Run Container Security scans

Veracode Container Security scans return vulnerability data and policy evaluations based on several categories of findings.

Scan your repos

Use Veracode Repository Scanning to run scans and access the results in your repos, or access the results in the Veracode Platform. Repository Scanning runs IaC scans in addition to Veracode Pipeline Scan (SAST) and Veracode SCA Agent-based Scan.

Scan using the CLI

Scan containers and IaC using the Veracode CLI.

To identify exposed secrets and other sensitive information, such as credit card numbers, CI/CD token values, or any other proprietary secrets, configure secret rules.

Before you begin:

Ensure you meet the prerequisites.
If you want to apply a custom security policy to assess the scan results against, ensure you have created or identified a custom policy.
To scan in a Docker container, ensure you have installed a package containing compatibility libraries for glibc, such as libc6-compat.
To access the scan results in the Veracode Platform, before scanning, you must set analysis_on_platform to true in your veracode.yml file.

To complete this task:

Open a command prompt.
Optionally, to fetch a custom security policy to apply to the scan results, run:
```
./veracode policy get demo-policy-container-scan
```
The preceding command fetches the policy demo-policy-container-scan in Rego format. To check if the policy is downloaded, run ls -ltr.

important
To download a policy in the Rego format, create the policy for Container and IaC scans only. If a policy contains rules for both SCA and Container and IaC scans, you can't download it.
To detect sensitive information, such as secrets and keys, configure secret rules in your veracode.yml file. The scan applies these rules during scanning.
Run the scan command with the appropriate flags.

For example:

To scan an image and apply the downloaded demo policy, run:
```
./veracode scan --source alpine:latest --type image --policy demo-policy-container-scan.rego
```
To scan and detect secrets in a directory, run:
```
./veracode scan --source <your_project_directory> --type directory
```
To scan and detect secrets in a repository, run:
```
./veracode scan --source <your_repo_URL> --type repo
```
To display the output in table format, include the -table flag.

To print the output to a JSON file, run:
```
./veracode scan --source alpine:latest --type image -o alpine-latest.json
```
You can share this JSON file or save it as an artifact in a pipeline.
Review the scan results.

Configure secret rules

To ensure accurate and organization-specific detection of secrets based on defined keys and secret patterns, add secret rules to your veracode.yml file.

To complete this task:

Edit the veracode.yml file in your .veracode directory.

Under container_scan:, add a secret-rules: parameter that includes a bulleted list of secret rules to apply to your container and Infrastructure as Code (IaC) scans. For example:

api:
 key-id: 1*************1****
 key-secret: c*********************************************************a
container_scan:
   secret-rules:
   - id: test for app secrets
     category: Passwords
     title: App Secret
     severity: HIGH
     group-name: secret
     regex: (?i)(?P<key>APP_SECRET_KEY)\s*[:=]*\s*(?P<secret>[^\s,]*)
   - id: Test for app id
     category: Passwords
     title: App ID
     severity: HIGH
     group-name: secret
     regex: (?i)(?P<key>APP_ID)\s*[:=]*\s*(?P<secret>[^\s,]*)

Ensure there are no syntax errors in the YAML file.
Save your changes.
To apply the secret rules, start a scan.

Secret rule parameters

To detect secrets and other sensitive information during scanning, use the following parameters to add secret rules to the veracode.yml file in your .veracode directory.

Parameter	Description	Example
`id` Required	Descriptive identifier for the rule.	`Test for Azure client id and tenant id`
`category`	The category of secret, such as passwords, keys, or tokens.	`Passwords`
`title` Required	Brief title for the rule.	`Client ID`
`severity` Required	The relative importance of the rule, in terms of its impact on the security of your containers and IaC.	`HIGH`
`group-name`	Name you can use to categorize rules for reporting or organizational purposes.	`API keys`
`regex` Required	Regular expression that defines the pattern to use when searching for secrets in the scanned files. Must match the RE2 syntax.	`(?i)(?P<key>APP_ID)\s[:=]\s(?P<secret>[^\s,])`

Supported keys

Veracode Container Security detects the following keys in container and IaC files:

AWS, Adobe, Age, Alibaba, Asana, AsymmetricPrivateKey, Atlassian
Beamer, Bitbucket
Clojars, ContentfulDelivery,
Databricks, Discord, Doppler, Dropbox, Duffel, Dynatrace
Easypost
Facebook, Fastly, Finicity, Flutterwave, Frameio
GitHub, GitLab, GoCardless, Google, Grafana
HashiCorp, Heroku, HubSpot
Intercom, Ionic
Linear, LinkedIn, Lob
Mailchimp, Mailgun, Mapbox, MessageBird
NewRelic, Npm
Planetscale, Postman, Pulumi, PyPI,
RubyGems
SendGrid, Sendinblue, Shippo, Shopify, Slack, Stripe
Twilio, Twitch, Twitter
ypeform

Secret detection limitations

The following table lists the locations where the Veracode CLI will not detect secrets.

Location	Code/path ignored for excluded metadata directories
`Python .dist-info metadata directories`	`\.dist-info\/`
`Test files and paths`	`(^(?i)test\|\/test\|-test\|_test\|\.test)`
`Example files and paths`	`example`
`Vendor directories`	`\/vendor\/`
`System directories`	`^usr\/(?:share\|include\|lib)\/`
`Locales directories`	`\/locales?\/`
`Markdown files`	`\.md$`
`Node container images`	`^opt\/yarn-v[\d.]+\/`
`Go container images`	`^usr\/local\/go\/`
`Python container images`	`^usr\/local\/lib\/python[\d.]+\/`
`Ruby container images`	`^usr\/lib\/gems\/`
`WordPress container images`	`^usr\/src\/wordpress\/`
`Anaconda CI logs in container images`	`^var\/log\/anaconda\/`

Scan your repos​

Scan using the CLI​

Configure secret rules​

Secret rule parameters​

Supported keys​

Secret detection limitations​

Did you find this helpful?