The Rundown on Vulnerability Scanning

Pieter van Nordennen

Scanning for vulnerabilities is often the first action both software developers and their consumers take with a new container image. With software buyers around the world beginning to push for vulnerability-free software, reputation has become the ultimate currency for vendors. Poor results on a customer's vulnerability scan can lead to delays and a tougher proof of concept (POC) for vendors.

In this guide, we discuss some of the most common developer questions around scanning containers for vulnerabilities, and popular vulnerability scanners on the market today.

What is container vulnerability scanning?

Vulnerability scanning is the process of analyzing a container image to find known security weaknesses of varying severity. In practice a scanner inventories the packages installed in the image (OS packages and, in many tools, language dependencies) and records which installed versions match published vulnerabilities. Reviewing the results tells developers and security teams which findings to address, usually by upgrading the affected package to a fixed version or removing it from the image, so that the container is in better shape before it reaches production.

Scanners check that inventory against one or more vulnerability databases of known flaws: coding bugs, packaging anomalies, insecure default configurations, and other weaknesses an attacker could exploit to reach sensitive data. Publicly disclosed flaws are catalogued as CVEs (Common Vulnerabilities and Exposures), each with a unique identifier of the form CVE-YYYY-NNNN, and scanner results are keyed on those identifiers. The severity attached to a CVE, by contrast, comes from the data source a scanner uses (the NVD, a distribution's security tracker, or the tool's own feed), which is why two scanners can rate the same CVE differently.
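As an added illustration of the inventory-and-match step described above (example code written for this page, not Slim.AI, Trivy or Grype code), the following Python reproduces the core of an OS-package scanner. It reads installed Debian packages from a constructed fragment of a dpkg status file and checks each against a constructed advisory table whose CVE ids are placeholders, not real advisories. It goes one step beyond the text in showing why the comparison has to follow the package manager's version-ordering rules: a plain string comparison would miss the libc6 finding because "u7" sorts after "u10" as text.

```python
"""Core of an OS-package vulnerability scan: inventory, then match.

Added illustration for this page, not Slim.AI, Trivy or Grype code. The dpkg
status fragment and the advisory table are constructed, and the CVE ids are
placeholders. A package is affected when its installed version sorts before
the first fixed version under dpkg's ordering rules.
"""
import itertools
import re
from typing import Dict, List, Tuple

# Constructed fragment of /var/lib/dpkg/status (not from a real image).
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1n-0+deb11u4

Package: libc6
Status: install ok installed
Version: 2.31-13+deb11u7

Package: curl
Status: deinstall ok config-files
Version: 7.74.0-1.3+deb11u7

Package: zlib1g
Status: install ok installed
Version: 1:1.2.11.dfsg-2+deb11u2
"""

# Constructed advisory table: (package, placeholder CVE id, first fixed version, severity).
ADVISORIES = [
    ("openssl", "CVE-0000-0001", "1.1.1n-0+deb11u5", "High"),
    ("libc6", "CVE-0000-0002", "2.31-13+deb11u10", "Critical"),  # u10 > u7 in dpkg order, not in string order
    ("curl", "CVE-0000-0003", "7.74.0-1.3+deb11u8", "Medium"),  # curl is removed; only config files remain
    ("zlib1g", "CVE-0000-0004", "1:1.2.11.dfsg-2+deb11u2", "High"),  # installed == fixed: not affected
]

def parse_dpkg_status(text: str) -> Dict[str, str]:
    """Return {package: version} for packages whose Status field says they are installed."""
    installed = {}
    for paragraph in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in paragraph.splitlines() if ": " in line)
        # "deinstall ok config-files" means the package was removed; a scanner must skip it.
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed

def _char_order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' < end of string < letters < everything else."""
    if c == "":
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _compare_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string by alternating non-digit and digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in itertools.zip_longest(na, nb, fillvalue=""):
            if _char_order(ca) != _char_order(cb):
                return -1 if _char_order(ca) < _char_order(cb) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or "0") != int(db or "0"):
            return -1 if int(da or "0") < int(db or "0") else 1
    return 0

def _split_version(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' with dpkg's defaults (epoch 0, revision '0')."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def dpkg_compare(a: str, b: str) -> int:
    """-1, 0 or 1 like `dpkg --compare-versions`: epoch first, then upstream, then revision."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)

def scan(installed: Dict[str, str], advisories) -> List[Tuple[str, str, str, str, str]]:
    """Return (package, installed, cve, fixed_in, severity) for each advisory whose fix is newer than what is installed."""
    return [
        (pkg, installed[pkg], cve, fixed, sev)
        for pkg, cve, fixed, sev in advisories
        if pkg in installed and dpkg_compare(installed[pkg], fixed) < 0
    ]

if __name__ == "__main__":
    for pkg, ver, cve, fixed, sev in scan(parse_dpkg_status(DPKG_STATUS), ADVISORIES):
        print(f"{sev:<9}{cve}  {pkg} {ver} -> fixed in {fixed}")
```

Run as a script it prints the two genuine findings (openssl and libc6) and nothing for curl, which is no longer installed, or zlib1g, which is already at the fixed version. Real scanners do the same walk over rpm and apk databases and over language lockfiles, each with its own version-ordering rules.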

Do all vulnerability scanners find the same results? How does Slim.AI leverage vulnerability scanning?

It's common for one vulnerability scanner to find CVEs that another has missed. That's why Slim.AI aggregates results from two best-in-class open source scanners, Grype and Trivy, and reports container vulnerabilities by scanner and risk level. Combining sources increases coverage: a CVE missing from one tool's database is less likely to be missing from both, and agreement between the two gives more confidence in a finding.

Vulnerability scanning with Trivy and Grype is available within the Slim.AI platform and complements container hardening: the platform first scans your containers to show which vulnerabilities exist, how many there are and how severe, and which image layers introduce them. Once you have this picture of the container's current security posture, the platform can automatically harden the container and rescan it to measure how many vulnerabilities were removed. The result of this automated process is typically a much smaller, faster and more secure container that is better suited for shipping to production.

Slim.AI selected Trivy and Grype because both are popular, well-maintained open source tools used widely across the container ecosystem, and because two independent results give a richer data set to compare findings against and to check the accuracy of each. Both tools also draw on multiple upstream vulnerability feeds (distribution security trackers, the NVD and language-ecosystem advisory databases), and the quality of those data sources is ultimately what the quality of a scanner's results rests on.

On the platform, you can compare the two scanners' results side by side in the vulnerability report generated for a container image. In the vulnerability overview for the latest version of the public Node image, the two scanners differ slightly both in the number of vulnerabilities found and in the risk level assigned to individual vulnerabilities, as shown in the screenshot below:

Drilling into a single CVE shows a summary of its origin and which packages in the Node image it occurs in. Trivy and Grype assigned it different risk scores; each tool derives its rating from a different set of upstream sources, so a disagreement like this is common and is not by itself a sign that one scanner is wrong.

You can learn more about the full scope of the vulnerability scanning features, and how to use them, in our documentation on Vulnerability Scanning.

End to End Container Security

Most scanners work in broadly the same way: they read package manager metadata (dpkg, apk or rpm databases, language lockfiles) to inventory what is installed and compare those versions against known vulnerability databases. That method has known gaps. Software copied into the image outside a package manager, statically linked or vendored code, and binaries built from source are invisible to it, while packages that are present but never executed by the container generate findings that cost triage time without reducing real risk. The Slim.AI team is building additional scanning capabilities to close these gaps and integrate robust container security into developer workflows. Increasing visibility into what is actually happening inside your container, including containers running in production, lets you validate them against known data sources and extend security coverage.

Once development teams have deeper context about the contents of their containers, the natural next step is to remove the packages that put your organization and systems at risk. Hardening containers minimizes attack surface and reduces operational complexity while improving performance. We take care of vulnerability remediation and container size reduction automatically so you can ship more secure, lightweight containers.

How do I fix vulnerabilities after receiving a vulnerability report?

If you plan to fix container vulnerabilities manually (which we don't recommend!), prioritize by risk level and work through Critical, High, Medium and Low CVEs in that order. Within each level, start with findings for which the scanner reports a fixed version, since those can be closed by upgrading the package; findings with no fix available can only be addressed by removing the package or mitigating the exposure elsewhere. A much more efficient solution is to harden your containers using the Slim Developer Portal, which automatically removes most, if not all, vulnerabilities as part of the slimming and hardening process.
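The aggregation of Trivy and Grype results described earlier, the severity disagreements between them, and the remediation ordering above can be shown together in one added example (code written for this page, not Slim.AI platform code). The two inputs are constructed to mirror the fields of `trivy image -f json` and `grype -o json` output that the script reads, a simplification of the real schemas based on the author's understanding of them; they are not real scan results, and the CVE ids are placeholders. Findings are keyed on (CVE, package) so the same flaw reported by both tools becomes one row, the stricter severity wins for triage, and the list comes out in manual-fix order: by severity, fixable packages first.

```python
"""Merge Trivy and Grype JSON reports into one prioritized triage list.

Added illustration for this page, not Slim.AI platform code. The two inputs
are constructed to mirror the fields of `trivy image -f json` and
`grype -o json` output that this script reads (a simplification of the real
schemas); they are not real scan results and the CVE ids are placeholders.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

TRIVY_JSON = json.dumps({  # constructed, Trivy-shaped
    "ArtifactName": "example/app:1.0",
    "Results": [{"Target": "example/app:1.0 (debian 11.8)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "1.1.1n-0+deb11u4",
         "FixedVersion": "1.1.1n-0+deb11u5", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "InstalledVersion": "2.31-13+deb11u7",
         "FixedVersion": "", "Severity": "MEDIUM"},  # Trivy leaves FixedVersion empty when no fix exists
    ]}],
})

GRYPE_JSON = json.dumps({  # constructed, Grype-shaped
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Medium",
                           "fix": {"versions": ["1.1.1n-0+deb11u5"], "state": "fixed"}},
         "artifact": {"name": "openssl", "version": "1.1.1n-0+deb11u4"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libc6", "version": "2.31-13+deb11u7"}},
    ],
})

# Both tools use these level names (Trivy upper-cases them); rank them on one scale for sorting.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0, "unknown": 0}

Row = Tuple[str, str, str, Optional[str], str]  # (cve, package, installed, fixed_in, severity)

@dataclass
class MergedFinding:
    cve: str
    package: str
    installed: str
    fixed_in: Optional[str]  # None when neither scanner knows a fixed version
    severities: Dict[str, str] = field(default_factory=dict)  # scanner name -> severity as reported

    @property
    def severity(self) -> str:
        """Stricter of the reported ratings; the two tools often disagree on the same CVE."""
        return max(self.severities.values(), key=lambda s: SEVERITY_RANK.get(s.lower(), 0))

def parse_trivy(text: str) -> Iterable[Row]:
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                   v.get("FixedVersion") or None, v["Severity"])

def parse_grype(text: str) -> Iterable[Row]:
    for m in json.loads(text)["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        fixes = vuln.get("fix", {}).get("versions") or []
        yield (vuln["id"], art["name"], art["version"], fixes[0] if fixes else None, vuln["severity"])

def merge(reports: Dict[str, Iterable[Row]]) -> List[MergedFinding]:
    """Key on (CVE, package) so a flaw reported by both scanners becomes a single finding."""
    merged: Dict[Tuple[str, str], MergedFinding] = {}
    for scanner, rows in reports.items():
        for cve, pkg, installed, fixed, sev in rows:
            f = merged.setdefault((cve, pkg), MergedFinding(cve, pkg, installed, fixed))
            f.fixed_in = f.fixed_in or fixed
            f.severities[scanner] = sev
    return list(merged.values())

def prioritize(findings: List[MergedFinding]) -> List[MergedFinding]:
    """Manual-fix order: highest severity first; within a level, fixable packages before unfixable ones."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f.severity.lower(), 0), f.fixed_in is None, f.cve))

def triage(trivy_json: str, grype_json: str) -> List[MergedFinding]:
    return prioritize(merge({"trivy": parse_trivy(trivy_json), "grype": parse_grype(grype_json)}))

if __name__ == "__main__":
    for f in triage(TRIVY_JSON, GRYPE_JSON):
        print(f"{f.severity:<9}{f.cve}  {f.package} {f.installed}  fix={f.fixed_in or 'none'}  "
              f"found_by={'+'.join(sorted(f.severities))}  reported={f.severities}")
```

On the constructed inputs the script produces three rows: the Critical libc6 finding that only Grype reported, then the openssl finding that both reported (Trivy as HIGH, Grype as Medium, triaged at HIGH with a fix available), and last the unfixable MEDIUM libc6 finding from Trivy alone. Keeping each scanner's own rating in `severities` rather than discarding it preserves the disagreement for a human reviewer instead of hiding it.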

Embarking on a New Journey

Farewell, Slim — Transitioning to a new and larger mission!

We're excited to share some big news from Slim.AI. We're taking a bold new direction, focusing all our energy on software supply chain security, now under our new name root.io. To meet this opportunity head-on, we’re building a solution focused on transparency, trust, and collaboration between software producers and consumers.

When we started Slim.AI, our goal was to help developers make secure containers. But as we dug deeper with our early adopters and key customers, we realized a bigger challenge exists within software supply chain security ​​— namely, fostering collaboration and transparency between software producers and consumers. The positive feedback and strong demand we've seen from our early customers made it crystal clear: This is where we need to focus.

This new opportunity demands a company and brand that meet the moment. To that end, we’re momentarily stepping back into stealth mode, only to emerge with a vibrant new identity, and a groundbreaking product very soon at root.io. Over the next few months, we'll be laser-focused on working with design partners and building up the product, making sure we're right on the mark with what our customers need.

Stay informed and up-to-date with our latest developments at root.io. Discover the details about the end of life for Slim services, effective March 31, 2024, by clicking here.