
Scanning

Scanning identifies security and compliance issues by performing analysis on static artifacts. These issues can include aspects like software license compliance on third-party dependencies, software component vulnerabilities, misconfigurations, and/or credentials baked into source code.

Scanning is a stand-alone capability but can also contribute to enabling the Software Composition Analysis capability.

Characteristics

Security

Scanning can be used to identify the following types of security issues:

  • Vulnerabilities - identify known Common Vulnerabilities and Exposures (CVEs) in software components
  • Credential - detect embedded secrets, passwords, and/or credentials in code, or secrets output to logs
  • Code - identify susceptibility to attacks like SQL injection, cross-site scripting, and remote code execution
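The following is an added example, not code from the page or from any scanning product it refers to. It shows the shape of the second and third categories above as a small static scanner: a constructed set of regular-expression rules for embedded credentials and for injection-prone code patterns, run line by line over a constructed sample source file. The rule names, the four patterns, and the sample module are assumptions made for illustration; real scanners carry hundreds of rules, but the scan-and-summarize loop is the same.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str   # "credential" or "code"
    rule: str
    text: str


# Constructed rule set (an assumption for this example, not a standard):
# two credential patterns and two code-pattern rules.
CREDENTIAL_RULES: Dict[str, re.Pattern] = {
    # a variable named like a secret assigned a quoted literal
    "hardcoded-password": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*["'][^"']{4,}["']"""),
    # the 20-character access-key-id format used by AWS (prefix AKIA)
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
CODE_RULES: Dict[str, re.Pattern] = {
    # SQL keyword followed by string concatenation with a variable: injection-prone
    "sql-string-concat": re.compile(
        r"""(?i)\b(select|insert|update|delete)\b[^;\n]*["']\s*\+\s*\w+"""),
    # dynamic evaluation of data as code
    "dynamic-exec": re.compile(r"\b(eval|exec)\s*\("),
}


def scan_source(source: str) -> List[Finding]:
    """Run every rule over every line of the artifact; return findings in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, rules in (("credential", CREDENTIAL_RULES), ("code", CODE_RULES)):
            for rule, pattern in rules.items():
                if pattern.search(line):
                    findings.append(Finding(line_no, category, rule, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category; these are the numbers a pipeline gate acts on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample artifact: a small Python module with deliberate defects
# (the access key is a documentation-style placeholder, not a live credential).
SAMPLE_SOURCE = """\
import sqlite3

DB_PASSWORD = "hunter2-not-a-real-secret"
AWS_ACCESS = "AKIAIOSFODNN7EXAMPLE"
def find_user(conn, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query)
def run(cmd):
    return eval(cmd)
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>2} [{f.category}/{f.rule}] {f.text}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

Running the module reports two credential findings (lines 3 and 4 of the sample) and two code findings (lines 6 and 9); `conn.execute(...)` on line 7 is correctly not matched by the `dynamic-exec` rule, because the pattern requires an opening parenthesis directly after `eval` or `exec`.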

Compliance

Scanning can be used to identify the following types of compliance issues:

  • License - identify potential compliance issues or organization policy violations surrounding third-party and open-source software components
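As an added example (not the page's own code and not any organization's real policy), the check below evaluates a constructed dependency inventory against a constructed license policy. The allowed and denied sets, the SPDX-style identifiers they contain, and the fictional component names are assumptions; the example goes slightly beyond a flat allow list by handling the composite `OR` and `AND` expressions that appear in real package metadata, and by treating an undeclared license as a finding rather than silently passing it.

```python
from typing import Dict, List, Tuple

# Constructed policy (an assumption for this example): permissive licenses are
# allowed outright, strong copyleft is denied, anything else needs review.
# Identifiers are SPDX short names.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
DENIED = {"GPL-3.0-only", "AGPL-3.0-only"}
UNDECLARED = {"", "UNKNOWN", "NOASSERTION"}


def evaluate_license(expression: str) -> Tuple[bool, str]:
    """Return (compliant, reason) for an SPDX-style license expression.

    'A OR B' passes if either side passes; 'A AND B' only if both do.
    Parenthesised nesting is not supported in this small example.
    """
    expr = expression.strip()
    if expr.upper() in UNDECLARED:
        return False, "license not declared"
    if " AND " in expr:
        results = [evaluate_license(p) for p in expr.split(" AND ")]
        failed = [reason for ok, reason in results if not ok]
        if failed:
            return False, "conjunct failed: " + failed[0]
        return True, "all conjuncts allowed"
    if " OR " in expr:
        results = [evaluate_license(p) for p in expr.split(" OR ")]
        if any(ok for ok, _ in results):
            return True, "at least one alternative allowed"
        return False, "no alternative allowed"
    if expr in DENIED:
        return False, "license denied by policy"
    if expr in ALLOWED:
        return True, "license allowed"
    return False, "license not on allow list, needs review"


def check_inventory(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, license, reason) for every non-compliant entry."""
    violations: List[Tuple[str, str, str]] = []
    for component in inventory:
        declared = component.get("license", "")
        ok, reason = evaluate_license(declared)
        if not ok:
            violations.append((component["name"], declared, reason))
    return violations


# Constructed dependency inventory (fictional components), the kind of list a
# package-lock or SBOM scan produces.
SAMPLE_INVENTORY = [
    {"name": "example-http", "version": "2.0.1", "license": "Apache-2.0"},
    {"name": "example-copyleft", "version": "0.4.0", "license": "GPL-3.0-only"},
    {"name": "example-dual", "version": "1.4.2", "license": "MIT OR GPL-3.0-only"},
    {"name": "example-unknown", "version": "3.0.0", "license": "UNKNOWN"},
    {"name": "example-combo", "version": "2.0.0", "license": "MIT AND AGPL-3.0-only"},
]


if __name__ == "__main__":
    for name, declared, reason in check_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {declared!r}: {reason}")
```

Three of the five components are reported: the GPL-only one, the one with no declared license, and the `MIT AND AGPL-3.0-only` combination, where the copyleft conjunct fails. The dual-licensed `MIT OR GPL-3.0-only` component passes because the organization may choose the MIT terms.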

Examples

Vulnerabilities

Learn More