Getting Started with Deepfactor

Transcript:

In this video, we’re going to talk about Deepfactor’s next-generation software composition analysis platform, which combines traditional scanning of artifacts during the CI/CD pipeline with observing the applications from containers at runtime, and correlates the two to tell you which of the vulnerable modules and components are actually loaded into memory. Let’s get started. You click on the Start button at the top right, and that takes you to this page where you have a bunch of different options. If you simply want to scan your container images or scan your file system, which is essentially just a git clone, for example, then you simply click on this option. You get your DFCTL command line tool, set your token and start scanning.

The DFCTL command can be used to scan your artifacts, whether they’re a container image or artifacts like your start files or your file system that is being checked in, to determine three essential things: 1) determine and create a bill of materials in CycloneDX and SPDX format, 2) get vulnerabilities and identify the list of vulnerabilities that your application or artifact might have, and 3) determine the licenses, such as GPL, et cetera, that your developers may have accidentally brought in. This command line tool, DFCTL, can be incorporated into your CI/CD pipelines. Whether you’re using Jenkins or GitLab or GitHub, you can incorporate this into the CI/CD pipeline so that developers get this information during development and testing and at build time. And if necessary, you can use policies to gate the builds, so that in case vulnerabilities are accidentally brought into your components, you gate the build and make sure that it doesn’t go through to the next stage of your pipeline. That’s as far as the static scan is concerned.

Now, Deepfactor has the added capability, which is the unique capability, of observing applications as they’re running in your dev, test or possibly even production environments. So let’s start with the Kubernetes option, because that’s the most popular option that customers use with Deepfactor. If you want to observe your Kubernetes workloads to understand which vulnerable components are loaded and used in memory, then you’d choose this option, Kubernetes. Here you follow a simple wizard. You select the registry that you want, you essentially give your cluster name, it creates an override.yaml automatically here, and then you simply download the override.yaml and use this Helm command to install the Deepfactor webhook, or admission controller webhook, into your Kubernetes environment. You can tweak the override.yaml to specifically call out certain namespaces or certain containers that you want Deepfactor to observe and watch more.

If you don’t have Kubernetes, if you’re using plain Docker containers, you can simply run this on your development laptop, even using the same DFCTL command line tool but using a DFCTL run option instead of a DFCTL scan option, which is what you would do on the left. So in your development environment or in your test environment, you can use DFCTL run to observe your running containers and understand malicious behaviors of new running containers, as well as usage of vulnerable modules within your running containers.

If you’re using other types of container deployments, such as Fargate or AWS ECS or Lambda with containers or Docker Swarm, where you don’t have, generally speaking, access to the underlying host to install something like an agent or a webhook-like mechanism, then Deepfactor gives you the option to incorporate a simple file, libdf.so, into the container image itself. So you simply do a docker build with that option, and that allows you to create a container image that has libdf.so in it, which… And you can turn the Deepfactor capability on or off at runtime using an environment variable. This allows you to support a wide variety of container options. But let’s say you don’t have a containerized application; you have a traditional non-containerized application, Java, myapp.jar. You can use the DFCTL command line tool to run that as well. So you simply do a DFCTL run myapp.jar, and that’ll get you to instrument a non-containerized application. So this is how you get started.
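As an added example that is not part of the video and is not Deepfactor's own code: the scan step described above emits a CycloneDX bill of materials with vulnerabilities and licenses, and the transcript mentions gating builds on that output but shows no policy syntax. The script below is a minimal, generic CI build gate over such a document. It does not use or model the DFCTL tool's real policy engine or flags; it only assumes a CycloneDX 1.4+ JSON file with top-level `components` and `vulnerabilities` arrays, and the sample SBOM, component names and vulnerability IDs embedded in it are constructed placeholders.

```python
"""CI build gate over a CycloneDX SBOM: block on severe vulnerabilities or denied licenses.

Added example; not Deepfactor code and not a model of DFCTL's real policy engine.
Assumes only a CycloneDX 1.4+ JSON document with top-level "components" and
"vulnerabilities" arrays (the format any CycloneDX-emitting SCA scanner writes).
"""
import json
import sys

# CycloneDX rating severities, weakest to strongest; list index is the rank.
SEVERITY_ORDER = ["none", "info", "low", "medium", "high", "critical"]

# Constructed sample SBOM (placeholder component names and vulnerability IDs,
# not real scanner output). "logger" deliberately declares no license at all.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/example/web@1.0.0", "name": "web", "version": "1.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:maven/example/parser@2.3.1", "name": "parser", "version": "2.3.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:maven/example/logger@0.9.0", "name": "logger", "version": "0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "critical", "score": 9.8}],
         "affects": [{"ref": "pkg:maven/example/parser@2.3.1"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "low", "score": 3.1}],
         "affects": [{"ref": "pkg:maven/example/logger@0.9.0"}]},
        # Two ratings from different sources: the gate must take the worst one.
        {"id": "EXAMPLE-0003", "ratings": [{"severity": "high"}, {"severity": "medium"}],
         "affects": [{"ref": "pkg:maven/example/web@1.0.0"}]},
    ],
})


def component_licenses(component):
    """SPDX ids, free-text names or expressions declared on a component; ["UNKNOWN"] if none."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression") or "UNKNOWN")
    return ids or ["UNKNOWN"]


def worst_severity(vuln):
    """Strongest severity across a vulnerability's ratings, or "unknown" if unrated."""
    best = -1
    for rating in vuln.get("ratings", []):
        sev = str(rating.get("severity", "")).lower()
        if sev in SEVERITY_ORDER:
            best = max(best, SEVERITY_ORDER.index(sev))
    return SEVERITY_ORDER[best] if best >= 0 else "unknown"


def evaluate_policy(bom_json, fail_at="high",
                    denied_licenses=("GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"),
                    fail_on_unknown=True):
    """Return {"pass": bool, "violations": [...]} for the given policy.

    fail_at: lowest severity that blocks the build.
    fail_on_unknown: fail closed on unrated vulnerabilities and on components with no
        license data, so a scanner that omits fields cannot silently pass the gate.
    """
    bom = json.loads(bom_json)
    threshold = SEVERITY_ORDER.index(fail_at)
    by_ref = {c.get("bom-ref"): c for c in bom.get("components", [])}
    violations = []
    for vuln in bom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        blocking = fail_on_unknown if sev == "unknown" else SEVERITY_ORDER.index(sev) >= threshold
        if blocking:
            refs = [a.get("ref") for a in vuln.get("affects", [])]
            violations.append({"kind": "vulnerability", "id": vuln.get("id"), "severity": sev,
                               "components": [by_ref.get(r, {}).get("name", r) for r in refs]})
    for comp in by_ref.values():
        for lic in component_licenses(comp):
            if lic in denied_licenses or (lic == "UNKNOWN" and fail_on_unknown):
                violations.append({"kind": "license", "component": comp.get("name"), "license": lic})
    return {"pass": not violations, "violations": violations}


def gate_exit_code(bom_json, **policy):
    """Exit status for a CI step: 0 lets the pipeline continue, 1 stops it."""
    result = evaluate_policy(bom_json, **policy)
    for v in result["violations"]:
        print("BLOCK:", json.dumps(v))
    return 0 if result["pass"] else 1


if __name__ == "__main__":
    # Pass a CycloneDX JSON path as argv[1]; with no argument the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    sys.exit(gate_exit_code(data))
```

Two design points matter for a gate like this. It takes the worst of several ratings rather than the first, because an SBOM enriched from more than one vulnerability source often carries conflicting scores. And it fails closed on missing data (an unrated finding, a component with no license entry) by default, since a gate that treats absence as "fine" can be bypassed by whatever the scanner happened not to record.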