Scanning
Scanning identifies security and compliance issues by analyzing static artifacts (source code, third-party dependencies, configuration, and built images) rather than running the software. The issues it surfaces include software license compliance of third-party dependencies, known vulnerabilities in software components, misconfigurations, and credentials baked into source code.
Scanning is a stand-alone capability, but its output (component inventories, vulnerability and license findings) also feeds the Software Composition Analysis capability.
Characteristics
Security
Scanning can be used to identify the following types of security issues:
- Vulnerabilities - identify known Common Vulnerabilities and Exposures (CVEs) in software components by matching component names and versions against a vulnerability database
- Credential - detect embedded secrets, passwords, keys, and/or credentials in code and configuration, or secrets written to logs
- Code - identify code patterns susceptible to attacks like SQL injection, cross-site scripting, and remote code execution (static application security testing)
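As an added example of the Credential category above (this is illustration code, not tooling from the page or the project it describes), the scanner below runs a few pattern rules plus a Shannon-entropy check over constructed source lines and log lines. The rule names, thresholds, allowlist, file names, and all sample lines are assumptions made for the example; only the `AKIA` prefix of AWS access key IDs is a real-world detail.

```python
import math
import re
from dataclasses import dataclass

# Added example, not from the page: a minimal static secret scanner.
# Rules, thresholds and sample inputs are constructed for illustration.


@dataclass(frozen=True)
class Finding:
    source: str    # file name or log stream (constructed)
    line_no: int
    rule: str
    excerpt: str   # redacted match; the scanner never reports the full secret


# Pattern rules: (rule name, regex). Group 1 is the candidate secret.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("generic-password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]")),
    ("private-key-block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
]

# Values that look like credentials but are placeholders, not secrets.
ALLOWLIST = {"changeme", "<password>", "example", "xxxxxxxx"}

# Entropy rule: long quoted tokens of key-like characters with high entropy.
ENTROPY_RULE = "high-entropy-string"
ENTROPY_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune per codebase


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it, never the whole value."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_lines(source: str, lines) -> list[Finding]:
    findings: list[Finding] = []
    for no, line in enumerate(lines, start=1):
        seen: set[str] = set()  # avoid reporting one token under two rules
        for name, rx in PATTERN_RULES:
            for m in rx.finditer(line):
                cand = m.group(1)
                if cand.strip().lower() in ALLOWLIST:
                    continue
                seen.add(cand)
                findings.append(Finding(source, no, name, redact(cand)))
        for m in ENTROPY_TOKEN.finditer(line):
            cand = m.group(1)
            if cand in seen or shannon_entropy(cand) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(source, no, ENTROPY_RULE, redact(cand)))
    return findings


# Constructed sample artifacts: a config file and a log stream.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',  # key-shaped token: finding
    'db_password = "changeme"',                    # allowlisted placeholder
    'db_password = "s3cr3t-Pr0d-P@ss"',            # real-looking password: finding
    'token = "${API_TOKEN}"',                      # injected at runtime: clean
]
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO  starting worker",
    '2024-05-01T10:00:01Z DEBUG auth header: Bearer "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV"',
]


def scan_sample() -> list[Finding]:
    return scan_lines("app/config.py", SAMPLE_SOURCE) + scan_lines("worker.log", SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.excerpt}")
```

The sample run reports the access key and the real-looking password from the config file and the bearer token from the debug log, while the `changeme` placeholder and the `${API_TOKEN}` reference are left alone. The allowlist and the entropy threshold are where most of the tuning effort goes in practice: too low a threshold floods the build with hashes and UUIDs, too high misses short secrets that only the pattern rules can catch.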
Compliance
Scanning can be used to identify the following types of compliance issues:
- License - identify third-party and open-source components whose licenses conflict with organizational policy or create compliance obligations (for example, copyleft terms that affect how the product may be distributed)
Examples
Vulnerabilities
- The "Improve release artifact and workload integrity in Kubernetes via a secure software supply chain" solution includes multiple examples of vulnerability scanning. The source code and base image are scanned within the build system, so a build with known vulnerabilities can be blocked before it produces an artifact. The final image is also scanned on a recurring basis within the artifact registry, because vulnerabilities are published after an image is built and an image that passed at build time can become vulnerable without changing.
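The build-time gate and the recurring registry rescan from the example above, as an added illustration (not code from the solution the page cites): a component inventory from an image is matched against an advisory feed by version range, and a gate blocks promotion at or above a severity threshold. The component names, versions, advisory identifiers (`ADV-000x`, not real CVEs), ranges and severities are all constructed for the example; version comparison is plain dotted-numeric, which is an assumption real scanners replace with ecosystem-specific rules.

```python
from dataclasses import dataclass

# Added example, not from the page: version-range vulnerability matching
# and a severity gate, run once with the advisory feed as of build time and
# once with a feed that gained an advisory after the build. All data is
# constructed; ADV-* identifiers are placeholders, not real advisories.

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    id: str           # constructed identifier
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    severity: str


@dataclass(frozen=True)
class Match:
    advisory_id: str
    component: Component
    severity: str


def parse_version(v: str) -> tuple[int, ...]:
    # Assumption: plain dotted numeric versions. Real scanners need
    # ecosystem rules (semver pre-releases, Debian epochs, RPM releases).
    return tuple(int(p) for p in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan(components, advisories) -> list[Match]:
    return [Match(a.id, c, a.severity)
            for c in components for a in advisories if is_affected(c, a)]


def gate(matches, fail_on: str = "HIGH") -> bool:
    """True if the artifact may be promoted: nothing at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[m.severity] < threshold for m in matches)


# Constructed inventory of one image (what an SBOM or image scan yields).
IMAGE_COMPONENTS = [
    Component("libexample", "1.4.2"),
    Component("jsonparse", "2.0.0"),
    Component("tlsutil", "0.9.8"),
]

# Advisory feed as known at build time.
ADVISORIES_AT_BUILD = [
    Advisory("ADV-0001", "libexample", "1.0.0", "1.4.0", "CRITICAL"),  # fixed before 1.4.2
    Advisory("ADV-0002", "jsonparse", "2.0.0", "2.0.3", "MEDIUM"),
]

# The same feed after a new advisory is published; the image did not change.
ADVISORIES_LATER = ADVISORIES_AT_BUILD + [
    Advisory("ADV-0003", "tlsutil", "0.9.0", "0.9.9", "HIGH"),
]


def build_time_result() -> tuple[list[str], bool]:
    m = scan(IMAGE_COMPONENTS, ADVISORIES_AT_BUILD)
    return [x.advisory_id for x in m], gate(m)


def registry_rescan_result() -> tuple[list[str], bool]:
    m = scan(IMAGE_COMPONENTS, ADVISORIES_LATER)
    return [x.advisory_id for x in m], gate(m)


if __name__ == "__main__":
    print("build-time scan:", build_time_result())      # (['ADV-0002'], True)
    print("registry rescan:", registry_rescan_result())  # (['ADV-0002', 'ADV-0003'], False)
```

At build time only the MEDIUM finding matches, so the gate lets the image through; the later rescan of the unchanged image picks up the new HIGH advisory and fails it, which is the reason the registry scan has to be recurring rather than a one-time check at push.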