Review Container Security findings
After you complete a Veracode Container Security scan, your results appear in your command window. If you include the -o flag, the results appear in a new file. Scan results include the following categories of findings:
- Known vulnerabilities: vulnerabilities known in the Grype database.
- Configuration issues in infrastructure as code (IaC) files: misconfigurations in IaC files, such as Dockerfiles, Kubernetes manifests, and Terraform files.
- Exposed secrets: insecurely storing, using, and managing secrets, including credentials and cryptographic keys.
- Docker CIS Benchmark violations: violations of the guidelines defined in the CIS Docker Benchmarks.
- Insecure file permissions: insecure permissions using setuid and setgid.
Using the --format flag, you can specify the output format of the scan results, such as JSON, CycloneDX, or a table. For more details about the supported output formats.
Policy evaluations
Veracode Container Security performs a basic policy evaluation against the findings. If the scan identifies any of the following findings, it returns "policy-passed": false.
- Known vulnerabilities, configuration issues in infrastructure as code (IaC) files, or exposed secrets with a very high or high severity.
- Any Docker CIS Benchmark violation.
- Any insecure file permissions.
If none of those findings are present, the scan returns "policy-passed": true.
Vulnerability data sources
Veracode Container Security uses several data sources when reporting vulnerability findings, including:
- Alpine Linux SecDB
- Amazon Linux ALAS
- Debian Linux Bug Tracker
- GitHub GHSAs
- National Vulnerability Database (NVD)
- Oracle Linux OVAL
- Red Hat Linux Security Data
- Red Hat RHSAs: Security Data
- SUSE Linux OVAL
- Ubuntu Linux Security
In some cases, the severity that Veracode reports for a CVE differs from the severity from the NVD. When a more specific source, such as a base image vulnerability database, provides a severity for a CVE, that more specific source takes precedence.
Example JSON findings
This sample output is the result of a scan request in readable JSON format:
./veracode scan --source alpine:latest --type image -f json
{
"vulnerabilities": {
"descriptor": {
"configuration": "",
"db": {
"built": "2023-01-23T08:17:51Z",
"checksum": "sha256:45441cfa64a877caea9c231a17c508f7d43cae415dce7103f2ba236a35e466f7",
"error": null,
"location": "5",
"schemaVersion": 5
},
"name": "grype",
"version": "[not provided]"
},
"distro": {
"idLike": [],
"name": "alpine",
"version": "3.17.0"
},
"matches": [
{
"artifact": {
"cpes": [
"cpe:2.3:a:libcrypto3:libcrypto3:3.0.7-r0:*:*:*:*:*:*:*"
],
"language": "",
"licenses": [
"Apache-2.0"
],
"locations": [
{
"layerID": "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834",
"path": "/lib/apk/db/installed"
}
],
"name": "libcrypto3",
"purl": "pkg:alpine/[email protected]?arch=aarch64\u0026upstream=openssl\u0026distro=alpine-3.17.0",
"type": "apk",
"upstreams": [
{
"name": "openssl"
}
],
"version": "3.0.7-r0"
},
"matchDetails": [
{
"found": {
"versionConstraint": "\u003c 3.0.7-r2 (apk)"
},
"matcher": "apk-matcher",
"searchedBy": {
"distro": {
"type": "alpine",
"version": "3.17.0"
},
"namespace": "alpine:distro:alpine:3.17",
"package": {
"name": "openssl",
"version": "3.0.7-r0"
}
},
"type": "exact-indirect-match"
}
],
"relatedVulnerabilities": [
{
"cvss": [
{
"metrics": {
"baseScore": 7.5,
"exploitabilityScore": 3.9,
"impactScore": 3.6
},
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"vendorMetadata": {},
"version": "3.1"
}
],
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996",
"description": "If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.",
"id": "CVE-2022-3996",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7",
"https://www.openssl.org/news/secadv/20221213.txt"
]
}
],
"vulnerability": {
"advisories": [],
"cvss": [],
"dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996",
"fix": {
"state": "fixed",
"versions": [
"3.0.7-r2"
]
},
"id": "CVE-2022-3996",
"namespace": "alpine:distro:alpine:3.17",
"severity": "High",
"urls": [
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996"
]
}
},
{
"artifact": {
"cpes": [
"cpe:2.3:a:libssl3:libssl3:3.0.7-r0:*:*:*:*:*:*:*"
],
"language": "",
"licenses": [
"Apache-2.0"
],
"locations": [
{
"layerID": "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834",
"path": "/lib/apk/db/installed"
}
],
"name": "libssl3",
"purl": "pkg:alpine/[email protected]?arch=aarch64\u0026upstream=openssl\u0026distro=alpine-3.17.0",
"type": "apk",
"upstreams": [
{
"name": "openssl"
}
],
"version": "3.0.7-r0"
},
"matchDetails": [
{
"found": {
"versionConstraint": "\u003c 3.0.7-r2 (apk)"
},
"matcher": "apk-matcher",
"searchedBy": {
"distro": {
"type": "alpine",
"version": "3.17.0"
},
"namespace": "alpine:distro:alpine:3.17",
"package": {
"name": "openssl",
"version": "3.0.7-r0"
}
},
"type": "exact-indirect-match"
}
],
"relatedVulnerabilities": [
{
"cvss": [
{
"metrics": {
"baseScore": 7.5,
"exploitabilityScore": 3.9,
"impactScore": 3.6
},
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"vendorMetadata": {},
"version": "3.1"
}
],
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996",
"description": "If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.",
"id": "CVE-2022-3996",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7",
"https://www.openssl.org/news/secadv/20221213.txt"
]
}
],
"vulnerability": {
"advisories": [],
"cvss": [],
"dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996",
"fix": {
"state": "fixed",
"versions": [
"3.0.7-r2"
]
},
"id": "CVE-2022-3996",
"namespace": "alpine:distro:alpine:3.17",
"severity": "High",
"urls": [
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996"
]
}
}
],
"source": {
"target": {
"architecture": "arm64",
"config": "...",
"imageID": "sha256:d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43",
"imageSize": 7454073,
"layers": [
{
"digest": "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834",
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 7454073
}
],
"manifest": "...",
"manifestDigest": "sha256:fcf2aaf52719a175f453a6a3f18a3859b8a68150cd5e33d37a3e1fb7205b9c7d",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"os": "linux",
"repoDigests": [
"alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
],
"tags": [
"alpine:latest"
],
"userInput": "alpine:latest"
},
"type": "image"
}
},
"secrets": {
"ArtifactName": "alpine:latest",
"ArtifactType": "container_image",
"Metadata": {
"DiffIDs": [
"sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
],
"ImageConfig": {
"architecture": "arm64",
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:9b54dde3b3d9eaa8c071ee8e7cda998e0fdbeb36f768a6f85a1a1219df51c24f"
},
"container": "212256a84b01278ea47cd3cd2f4a204904d6d99825659fd0c4210b71e3cb55f1",
"created": "2022-11-22T22:39:21.176490905Z",
"docker_version": "20.10.17",
"history": [
{
"created": "2022-11-22T22:39:21Z",
"created_by": "/bin/sh -c #(nop) ADD file:685b5edadf1d5bf0aeb2aec35f810d83876e6d2ea0903b213f75a9c5f0dc5901 in / "
},
{
"created": "2022-11-22T22:39:21Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"diff_ids": [
"sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
],
"type": "layers"
}
},
"ImageID": "sha256:d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43",
"OS": {
"Family": "alpine",
"Name": "3.17.0"
},
"RepoDigests": [
"alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
],
"RepoTags": [
"alpine:latest"
]
},
"SchemaVersion": 2
},
"configs": {
"ArtifactName": "alpine:latest",
"ArtifactType": "container_image",
"Metadata": {
"DiffIDs": [
"sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
],
"ImageConfig": {
"architecture": "arm64",
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:9b54dde3b3d9eaa8c071ee8e7cda998e0fdbeb36f768a6f85a1a1219df51c24f"
},
"container": "212256a84b01278ea47cd3cd2f4a204904d6d99825659fd0c4210b71e3cb55f1",
"created": "2022-11-22T22:39:21.176490905Z",
"docker_version": "20.10.17",
"history": [
{
"created": "2022-11-22T22:39:21Z",
"created_by": "/bin/sh -c #(nop) ADD file:685b5edadf1d5bf0aeb2aec35f810d83876e6d2ea0903b213f75a9c5f0dc5901 in / "
},
{
"created": "2022-11-22T22:39:21Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"diff_ids": [
"sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
],
"type": "layers"
}
},
"ImageID": "sha256:d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43",
"OS": {
"Family": "alpine",
"Name": "3.17.0"
},
"RepoDigests": [
"alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
],
"RepoTags": [
"alpine:latest"
]
},
"SchemaVersion": 2
},
"policy-results": [
{
"filename": "root",
"namespace": "main",
"successes": 5,
"failures": [
{
"msg": "vulnerability.rego failed - Found High software vulnerability: CVE-2022-3996"
},
{
"msg": "docker.rego failed - 4.1 Ensure a user for the container has been created (Scored) level 1"
},
{
"msg": "docker.rego failed - 4.6 Ensure HEALTHCHECK instructions have been added to the container image (Scored) level 1"
},
{
"msg": "docker.rego failed - 4.9 Ensure COPY is used instead of ADD in Dockerfile (Not Scored) level 1"
}
]
}
],
"policy-passed": false
}
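The following script, added here as an illustration rather than Veracode's own code, shows how a CI job can consume the JSON report above: it applies the policy rules from the Policy evaluations section (high or very high/critical vulnerabilities block, any Docker CIS violation blocks), prefers the distro-namespaced severity over the NVD one as the Vulnerability data sources section describes, and pulls the fix version out of each match for the remediation summary. The embedded report is a constructed sample that mirrors the page's structure; the second package and its CVE id are placeholders, and treating an empty or "Unknown" severity as absent is an assumption.

```python
import json
import sys

# Constructed sample (not real scanner output) mirroring the JSON layout above:
# one match with a distro fix version, and one whose distro severity is lower
# than its NVD severity. "examplepkg" and CVE-0000-0000 are placeholders.
SAMPLE = {
    "vulnerabilities": {"matches": [
        {"artifact": {"name": "libcrypto3", "version": "3.0.7-r0", "type": "apk"},
         "relatedVulnerabilities": [{"id": "CVE-2022-3996", "namespace": "nvd:cpe", "severity": "High"}],
         "vulnerability": {"id": "CVE-2022-3996", "namespace": "alpine:distro:alpine:3.17",
                           "severity": "High", "fix": {"state": "fixed", "versions": ["3.0.7-r2"]}}},
        {"artifact": {"name": "examplepkg", "version": "1.0-r0", "type": "apk"},
         "relatedVulnerabilities": [{"id": "CVE-0000-0000", "namespace": "nvd:cpe", "severity": "High"}],
         "vulnerability": {"id": "CVE-0000-0000", "namespace": "alpine:distro:alpine:3.17",
                           "severity": "Medium", "fix": {"state": "not-fixed", "versions": []}}},
    ]},
    "policy-results": [{"filename": "root", "namespace": "main", "successes": 5, "failures": [
        {"msg": "vulnerability.rego failed - Found High software vulnerability: CVE-2022-3996"},
        {"msg": "docker.rego failed - 4.1 Ensure a user for the container has been created (Scored) level 1"}]}],
    "policy-passed": False,
}

BLOCKING = {"Critical", "High"}  # severities that fail the policy per the page's rules


def effective_severity(match):
    """Prefer the more specific (distro) source's severity; fall back to the NVD entry.
    Assumption: an empty or "Unknown" distro severity counts as absent."""
    sev = match["vulnerability"].get("severity")
    if sev and sev != "Unknown":
        return sev
    nvd = [r for r in match.get("relatedVulnerabilities", []) if r.get("namespace") == "nvd:cpe"]
    return nvd[0]["severity"] if nvd else "Unknown"


def summarize(report):
    """Reduce a parsed report to the data a CI gate needs: blocking vulns with fix versions,
    the raw policy failure messages, and the Docker CIS (docker.rego) subset of them."""
    blocking = []
    for m in report["vulnerabilities"]["matches"]:
        sev = effective_severity(m)
        if sev in BLOCKING:
            fix = m["vulnerability"].get("fix", {})
            blocking.append({"id": m["vulnerability"]["id"], "package": m["artifact"]["name"],
                             "installed": m["artifact"]["version"], "severity": sev,
                             "fixed_in": fix.get("versions") or None})
    failures = [f["msg"] for r in report.get("policy-results", []) for f in r.get("failures", [])]
    return {"passed": report["policy-passed"], "blocking": blocking, "policy_failures": failures,
            "cis_failures": [f for f in failures if f.startswith("docker.rego")]}


if __name__ == "__main__":
    # Pass the file written with -o as the first argument; otherwise the sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    result = summarize(data)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Exiting non-zero when "policy-passed" is false lets the same script act as the build gate.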
Example table findings
Scans with the table format flag display results in four sections: Vulnerabilities, Misconfigurations, Secrets, and Policy Results. Each section provides details, such as the type and severity, of each finding.
./veracode scan --source https://github.com/bridgecrewio/terragoat --type repo -f table
Vulnerabilities
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
@actions/core 1.6.0 1.9.1 npm GHSA-7r3h-m5j6-3q42 Medium
@xmldom/xmldom 0.7.5 0.7.7 npm GHSA-crh6-fp67-6883 Critical
async 2.6.3 2.6.4 npm GHSA-fwr7-v2mv-hh25 High
commons-compress 1.15 1.19 java-archive GHSA-53x6-4x5p-rrvv High
commons-compress 1.20 1.21 java-archive GHSA-7hfm-57qf-j43q High
...
Misconfigurations
TITLE PROVIDER ID SEVERITY
aws_instance should activate session tokens for Instance Metadata Service. AWS AVD-AWS-0028 HIGH
IAM policy should avoid use of wildcards and instead apply the principle of least privilege AWS AVD-AWS-0057 HIGH
RDS Cluster and RDS instance should have backup retention longer than default 1 day AWS AVD-AWS-0077 MEDIUM
RDS encryption has not been enabled at a DB Instance level. AWS AVD-AWS-0080 HIGH
A database resource is marked as publicly accessible. AWS AVD-AWS-0082 CRITICAL
...
Secrets
FILE SECRET TYPE SEVERITY
terraform/aws/ec2.tf AWS Access Key ID CRITICAL
terraform/aws/ec2.tf AWS Secret Access Key CRITICAL
terraform/aws/lambda.tf AWS Access Key ID CRITICAL
terraform/aws/lambda.tf AWS Secret Access Key CRITICAL
terraform/aws/providers.tf AWS Access Key ID CRITICAL
terraform/aws/providers.tf AWS Secret Access Key CRITICAL
...
Policy Results
TYPE MESSAGE
Config Found CRITICAL issues in infrastructure as code: terraform/aws/db-app.tf: A database resource is marked as publicly accessible.
Config Found CRITICAL issues in infrastructure as code: terraform/aws/db-app.tf: An egress security group rule allows traffic to /0.
Secret Found CRITICAL secret: terraform/aws/ec2.tf: AWS Access Key ID
Secret Found CRITICAL secret: terraform/aws/ec2.tf: AWS Secret Access Key
Vulnerability Found Critical software vulnerability: GHSA-4w2j-2rg4-5mjw
Vulnerability Found Critical software vulnerability: GHSA-6pw2-5hjv-9pf7
...
Policy Passed = false