Run Container Security scans

Veracode Container Security scans return vulnerability data and policy evaluations based on several categories of findings.

Scan your repos

Use Veracode Repository Scanning to run scans and access the results in your repos, or access the results in the Veracode Platform. Repository Scanning runs IaC scans in addition to Veracode Pipeline Scan (SAST) and Veracode SCA Agent-based Scan.

Scan using the CLI

Scan containers and IaC using the Veracode CLI.

To identify exposed secrets and other sensitive information, such as credit card numbers, CI/CD token values, or any other proprietary secrets, configure secret rules.

Before you begin:

Ensure you meet the prerequisites.
If you want to apply a custom security policy to assess the scan results against, ensure you have created or identified a custom policy.
To scan in a Docker container, ensure you have installed a package containing compatibility libraries for glibc, such as libc6-compat.
To access the scan results in the Veracode Platform, before scanning, you must set analysis_on_platform to true in your veracode.yml file.

To complete this task:

Open a command prompt.
Optionally, to fetch a custom security policy to apply to the scan results, run:
```
./veracode policy get demo-policy-container-scan
```
The preceding command fetches the policy demo-policy-container-scan in Rego format. To check if the policy is downloaded, run ls -ltr.

important
To download a policy in the Rego format, create the policy for Container and IaC scans only. If a policy contains rules for both SCA and Container and IaC scans, you can't download it.
To detect sensitive information, such as secrets and keys, configure secret rules in your veracode.yml file. The scan applies these rules during scanning.
Run the scan command with the appropriate flags.

For example:

To scan an image and apply the downloaded demo policy, run:
```
./veracode scan --source alpine:latest --type image --policy demo-policy-container-scan.rego
```
To scan and detect secrets in a directory, run:
```
./veracode scan --source <your_project_directory> --type directory
```
To scan and detect secrets in a repository, run:
```
./veracode scan --source <your_repo_URL> --type repo
```
To display the output in table format, include the -table flag.

To print the output to a JSON file, run:
```
./veracode scan --source alpine:latest --type image -o alpine-latest.json
```
You can share this JSON file or save it as an artifact in a pipeline.
Review the scan results.

Configure secret rules

To ensure accurate and organization-specific detection of secrets based on defined keys and secret patterns, add secret rules to your veracode.yml file.

To complete this task:

Edit the veracode.yml file in your .veracode directory.

Under container_scan:, add a secret-rules: parameter that includes a bulleted list of secret rules to apply to your container and Infrastructure as Code (IaC) scans. For example:

api:
 key-id: 1*************1****
 key-secret: c*********************************************************a
container_scan:
   secret-rules:
   - id: test for app secrets
     category: Passwords
     title: App Secret
     severity: HIGH
     group-name: secret
     regex: (?i)(?P<key>APP_SECRET_KEY)\s*[:=]*\s*(?P<secret>[^\s,]*)
   - id: Test for app id
     category: Passwords
     title: App ID
     severity: HIGH
     group-name: secret
     regex: (?i)(?P<key>APP_ID)\s*[:=]*\s*(?P<secret>[^\s,]*)

Ensure there are no syntax errors in the YAML file.
Save your changes.
To apply the secret rules, start a scan.

Apply secret rule

For Veracode CLI to pick up the rules in veracode.yml, this file must be available in the .veracode folder in your current user's home folder. Create a GitHub task that creates the .veracode folder in your current user's home directory and then copies the veracode.yml file to this folder. This task will be run with the pipeline.

For example, if the veracode.yml file exists inside the secrets folder in the repository, write a GitHub task that contains the following content:

    - name: Copy yml
      run: |
         orgFolder=$(pwd)
         cd ~
         mkdir .veracode
         cd .veracode
         cp $orgFolder/secrets/veracode.yml ./

If the veracode.yml file is not available in the CI system, create this file and place it in the correct location.

Secret rule parameters

To detect secrets and other sensitive information during scanning, use the following parameters to add secret rules to the veracode.yml file in your .veracode directory.

Parameter	Description	Example
`id` Required	Descriptive identifier for the rule.	`Test for Azure client id and tenant id`
`category`	The category of secret, such as passwords, keys, or tokens.	`Passwords`
`title` Required	Brief title for the rule.	`Client ID`
`severity` Required	The relative importance of the rule, in terms of its impact on the security of your containers and IaC.	`HIGH`
`group-name`	Name you can use to categorize rules for reporting or organizational purposes.	`API keys`
`regex` Required	Regular expression that defines the pattern to use when searching for secrets in the scanned files. Must match the RE2 syntax.	`(?i)(?P<key>APP_ID)\s[:=]\s(?P<secret>[^\s,])`

Supported keys

Veracode Container Security detects the following keys in container and IaC files:

AWS, Adobe, Age, Alibaba, Asana, AsymmetricPrivateKey, Atlassian
Beamer, Bitbucket
Clojars, ContentfulDelivery,
Databricks, Discord, Doppler, Dropbox, Duffel, Dynatrace
Easypost
Facebook, Fastly, Finicity, Flutterwave, Frameio
GitHub, GitLab, GoCardless, Google, Grafana
HashiCorp, Heroku, HubSpot
Intercom, Ionic
Linear, LinkedIn, Lob
Mailchimp, Mailgun, Mapbox, MessageBird
NewRelic, Npm
Planetscale, Postman, Pulumi, PyPI,
RubyGems
SendGrid, Sendinblue, Shippo, Shopify, Slack, Stripe
Twilio, Twitch, Twitter
ypeform

Secret detection limitations

The following table lists the file and code paths where the Veracode CLI will not detect secrets.

Files and paths	Ignored files and paths
Python `.dist-info` metadata directories	`.dist-info/`
Test files and paths	`test`, `-test`, `_test`, `.test`, any file starting with `test` (case-insensitive)
Example files and paths	`example`
Vendor directories	`/vendor/`
System directories	`usr/share/`, `usr/include/`, `usr/lib/`
Locales directories	`locales/`, `/locale/`
Markdown files	`.md` extension
Node container images	`opt/yarn-v[any combination of digits and "." symbols]/`
Go container images	`usr/local/go/`
Python container images	`usr/local/lib/python[any combination of digits and "." symbols]/`
Ruby container images	`usr/lib/gems/`
WordPress container images	`usr/src/wordpress/`
Anaconda CI logs in container images	`var/log/anaconda/`

Supported configuration types

The following table lists the IaC file types for which Veracode detects vulnerabilities:

Config type	File patterns
Kubernetes	.yml, .yaml, *.json
Docker	Dockerfile, Containerfile
Terraform	.tf, .tf.json, *.tfvars
Terraform Plan	tfplan, .tfplan, .json
CloudFormation	.yml, .yaml, *.json
Azure ARM Template	*.json
Helm	.yaml, .tpl, *.tar.gz, etc.
YAML	.yaml, .yml
JSON	*.json

Scan your repos​

Scan using the CLI​

Configure secret rules​

Apply secret rule​

Secret rule parameters​

Supported keys​

Secret detection limitations​

Supported configuration types​

Did you find this helpful?