, necessary step before the optimization phase can begin. Our software assesses risk as a precursor to effectively removing unnecessary components, minimizing file sizes, and reducing the attack surface.
In a world where reputation is the ultimate currency, shipping containers to end users’ machines that end up getting compromised due to a lack of vulnerability remediation is a great way to have your software never downloaded again (by those who are aware of your history).
Additionally, now that users have tools that let them see which vulnerabilities are inside an image, a container consumer can perform their own analysis of the image and point out vulnerabilities that are still present and exploitable, even if the developer believes there are none.
Leverage Slim to scan your containers for vulnerabilities
The Slim platform has an overview section covering vulnerabilities for public and private container images. To view it, you’ll need to have:
- signed into the Slim Developer platform
- selected a container image to analyze, either from the public images available or through connecting a registry.
💡 These initial steps are documented in our Getting Started guide.
Once you’ve selected an image to analyze, the vulnerability scanning process automatically kicks off. You will be taken to the overview page, where you can take a deeper dive into the File Explorer, the container’s Dockerfile, and Packages. A breakdown of each of these sections is detailed in Container Profiles. The results of the multi-vulnerability scan live under the Vulnerabilities tab.
Slim’s algorithm compiles a downloadable report of vulnerabilities based on a combination of open source scanners and proprietary technology. Vulnerabilities are categorized and ordered by severity of risk. Summaries of how each dependency could impact the security of your container are generated in the report.
Slim reports not only the unique vulnerabilities but also the number of occurrences of each vulnerability across the packages in an image.
The benefits of multi-vulnerability scanning
Grype and Trivy are open source scanning tools that Slim leverages to assess the risk level of the contents of your containers. Incorporating multiple sources of truth in our container analyses increases the precision of your results.
Different scanners may produce different results, so a breadth of insight into the security of your containers helps build confidence in where to focus your vulnerability remediation efforts.
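As an added example (not Slim’s own code) of the multi-scanner idea above and of the unique-versus-occurrence count described under the report, the Python below merges a Grype and a Trivy JSON report into one de-duplicated view, reconciles severity disagreements, and ranks packages worst-first. The two reports are constructed samples shaped like the tools’ JSON output (an assumption about their format), with placeholder CVE ids.

```python
import json
from collections import Counter, defaultdict

RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NEGLIGIBLE": 0, "UNKNOWN": 0}

# Constructed sample shaped like Grype's JSON report; CVE ids are placeholders.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High"},
     "artifact": {"name": "openssl", "version": "1.1.1k"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High"},
     "artifact": {"name": "libssl", "version": "1.1.1k"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Medium"},
     "artifact": {"name": "curl", "version": "7.79.0"}}]})

# Constructed sample shaped like Trivy's JSON report; it rates the shared
# openssl finding higher than Grype and adds one finding Grype lacks.
TRIVY_JSON = json.dumps({"Results": [{"Target": "image", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl",
     "InstalledVersion": "1.1.1k", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
     "InstalledVersion": "1.2.11", "Severity": "CRITICAL"}]}]})

def parse_grype(text):
    """Normalise Grype matches to (cve, package, version, SEVERITY) tuples."""
    return [(m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"],
             m["vulnerability"]["severity"].upper()) for m in json.loads(text)["matches"]]

def parse_trivy(text):
    """Same tuple shape, read from Trivy's nested Results list."""
    return [(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], v["Severity"].upper())
            for r in json.loads(text)["Results"] for v in (r.get("Vulnerabilities") or [])]

def merge_findings(*finding_lists):
    """Union keyed on (cve, package, version): an occurrence seen by both tools
    counts once; when the tools disagree on severity the higher rating wins."""
    merged = {}
    for findings in finding_lists:
        for cve, pkg, ver, sev in findings:
            key = (cve, pkg, ver)
            if key not in merged or RANK.get(sev, 0) > RANK.get(merged[key], 0):
                merged[key] = sev
    return merged

def summarize(merged):
    """Unique CVEs vs occurrences, totals by severity, packages worst-first."""
    by_package = defaultdict(Counter)
    for (cve, pkg, _ver), sev in merged.items():
        by_package[pkg][sev] += 1
    ranked = sorted(by_package, key=lambda p: max(RANK.get(s, 0) for s in by_package[p]), reverse=True)
    return {"unique_cves": len({c for c, _, _ in merged}), "occurrences": len(merged),
            "by_severity": dict(Counter(merged.values())),
            "by_package": {p: dict(by_package[p]) for p in ranked}}
```

Feed it the real `grype -o json` and `trivy image -f json` output of the same image to see how much the two scanners overlap and where they disagree.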
Investigating a vulnerability
Let’s take a closer look at the vulnerability report that’s produced. Sometimes, we need more information about a particular vulnerability that’s been uncovered in our container:
- ecosystem source
- the level of risk it poses
- and other Common Vulnerabilities and Exposures (CVE) details
This data is pulled in from the National Vulnerability Database.
When you click into one instance of a vulnerability, you’ll see a risk value in the top left corner. Security analysts use a scoring rubric to produce these results. The score metrics stem from the CVSS and are “not a measure of risk” but rather a “qualitative measure of severity”, according to the NVD.
- The occurrence of the vulnerability across packages
- The exploitability factors
- Reference links that give more insight into the background and status of the container’s vulnerability. At times, these are GitHub discussion links about the source of the problem.
If you need more information from the entity responsible for the package, or more context around the discussions of the vulnerability, the listed “Open View” links take you there.
Depending upon the version of the CVSS, Slim selects the score that most accurately reflects the risk level of the vulnerability.
Vulnerabilities by Package
Clicking on the Packages tab near the top of the page takes you to a summary of vulnerabilities grouped by package and level of risk. The most vulnerable packages are highlighted as part of the summary.
Once you know more about the contents of your container image through the vulnerability report features, you have a better idea of how the hardening/optimization feature can mitigate some of the risks identified.
The next step, which is the hardening process, is detailed in Container Hardening.
Once you’ve hardened your container, you’ll be able to assess the reduction in vulnerabilities. Navigate to Vulnerabilities Diffs to understand more about this feature.
History Charts - You can also view how vulnerability results shift over time as new reports are generated, via the history chart.
Scanner Metadata - All scanners used to generate the vulnerability report data are listed.