Review Container and IaC Scan findings
After a Veracode Container Security scan completes, the results appear in your command window, or in a new file if you include the -o flag. Scan results include the following categories of findings:
- Known vulnerabilities: vulnerabilities known in the Grype database.
- Configuration issues in infrastructure as code (IaC) files: misconfigurations in IaC files, such as Dockerfiles, Kubernetes manifests, and Terraform files.
- Exposed secrets: insecurely storing, using, and managing secrets, including credentials and cryptographic keys.
- Docker CIS Benchmark violations: violations of the guidelines defined in the CIS Docker Benchmarks.
- Insecure file permissions: insecure permissions using setuid and setgid.
To specify the output format of the scan results, such as JSON, CycloneDX, or a table, include the --format flag.
Policy evaluations
Veracode Container Security performs a basic policy evaluation against the findings. If the scan identifies any of the following findings, it returns "policy-passed": false.
- Known vulnerabilities, configuration issues in infrastructure as code (IaC) files, or exposed secrets with a very high or high severity.
- Any Docker CIS Benchmark violation.
- Any insecure file permissions.
If none of those findings are present, the scan returns "policy-passed": true.
Container and IaC Security findings on Veracode Platform
You can access the results of container and IaC scans, performed from the CLI, on the Veracode Platform. The Veracode Platform provides a visual representation of the severity count of scan findings, categorized as critical, high, medium, and low.
Additional features include:
- Search and filter
- Scan history for each asset to help you track changes in findings reported
- Mitigation guidance for each finding
The Container and IaC Analysis documentation page provides detailed information on using the Veracode Platform to analyze container and IaC scan results.
Users with Container and IaC analysis permissions can perform scan and review actions.
Vulnerability data sources
Veracode Container Security uses several data sources when reporting vulnerability findings, including:
- Alpine Linux SecDB
- Amazon Linux ALAS
- Debian Linux Bug Tracker
- GitHub GHSAs
- National Vulnerability Database (NVD)
- Oracle Linux OVAL
- Red Hat Linux Security Data
- Red Hat RHSAs: Security Data
- SUSE Linux OVAL
- Ubuntu Linux Security
In some cases, the severity Veracode reports for a CVE differs from the NVD severity. When a more specific source, such as the vulnerability database of the base image's distribution, provides a severity for a CVE, that more specific source takes precedence over NVD.
The vulnerability and policy databases are updated every 24 hours.
Example JSON findings
This sample output is the result of a scan request in readable JSON format:
./veracode scan --source alpine:latest --type image -f json
{
  "vulnerabilities": {
    "descriptor": {
      "configuration": "",
      "db": {
        "built": "2023-01-23T08:17:51Z",
        "checksum": "sha256:45441cfa64a877caea9c231a17c508f7d43cae415dce7103f2ba236a35e466f7",
        "error": null,
        "location": "5",
        "schemaVersion": 5
      },
      "name": "grype",
      "version": "[not provided]"
    },
    "distro": {
      "idLike": [],
      "name": "alpine",
      "version": "3.17.0"
    },
    "matches": [
      {
        "artifact": {
          "cpes": [
            "cpe:2.3:a:libcrypto3:libcrypto3:3.0.7-r0:*:*:*:*:*:*:*"
          ],
          "language": "",
          "licenses": [
            "Apache-2.0"
          ],
          "locations": [
            {
              "layerID": "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834",
              "path": "/lib/apk/db/installed"
            }
          ],
          "name": "libcrypto3",
          "purl": "pkg:alpine/[email protected]?arch=aarch64\u0026upstream=openssl\u0026distro=alpine-3.17.0",
          "type": "apk",
          "upstreams": [
            {
              "name": "openssl"
            }
          ],
          "version": "3.0.7-r0"
        },
        "matchDetails": [
          {
            "found": {
              "versionConstraint": "\u003c 3.0.7-r2 (apk)"
            },
            "matcher": "apk-matcher",
            "searchedBy": {
              "distro": {
                "type": "alpine",
                "version": "3.17.0"
              },
              "namespace": "alpine:distro:alpine:3.17",
              "package": {
                "name": "openssl",
                "version": "3.0.7-r0"
              }
            },
            "type": "exact-indirect-match"
          }
        ],
        "relatedVulnerabilities": [
          {
            "cvss": [
              {
                "metrics": {
                  "baseScore": 7.5,
                  "exploitabilityScore": 3.9,
                  "impactScore": 3.6
                },
                "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "vendorMetadata": {},
                "version": "3.1"
              }
            ],
            "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996",
            "description": "If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.",
            "id": "CVE-2022-3996",
            "namespace": "nvd:cpe",
            "severity": "High",
            "urls": [
              "https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7",
              "https://www.openssl.org/news/secadv/20221213.txt"
            ]
          }
        ],
        "vulnerability": {
          "advisories": [],
          "cvss": [],
          "dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996",
          "fix": {
            "state": "fixed",
            "versions": [
              "3.0.7-r2"
            ]
          },
          "id": "CVE-2022-3996",
          "namespace": "alpine:distro:alpine:3.17",
          "severity": "High",
          "urls": [
            "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996"
          ]
        }
      },
      {
        "artifact": {
          "cpes": [
            "cpe:2.3:a:libssl3:libssl3:3.0.7-r0:*:*:*:*:*:*:*"
          ],
          "language": "",
          "licenses": [
            "Apache-2.0"
          ],
          "locations": [
            {
              "layerID": "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834",
              "path": "/lib/apk/db/installed"
            }
          ],
          "name": "libssl3",
          "purl": "pkg:alpine/[email protected]?arch=aarch64\u0026upstream=openssl\u0026distro=alpine-3.17.0",
          "type": "apk",
          "upstreams": [
            {
              "name": "openssl"
            }
          ],
          "version": "3.0.7-r0"
        },
        "matchDetails": [
          {
            "found": {
              "versionConstraint": "\u003c 3.0.7-r2 (apk)"
            },
            "matcher": "apk-matcher",
            "searchedBy": {
              "distro": {
                "type": "alpine",
                "version": "3.17.0"
              },
              "namespace": "alpine:distro:alpine:3.17",
              "package": {
                "name": "openssl",
                "version": "3.0.7-r0"
              }
            },
            "type": "exact-indirect-match"
          }
        ],
        "relatedVulnerabilities": [
          {
            "cvss": [
              {
                "metrics": {
                  "baseScore": 7.5,
                  "exploitabilityScore": 3.9,
                  "impactScore": 3.6
                },
                "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "vendorMetadata": {},
                "version": "3.1"
              }
            ],
            "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996",
            "description": "If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.",
            "id": "CVE-2022-3996",
            "namespace": "nvd:cpe",
            "severity": "High",
            "urls": [
              "https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7",
              "https://www.openssl.org/news/secadv/20221213.txt"
            ]
          }
        ],
        "vulnerability": {
          "advisories": [],
          "cvss": [],
          "dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996",
          "fix": {
            "state": "fixed",
            "versions": [
              "3.0.7-r2"
            ]
          },
          "id": "CVE-2022-3996",
          "namespace": "alpine:distro:alpine:3.17",
          "severity": "High",
          "urls": [
            "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996"
          ]
        }
      }
    ],
    "source": {
      "target": {
        "architecture": "arm64",
        "config": "...",
        "imageID": "sha256:d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43",
        "imageSize": 7454073,
        "layers": [
          {
            "digest": "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834",
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 7454073
          }
        ],
        "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjoxNDg3LCJkaWdlc3QiOiJzaGEyNTY6ZDMxNTZmZWM4YmNiYzdiNDkxYTRlZGMyNzFhNzczNGRjZmExODZmYzczMjgyZDRlMTIwZWVhYWYyY2U5NWM0MyJ9LCJsYXllcnMiOlt7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjo3NzQ1NTM2LCJkaWdlc3QiOiJzaGEyNTY6MWI1NzdhOGZiOGNlMjUwMjNhMGVjMGExN2E2ZGMzZDZhYTljY2E5ODlmNzU0NTc4MDBjYjU1MTc5ZWUyZTgzNCJ9XX0=",
        "manifestDigest": "sha256:fcf2aaf52719a175f453a6a3f18a3859b8a68150cd5e33d37a3e1fb7205b9c7d",
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "os": "linux",
        "repoDigests": [
          "alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
        ],
        "tags": [
          "alpine:latest"
        ],
        "userInput": "alpine:latest"
      },
      "type": "image"
    }
  },
  "secrets": {
    "ArtifactName": "alpine:latest",
    "ArtifactType": "container_image",
    "Metadata": {
      "DiffIDs": [
        "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
      ],
      "ImageConfig": {
        "architecture": "arm64",
        "config": {
          "Cmd": [
            "/bin/sh"
          ],
          "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
          ],
          "Image": "sha256:9b54dde3b3d9eaa8c071ee8e7cda998e0fdbeb36f768a6f85a1a1219df51c24f"
        },
        "container": "212256a84b01278ea47cd3cd2f4a204904d6d99825659fd0c4210b71e3cb55f1",
        "created": "2022-11-22T22:39:21.176490905Z",
        "docker_version": "20.10.17",
        "history": [
          {
            "created": "2022-11-22T22:39:21Z",
            "created_by": "/bin/sh -c #(nop) ADD file:685b5edadf1d5bf0aeb2aec35f810d83876e6d2ea0903b213f75a9c5f0dc5901 in / "
          },
          {
            "created": "2022-11-22T22:39:21Z",
            "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
            "empty_layer": true
          }
        ],
        "os": "linux",
        "rootfs": {
          "diff_ids": [
            "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
          ],
          "type": "layers"
        }
      },
      "ImageID": "sha256:d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43",
      "OS": {
        "Family": "alpine",
        "Name": "3.17.0"
      },
      "RepoDigests": [
        "alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
      ],
      "RepoTags": [
        "alpine:latest"
      ]
    },
    "SchemaVersion": 2
  },
  "configs": {
    "ArtifactName": "alpine:latest",
    "ArtifactType": "container_image",
    "Metadata": {
      "DiffIDs": [
        "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
      ],
      "ImageConfig": {
        "architecture": "arm64",
        "config": {
          "Cmd": [
            "/bin/sh"
          ],
          "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
          ],
          "Image": "sha256:9b54dde3b3d9eaa8c071ee8e7cda998e0fdbeb36f768a6f85a1a1219df51c24f"
        },
        "container": "212256a84b01278ea47cd3cd2f4a204904d6d99825659fd0c4210b71e3cb55f1",
        "created": "2022-11-22T22:39:21.176490905Z",
        "docker_version": "20.10.17",
        "history": [
          {
            "created": "2022-11-22T22:39:21Z",
            "created_by": "/bin/sh -c #(nop) ADD file:685b5edadf1d5bf0aeb2aec35f810d83876e6d2ea0903b213f75a9c5f0dc5901 in / "
          },
          {
            "created": "2022-11-22T22:39:21Z",
            "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
            "empty_layer": true
          }
        ],
        "os": "linux",
        "rootfs": {
          "diff_ids": [
            "sha256:1b577a8fb8ce25023a0ec0a17a6dc3d6aa9cca989f75457800cb55179ee2e834"
          ],
          "type": "layers"
        }
      },
      "ImageID": "sha256:d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43",
      "OS": {
        "Family": "alpine",
        "Name": "3.17.0"
      },
      "RepoDigests": [
        "alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
      ],
      "RepoTags": [
        "alpine:latest"
      ]
    },
    "SchemaVersion": 2
  },
  "policy-results": [
    {
      "filename": "root",
      "namespace": "main",
      "successes": 5,
      "failures": [
        {
          "msg": "vulnerability.rego failed - Found High software vulnerability: CVE-2022-3996"
        },
        {
          "msg": "docker.rego failed - 4.1 Ensure a user for the container has been created (Scored) level 1"
        },
        {
          "msg": "docker.rego failed - 4.6 Ensure HEALTHCHECK instructions have been added to the container image (Scored) level 1"
        },
        {
          "msg": "docker.rego failed - 4.9 Ensure COPY is used instead of ADD in Dockerfile (Not Scored) level 1"
        }
      ]
    }
  ],
  "policy-passed": false
}
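As an added example that is not part of the Veracode documentation or CLI, the following Python script consumes JSON output of the shape shown above (for instance a file written with -o) and turns it into a CI gate: it lists each match with its fix version, groups the policy-results failures by the Rego policy that raised them, and exits non-zero when "policy-passed" is false, which is how the policy evaluation described earlier surfaces in the output. The reported_severity helper is an assumed reading of the severity precedence described under Vulnerability data sources (distro-specific source over NVD); the selection logic Veracode itself applies is not documented on this page, and the embedded SAMPLE is a constructed, trimmed copy of the output above with the NVD severity deliberately lowered to make the precedence visible.

```python
import json
import sys

# Constructed, trimmed sample in the shape of the page's JSON output (NVD severity lowered on purpose).
SAMPLE = json.loads('''{
 "vulnerabilities": {"matches": [{
   "artifact": {"name": "libcrypto3", "version": "3.0.7-r0", "type": "apk"},
   "relatedVulnerabilities": [{"id": "CVE-2022-3996", "namespace": "nvd:cpe", "severity": "Medium"}],
   "vulnerability": {"id": "CVE-2022-3996", "namespace": "alpine:distro:alpine:3.17",
     "severity": "High", "fix": {"state": "fixed", "versions": ["3.0.7-r2"]}}}]},
 "policy-results": [{"filename": "root", "namespace": "main", "successes": 5, "failures": [
   {"msg": "vulnerability.rego failed - Found High software vulnerability: CVE-2022-3996"},
   {"msg": "docker.rego failed - 4.1 Ensure a user for the container has been created (Scored) level 1"}]}],
 "policy-passed": false}''')

RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": 0}

def reported_severity(match):
    """Assumed precedence: a distro-namespace severity wins over NVD; otherwise take the worst record seen."""
    vuln = match["vulnerability"]
    if vuln.get("severity") and not vuln.get("namespace", "").startswith("nvd:"):
        return vuln["severity"]
    seen = [vuln.get("severity")] + [r.get("severity") for r in match.get("relatedVulnerabilities", [])]
    return max((s for s in seen if s), key=lambda s: RANK.get(s, 0), default="Unknown")

def summarize_matches(report):
    """One row per match: package, installed version, fix version(s), id, reported severity."""
    return [{"package": m["artifact"]["name"], "installed": m["artifact"]["version"],
             "fixed_in": ", ".join(m["vulnerability"].get("fix", {}).get("versions", [])) or "none",
             "id": m["vulnerability"]["id"], "severity": reported_severity(m)}
            for m in report["vulnerabilities"]["matches"]]

def policy_failures(report):
    """Group failure messages by the Rego policy that raised them (vulnerability.rego, docker.rego, ...)."""
    grouped = {}
    for result in report.get("policy-results", []):
        for failure in result.get("failures", []):
            policy, _, detail = failure["msg"].partition(" failed - ")
            grouped.setdefault(policy, []).append(detail)
    return grouped

def ci_exit_code(report):
    """Non-zero unless the scan's own policy evaluation passed."""
    return 0 if report.get("policy-passed") is True else 1

if __name__ == "__main__":
    report = SAMPLE if len(sys.argv) < 2 else json.load(open(sys.argv[1], encoding="utf-8"))
    print(json.dumps({"findings": summarize_matches(report), "failures": policy_failures(report)}, indent=1))
    sys.exit(ci_exit_code(report))
```

Run it as `python gate.py findings.json` in a pipeline step; with no argument it evaluates the embedded sample and exits 1 because that sample did not pass policy.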
Example table findings
Scans with the table format flag display results in four sections: Vulnerabilities, Misconfigurations, Secrets, and Policy Results. Each section provides details, such as the type and severity, of each finding.
./veracode scan --source https://github.com/bridgecrewio/terragoat --type repo -f table
Vulnerabilities
NAME              INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
@actions/core     1.6.0      1.9.1     npm           GHSA-7r3h-m5j6-3q42  Medium
@xmldom/xmldom    0.7.5      0.7.7     npm           GHSA-crh6-fp67-6883  Critical
async             2.6.3      2.6.4     npm           GHSA-fwr7-v2mv-hh25  High
commons-compress  1.15       1.19      java-archive  GHSA-53x6-4x5p-rrvv  High
commons-compress  1.20       1.21      java-archive  GHSA-7hfm-57qf-j43q  High
...
Misconfigurations
TITLE                                                                                        PROVIDER  ID            SEVERITY
aws_instance should activate session tokens for Instance Metadata Service.                   AWS       AVD-AWS-0028  HIGH
IAM policy should avoid use of wildcards and instead apply the principle of least privilege  AWS       AVD-AWS-0057  HIGH
RDS Cluster and RDS instance should have backup retention longer than default 1 day          AWS       AVD-AWS-0077  MEDIUM
RDS encryption has not been enabled at a DB Instance level.                                  AWS       AVD-AWS-0080  HIGH
A database resource is marked as publicly accessible.                                        AWS       AVD-AWS-0082  CRITICAL
...
Secrets
FILE                        SECRET TYPE            SEVERITY
terraform/aws/ec2.tf        AWS Access Key ID      CRITICAL
terraform/aws/ec2.tf        AWS Secret Access Key  CRITICAL
terraform/aws/lambda.tf     AWS Access Key ID      CRITICAL
terraform/aws/lambda.tf     AWS Secret Access Key  CRITICAL
terraform/aws/providers.tf  AWS Access Key ID      CRITICAL
terraform/aws/providers.tf  AWS Secret Access Key  CRITICAL
...
Policy Results
TYPE           MESSAGE
Config         Found CRITICAL issues in infrastructure as code: terraform/aws/db-app.tf: A database resource is marked as publicly accessible.
Config         Found CRITICAL issues in infrastructure as code: terraform/aws/db-app.tf: An egress security group rule allows traffic to /0.
Secret         Found CRITICAL secret: terraform/aws/ec2.tf: AWS Access Key ID
Secret         Found CRITICAL secret: terraform/aws/ec2.tf: AWS Secret Access Key
Vulnerability  Found Critical software vulnerability: GHSA-4w2j-2rg4-5mjw
Vulnerability  Found Critical software vulnerability: GHSA-6pw2-5hjv-9pf7
...
Policy Passed = false