Scan containers, IaC, and secrets
Use Veracode Container Security to test the security posture of your containers and Infrastructure as Code (IaC) files. To manage supply chain risk, you can also use it to generate a software bill of materials (SBOM) of your open-source components.
Securing your container and IaC assets helps your developers prevent exploits before runtime and gives them visibility into the security posture of their container pipeline.
How can I use Veracode Container Security?
The following Veracode products support Veracode Container Security.
- Veracode CLI - run scans and access the results from a command line, or access the results in the Veracode Platform. You can also generate SBOMs.
- Veracode Repository Scanning - run scans and access the results in your repos, or access the results in the Veracode Platform. Repository Scanning runs IaC scans in addition to Veracode Pipeline Scan (SAST) and Veracode SCA Agent-based Scan.
- Veracode Platform - only supports viewing scan results.
Prerequisites
- You must have a user account with the following roles.
  - Submitter: to run scans
  - Reviewer: to access scan results
- To use the Veracode CLI, ensure you have installed the Veracode CLI and configured your authentication with Veracode.
- To scan and review results in your repos, ensure you have set up Veracode Repository Scanning.
To access scan results in the Veracode Platform, before scanning, you must set analysis_on_platform to true in your veracode.yml file.
Asset types and scan types
Veracode Container Security scans an asset. The asset types are a repository, directory, container base image, or archive.
The scan type depends on the asset type. The scan type for a repository or directory is IaC, and the scan type for an image or archive is Container.
Vulnerability data sources
Veracode Container Security uses several data sources to detect and report vulnerabilities, including:
- Alpine Linux SecDB
- Amazon Linux ALAS
- Debian Linux Bug Tracker
- GitHub GHSAs
- National Vulnerability Database (NVD)
- Oracle Linux OVAL
- Red Hat Linux Security Data
- RedHat RHSAs: Security Data
- SUSE Linux OVAL
- Ubuntu Linux Security
In some cases, the severity Veracode reports for a CVE differs from the severity from the National Vulnerability Database (NVD). When a more specific source, such as a base image vulnerability database, provides a severity for a CVE, that more specific source takes precedence.
The vulnerability and policy databases are updated every 24 hours.
Host the vulnerability database locally
Veracode downloads the Grype database when the veracode scan command is run.
Grype updates the downloaded database daily, and Veracode Repository Scanning uses this database for subsequent scans.
When a newer version of the Grype database is released, the database is downloaded again, replacing the older one on the local system.
You can host this database at a preferred location and fetch it during a scan.
If you change the location of the Grype database, ensure that you keep it updated.
To complete this task:
- Update Veracode CLI to version 2.41.0 or later.
- Download the latest.json file of the Grype database.
- Host the database on a port. For example, to host the database on port 8000 using Python, run:
  python3 -m http.server 8000
  Once hosted, latest.json is reachable from the port. For example, if you hosted the database on port 8000, you can access it at http://localhost:8000/latest.json. Note that there are other ways to host the database.
- To store the location of the hosted database, set the environment variable VULNERABILITY_DB_ENDPOINT. For example, if you hosted the database on port 8000 on your local system, run:
  export VULNERABILITY_DB_ENDPOINT=http://localhost:8000/latest.json
- To check that the database is displayed in the output, run a container scan in debug mode. In this example, where you hosted the database on port 8000 on your local system, the output should include the following log:
  DBG grype db listing url url=http://localhost:8080
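A self-hosted mirror only protects you while it is kept current: a stale latest.json silently leaves scans without the last day's CVEs. The following script is an added example, not code from Veracode or Grype. It validates the value you would put in VULNERABILITY_DB_ENDPOINT and checks the age of the hosted listing against the 24-hour refresh interval stated above. It assumes the hosted latest.json carries an ISO-8601 "built" timestamp, which is the field the Grype v6 listing format publishes; the sample listing, its path and its checksum are constructed placeholders.

```python
"""Freshness and endpoint checks for a self-hosted Grype database listing.

Added example, not code from Veracode or Grype. It assumes the hosted
latest.json carries an ISO-8601 "built" timestamp (the field the Grype v6
listing format publishes); the sample listing below is constructed.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# The page states the vulnerability database is updated every 24 hours, so a
# mirror older than that is lagging behind the upstream feed.
MAX_AGE_HOURS = 24.0

# Constructed sample listing; path and checksum are placeholders, not real values.
SAMPLE_LISTING = json.dumps({
    "status": "active",
    "schemaVersion": "6.0.0",
    "built": "2024-05-01T03:00:00Z",
    "path": "vulnerability-db_v6.0.0_PLACEHOLDER.tar.zst",
    "checksum": "sha256:PLACEHOLDER",
})


def _parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting the trailing 'Z' that older Pythons reject."""
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def endpoint_is_valid(url: str) -> bool:
    """VULNERABILITY_DB_ENDPOINT must be an http(s) URL that names the latest.json file."""
    parsed = urlparse(url)
    return (
        parsed.scheme in ("http", "https")
        and bool(parsed.netloc)
        and parsed.path.endswith("/latest.json")
    )


def listing_age_hours(listing_text: str, now_iso: str) -> float:
    """Hours between the listing's 'built' time and now_iso."""
    listing = json.loads(listing_text)
    age = _parse_utc(now_iso) - _parse_utc(listing["built"])
    return age / timedelta(hours=1)


def mirror_is_fresh(listing_text: str, now_iso: str,
                    max_age_hours: float = MAX_AGE_HOURS) -> bool:
    """True when the hosted listing is no older than the upstream refresh interval."""
    return listing_age_hours(listing_text, now_iso) <= max_age_hours


def check_endpoint(url: str, now_iso: str, timeout: float = 5.0) -> dict:
    """Fetch a hosted listing and report URL validity, reachability and freshness."""
    report = {"valid_url": endpoint_is_valid(url), "reachable": False, "fresh": False}
    if not report["valid_url"]:
        return report
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except (OSError, ValueError):
        return report  # unreachable host, HTTP error, or undecodable body
    report["reachable"] = True
    try:
        report["fresh"] = mirror_is_fresh(body, now_iso)
    except (ValueError, KeyError):
        report["fresh"] = False  # not a listing we can read: treat as stale
    return report


if __name__ == "__main__":
    # Reads the same variable the Veracode CLI uses, then fetches the listing.
    endpoint = os.environ.get("VULNERABILITY_DB_ENDPOINT", "")
    now = datetime.now(timezone.utc).isoformat()
    print(json.dumps(check_endpoint(endpoint, now), indent=2))
```

Run it on the host that serves the database after exporting VULNERABILITY_DB_ENDPOINT as in the step above; a report with "fresh": false means the mirror has fallen behind the daily upstream update and needs a new latest.json before the next scan.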