Vulnerabilities Detection Tools with Secure DevOps-Part 1


This article is about security scanning and vulnerability detection tools for secure DevOps. These DevOps security tools can be used in an environment to identify vulnerabilities and security flaws in the early stages of application development.

Security testing has always been an important step in the application development process. Yet traditional measures often occur too late in the process to find and fix vulnerabilities before they cause costly production delays.

Securing code in a DevOps development environment requires managing the software supply chain, checking the security of common components and frameworks, adopting a framework to automate testing, and analysing vulnerabilities as early as possible.

There are two main parts to discuss: image scanning tools and runtime security tools. Part 1 discusses image scanning tools. There are many image scanning tools that help to detect image vulnerabilities. Some of them are Trivy, Clair, Cilium, Dagda, Anchore Engine, Docker Bench, OpenSCAP, Notary, Aquasec and Blackduck.

1. Trivy

  • Higher vulnerability detection accuracy (11101) than Clair.
  • Trivy has a client/server mode.
  • Collects all vulnerability information for Alpine Linux, saved in vuln-list.
  • Easily scans images by image name and version and gives a standard output.
  • Stand-alone tool that scans very fast, which makes it very easy to use in CI/CD.
  • Open-source scanner for container images; it can be run inside a container to scan its own image.
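As an added example (not code from the original post or from the Trivy project), this is the kind of CI/CD gate the bullets above describe: a small script that reads the JSON report Trivy writes with `--format json` and fails the job on HIGH/CRITICAL findings that already have a fix. The report layout used for the constructed sample is an assumption about Trivy's output, and the CVE ids are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output
# (assumption: the Results/Vulnerabilities layout of recent Trivy versions).
# The CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "example/app:1.0 (alpine 3.12.0)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl",
         "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1h-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "musl",
         "InstalledVersion": "1.1.24-r9", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "busybox",
         "InstalledVersion": "1.31.1-r16", "FixedVersion": "1.31.1-r19", "Severity": "LOW"},
    ]}]})

BLOCKING = {"HIGH", "CRITICAL"}

def gate(report_json, blocking=BLOCKING, allowlist=(), require_fix=True):
    """Return (passed, severity_counts, blockers) for a Trivy JSON report.

    A finding blocks the build when its severity is in `blocking`, its id is not
    allow-listed and, if require_fix is set, a fixed version exists, so that
    unfixable findings are still counted but do not stall every pipeline run.
    """
    data = json.loads(report_json)
    # Older Trivy releases emitted a bare list of results instead of an object.
    results = data["Results"] if isinstance(data, dict) else data
    counts, blockers = Counter(), []
    for result in results:
        for v in result.get("Vulnerabilities") or []:
            counts[v["Severity"]] += 1
            if v["Severity"] not in blocking or v["VulnerabilityID"] in allowlist:
                continue
            if require_fix and not v.get("FixedVersion"):
                continue  # counted above, but no upgrade path exists yet
            blockers.append(f'{v["VulnerabilityID"]} {v["PkgName"]} '
                            f'{v["InstalledVersion"]} -> {v["FixedVersion"]}')
    return not blockers, dict(counts), blockers

if __name__ == "__main__":
    passed, counts, blockers = gate(SAMPLE_REPORT)
    print("severity counts:", counts)
    print("\n".join(blockers) or "no blocking findings")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI job
```

In a real pipeline the report would come from `trivy image --format json` on the freshly built image; the allow-list is where accepted, documented exceptions go rather than a blanket severity downgrade.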

2. Clair

  • Lower vulnerability detection accuracy (6959) than Trivy.
  • Clair uses the alpine-secdb database, which is not a complete database of all security issues.
  • Analyses the image after applying all layers.
  • Scanning is slow, which makes it difficult to use in CI/CD.

3. Cilium

  • Cilium brings API-aware network security filtering to Linux container frameworks such as Docker and Kubernetes.
  • Designed for scale: no node-to-node interactions required.
  • Identity-based security: Cilium's visibility and security policies are based on the container orchestrator identity.

4. Dagda

  • Dagda is a tool to perform static analysis of known vulnerabilities in Docker images and containers.
  • Dagda retrieves information about the software installed in your Docker images, such as the OS packages and the programming-language dependencies, and verifies each product and its version.

5. Anchore Engine

  • Anchore Engine is an open-source project that provides a centralized service for inspection and analysis of container images, and applies user-defined acceptance policies to allow automated validation and certification of those images.

These are the main image scanning tools that can help to identify vulnerabilities in DevOps. Runtime security tools are discussed in Part 2, the next article.

3rd Year Undergraduate, University of Moratuwa.
