This article is about security-scanning tools for vulnerability detection in secure DevOps. These DevOps security tools can be used in the development environment to identify vulnerabilities and security flaws in the early stages of application development.
Security testing has always been an important step in the application development process. Yet traditional measures often occur too late in the process to find and fix vulnerabilities before they cause costly production delays.
Securing code in a DevOps development environment requires managing the software supply chain, checking the security of common components and frameworks, adopting a framework to automate testing, and analysing vulnerabilities as early as possible.
There are two main parts to discuss: image scanning tools and runtime security tools. Part 1 discusses image scanning tools. There are many image scanning tools that help to detect image vulnerabilities, among them Trivy, Clair, Cilium, Dagda, Anchore Engine, Docker Bench, OpenSCAP, Notary, Aquasec and Blackduck.
1. Trivy
- Higher vulnerability detection accuracy (11101) than Clair.
- Trivy has a client/server mode.
- Collects all vulnerability information for Alpine Linux, saved in vuln-list.
- Easily scans images using the image name and version and gives us a standard output.
- Stand-alone tool that can scan very fast. This means it is very easy to use in CI/CD.
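As an added example (not code from the original article or from the Trivy project), here is a CI gate that consumes Trivy's JSON report and fails the build when fixable findings at or above a severity threshold are present. The report is constructed sample data with placeholder CVE ids; the `Results`, `Vulnerabilities`, `Severity` and `FixedVersion` field names follow Trivy's JSON output format, and the image name is assumed.

```python
import json
from collections import Counter

# Severity ranking used to compare findings against a threshold.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of a Trivy JSON report (trivy image -f json ...).
# Field names follow Trivy's output; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.18.0)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
              "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.0-r0", "FixedVersion": "",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
              "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
              "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
})

def findings_at_or_above(report_json, threshold="HIGH"):
    """Return the findings whose severity meets the threshold."""
    min_rank = SEVERITY_ORDER.index(threshold)
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results", []):
        # Trivy emits null instead of [] when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) >= min_rank:
                hits.append({**vuln, "Target": result["Target"]})
    return hits

def gate(report_json, threshold="HIGH", ignore_unfixed=True):
    """Decide whether the build passes; returns (passed, counts by severity)."""
    hits = findings_at_or_above(report_json, threshold)
    blocking = [v for v in hits if not ignore_unfixed or v.get("FixedVersion")]
    summary = Counter(v["Severity"] for v in blocking)
    return (len(blocking) == 0, dict(summary))

if __name__ == "__main__":
    passed, summary = gate(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL", summary)
    raise SystemExit(0 if passed else 1)
```

In a pipeline the report would come from `trivy image -f json -o report.json <image>`; the `ignore_unfixed` switch mirrors the behaviour of Trivy's own `--ignore-unfixed` flag for findings that have no fixed version yet.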
2. Clair
- Open-source scanner for container images; can be run inside the container to scan its own image.
- Lower vulnerability detection accuracy (6959) than Trivy.
- Clair uses the alpine-secdb database, which is not a complete database of all security issues.
- Analyses the image after applying all layers.
- Scanning is slow and difficult to use in CI/CD.
3. Cilium
- Cilium brings API-aware network security filtering to Linux container frameworks such as Docker and Kubernetes.
- Designed for scale: no node-to-node interactions required.
- Identity-based security: Cilium visibility and security policies are based on the container orchestrator identity.
4. Dagda
- Dagda is a tool to perform static analysis of known vulnerabilities in Docker images and containers.
- Dagda retrieves information about the software installed in your Docker images, such as the OS packages and the dependencies of the programming languages, and verifies for each product and its version
5. Anchore Engine
- The Anchore Engine is an open-source project that provides a centralized service for inspection and analysis of container images and applies user-defined acceptance policies to allow automated validation and certification of those images.
These are the main image scanning tools that can help to identify vulnerabilities in DevOps. Runtime security tools are discussed in Part 2, the next article.