Scanning for vulnerabilities is often the first action both software developers and their customers take with a new container image. With software buyers around the world beginning to demand vulnerability-free software, reputation has become the ultimate currency for vendors: poor results on a customer's vulnerability scan can delay a deal and make a vendor's proof of concept (POC) much harder.
In this guide, we discuss some of the most common developer questions around scanning containers for vulnerabilities, and popular vulnerability scanners on the market today.
Vulnerability scanning is the process of analyzing the software inside a container image to surface known security weaknesses of varying severity. It lets developers and security teams see which package versions in their images could lead to a security compromise. After reviewing scanner results, teams decide which vulnerabilities to address, usually by upgrading or removing packages, in order to improve the security of their containers in production.
Vulnerability scanners reference a database to find known flaws, coding bugs, package construction anomalies, insecure default configurations, and potential paths to sensitive data that attackers could exploit. Publicly disclosed security flaws are catalogued as CVEs, an acronym for "Common Vulnerabilities and Exposures", each with its own identifier.
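The matching step described above, reduced to its essentials as an added example (not Slim.AI, Trivy or Grype code): a package inventory extracted from an image is compared, version by version, against an advisory database. The inventory, the database entries and the CVE-0000-* identifiers are constructed placeholders, and the version comparison is deliberately simple.

```python
"""Minimal illustration of the matching step a vulnerability scanner performs:
take the package inventory extracted from an image and compare each installed
version against a database of advisories. Added example, not Slim.AI, Trivy or
Grype code. The inventory, the database and the CVE-0000-* identifiers are
constructed placeholders."""
from dataclasses import dataclass
from typing import Optional


def parse_version(version: str) -> tuple:
    """Dotted-integer versions only ("1.2.3"); real scanners implement
    ecosystem-specific comparison (dpkg, rpm, semver, ...)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str              # placeholder id, not a real CVE
    package: str
    fixed_in: Optional[str]  # first non-vulnerable version; None means no fix yet
    severity: str


# Constructed inventory, as a scanner would read it from package-manager
# metadata inside the image (dpkg status file, apk db, npm lock file, ...).
IMAGE_PACKAGES = {
    "openssl": "1.1.0",
    "zlib": "1.2.13",
    "curl": "7.80.0",
}

# Constructed advisory database with placeholder identifiers.
VULN_DB = [
    Advisory("CVE-0000-0001", "openssl", "1.1.1", "High"),
    Advisory("CVE-0000-0002", "zlib", "1.2.12", "Critical"),   # already fixed in 1.2.13
    Advisory("CVE-0000-0003", "curl", None, "Medium"),          # no fixed version yet
    Advisory("CVE-0000-0004", "libxml2", "2.9.0", "High"),      # not in this image
]


def is_affected(installed: str, advisory: Advisory) -> bool:
    """A package is affected when no fix exists or it is older than the fix."""
    if advisory.fixed_in is None:
        return True
    return parse_version(installed) < parse_version(advisory.fixed_in)


def scan(packages: dict, database: list) -> list:
    """Return one finding per advisory that applies to an installed package."""
    findings = []
    for advisory in database:
        installed = packages.get(advisory.package)
        if installed is None:
            # Anything outside the inventory (for example a binary copied into
            # the image without a package manager) is invisible to this step.
            continue
        if is_affected(installed, advisory):
            findings.append({
                "cve": advisory.cve_id,
                "package": advisory.package,
                "installed": installed,
                "fixed_in": advisory.fixed_in,
                "severity": advisory.severity,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(IMAGE_PACKAGES, VULN_DB):
        print(finding)
```

Running it reports the openssl and curl advisories and skips zlib (already at a fixed version) and libxml2 (not installed). The `continue` branch is where the coverage gap of inventory-based scanning lives: a scanner can only match what it can see in the image's package metadata.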
It’s common for one vulnerability scanner to find CVEs that another has missed. That’s why Slim.AI aggregates results from two best-in-class open source scanners, Grype and Trivy, to produce a complete list of container vulnerabilities by scanner and risk level. Incorporating multiple sources of truth in our container analyses increases the precision of your results.
Vulnerability scanning with Trivy and Grype is available within the Slim.AI platform and complements container hardening: the platform first scans your containers to show which vulnerabilities exist, how often they occur, how severe they are, and which container layers they live in. Once the detailed vulnerability reports are generated and you have a clearer picture of your container's current security posture, the platform can automatically harden your containers and then assess how many vulnerabilities were removed. The end result of this automated process is typically a much smaller, faster and more secure container that is better suited for shipping to production.
Slim.AI selected Trivy and Grype for vulnerability scanning because both are popular, well-maintained open source tools widely used across the container ecosystem, and because running both yields a richer data set against which to compare vulnerabilities and findings, improving the accuracy of the scanning results. Because both tools are so widely deployed, they have higher accuracy rates and are backed by better-quality data sources.
On the platform, you can take a closer look at the differences between the scanner results when viewing the vulnerability reports generated from a container image. In the vulnerability overview of the latest version of the public Node container image, there are slight differences in both the number of vulnerabilities and the risk level per vulnerability, as shown below:
Drilling into a single CVE shows a summary of its origin and of which packages in the Node container it affects. Trivy and Grype assigned different risk scores to the same CVE, each derived from its own sources.
You can learn more about the full scope of the vulnerability scanning features, and how to use them, in our documentation on Vulnerability Scanning.
While most scanners work in similar ways (inventorying packages from package-manager metadata and comparing their versions against known vulnerability databases), this method still has known gaps. The Slim.AI team is hard at work behind the scenes to integrate robust container security into developer workflows by building additional scanning capabilities. By increasing visibility into what is actually happening inside your containers, including those running in production, you can validate them against known data sources and gain broader security coverage.
Once development teams have deeper context about the contents of their containers, the natural next step is to remove the packages and existing threats that put your organization and systems at risk. Hardening containers minimizes your attack surface and reduces operational complexity while improving overall performance. We take care of vulnerability remediation and container size reduction automatically, so your systems ship smaller, more secure containers.
If you plan to fix container vulnerabilities manually (which we don't recommend!), prioritize by risk level and remove Critical, High, Medium and Low CVEs in that order. A much more efficient solution is to harden your containers using the Slim Developer Portal, which automatically removes most, if not all, vulnerabilities as part of the slimming and hardening process.
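Two points on this page, that Trivy and Grype can report different findings and different severities for the same image, and that manual remediation should be ordered Critical, High, Medium, Low, can be worked through in one script. The following is an added example (not Slim.AI platform code) that merges the JSON reports of both scanners into one list keyed by CVE, package and version, records each scanner's severity, flags disagreements, and sorts the result worst-first. The two reports are constructed and heavily trimmed; the field names follow the scanners' JSON layouts (Grype `matches[].vulnerability` / `artifact`, Trivy `Results[].Vulnerabilities[]`), and the CVE-0000-* identifiers are placeholders.

```python
"""Merge the JSON reports of two scanners into one list, flag findings where
they disagree on severity, and order the list Critical > High > Medium > Low.
Added example, not Slim.AI platform code. The two reports are constructed and
trimmed; field names follow Grype's and Trivy's JSON layouts and the
CVE-0000-* identifiers are placeholders."""
import json

# Lower rank sorts first. Grype reports title-case severities, Trivy upper-case,
# so everything is normalised to upper-case before lookup.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3,
                 "NEGLIGIBLE": 4, "UNKNOWN": 5}

# Constructed Grype report (placeholder identifiers).
GRYPE_JSON = """{
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
     "artifact": {"name": "openssl", "version": "1.1.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
     "artifact": {"name": "zlib", "version": "1.2.11"}}
  ]
}"""

# Constructed Trivy report (placeholder identifiers).
TRIVY_JSON = """{
  "Results": [
    {"Target": "example-image (debian)",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
        "InstalledVersion": "1.1.0", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
        "InstalledVersion": "7.80.0", "Severity": "LOW"}
     ]}
  ]
}"""


def grype_findings(report: dict):
    """Yield (cve, package, version, severity) tuples from a Grype report."""
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        yield (vuln["id"], artifact["name"], artifact["version"],
               vuln["severity"].upper())


def trivy_findings(report: dict):
    """Yield (cve, package, version, severity) tuples from a Trivy report."""
    for result in report.get("Results", []):
        # The key may be absent or null for a target with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            yield (vuln["VulnerabilityID"], vuln["PkgName"],
                   vuln["InstalledVersion"], vuln["Severity"].upper())


def merge_reports(grype_json: str, trivy_json: str) -> list:
    """Union the findings of both scanners keyed by (cve, package, version).
    Each row records every scanner's severity, the worst of them and whether
    the scanners disagreed; rows come back sorted worst-first."""
    sources = (("grype", grype_findings(json.loads(grype_json))),
               ("trivy", trivy_findings(json.loads(trivy_json))))
    merged = {}
    for scanner, findings in sources:
        for cve, package, version, severity in findings:
            row = merged.setdefault((cve, package, version), {
                "cve": cve, "package": package, "version": version,
                "severity_by_scanner": {}})
            row["severity_by_scanner"][scanner] = severity
    rows = []
    for row in merged.values():
        severities = row["severity_by_scanner"]
        row["worst"] = min(severities.values(),
                           key=lambda s: SEVERITY_RANK.get(s, 99))
        row["scanners"] = sorted(severities)
        row["disagree"] = len(set(severities.values())) > 1
        rows.append(row)
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["worst"], 99), r["cve"]))
    return rows


def sample_merge() -> list:
    """Merge the two constructed reports above."""
    return merge_reports(GRYPE_JSON, TRIVY_JSON)


if __name__ == "__main__":
    for row in sample_merge():
        flag = " (scanners disagree)" if row["disagree"] else ""
        print(f'{row["worst"]:<9} {row["cve"]} {row["package"]} '
              f'{row["version"]} found by {",".join(row["scanners"])}{flag}')
```

On the constructed input the merged list has three rows: the openssl CVE first (both scanners found it, Grype says High and Trivy says Critical, so it is ranked Critical and flagged), then the zlib CVE that only Grype reported, then the curl CVE that only Trivy reported. Taking the worse of two severities is a conservative choice for a remediation queue; when one scanner misses a finding entirely, the union keeps it.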