March 21, 2023

Deepfactor 3.2 Adds SBOM and Runtime Correlation for SCA To Help Customers Improve Supply Chain Security


On-Demand Webinar: Integrating SBOMs Into Your SDLC By June Executive Order Deadline

Including panelists from Cisco and VMware.

Watch Now >

With the June 2023 Supply Chain Security executive order looming, Deepfactor 3.2 introduces important SCA, SBOM, and runtime security enhancements designed to help customers reduce risk, improve supply chain security, and comply with U.S. presidential Executive Order 14028.

Deepfactor Release 3.2 Overview

In addition to detecting security risks at runtime in dev and test environments, Deepfactor Developer Security 3.2 can now scan static artifacts (container images / source code) in the CI/CD pipeline to generate SBOMs, as well as detect SCA vulnerabilities. Deepfactor correlates findings from static scanning and runtime security usage information to provide developers a unified view of their applications’ security posture. This correlated data helps developers prioritize and filter alerts based on the runtime context and behavior of the vulnerable components.

For additional details on the Deepfactor Developer Security 3.2 release, please review the Release Notes in Deepfactor documentation.

Release 3.2 Highlights

New FeaturesEnhancements
  • Creation of SBOMs in CycloneDX and SPDX formats
  • Static scanning of artifacts (containers and code) within the build pipeline to generate SBOMs and vulnerabilities
  • Static scanning of container images when pods are started in K8s clusters to generate SBOMs and vulnerabilities
  • SCA vulnerability alerts
  • Alert when dependencies with unsupported license types (such as GPL) are added to containers/code
Runtime Enriched SCA
Runtime AnalysisPerformance optimization in Deepfactor runtime to reduce CPU consumption during the launch of the instrumented application container
IntegrationsDeepfactor Jira integration now supports additional mandatory field types like user id and version.


Release 3.2 Details

Deepfactor Developer Security 3.2 introduces static scanning of artifacts, which will enable developers to find vulnerabilities in their CI/CD pipelines so they can proactively fix vulnerabilities early in dev and test. The Deepfactor scanner supports a wide range of OS distributions and programming language dependencies as specified in the Deepfactor support matrix.

Deepfactor SBOM Capabilities

Deepfactor Developer Security 3.2 now includes the ability to produce, operationalize, and consume SBOMs at scale as part of the SDLC. Using industry standard CycloneDX and SPDX machine-readable formats, Deepfactor can automatically generate SBOMs when software builds are checked into code repositories. Unlike traditional tools that scan a repository, Deepfactor can automatically groups multiple software components into a complete application SBOM, while also maintaining the ability to view and download SBOMs at a component level. The Deepfactor portal provides a searchable and filterable human-readable interface to help security teams quickly respond to zero-day vulnerabilities, developers to fix vulnerabilities, and customers to verify the supply chain security of their software. This document describes how customers can integrate Deepfactor SCA scanning in CI/CD pipelines.

And to learn more about integrating SBOMs into your CI/CD pipeline to meet the June 2023 Executive Order on security, check out this on-demand webinar.

On-Demand Webinar

Integrating SBOMs into Your SDLC By the Biden Executive Order June Deadline

Watch Now >
SBOM On Demand for Feature

On-Demand Webinar: Integrating SBOMs Into Your SDLC By June Executive Order Deadline

Including panelists from Cisco and VMware.

Watch Now >

Subscribe to our monthly eNewsletter and stay up-to-date on everything Deepfactor has to offer!