Deepfactor Scanner

Table of Contents

Deepfactor can scan software artifacts such as container images and source code to generate software bill of materials (SBOM) and find SCA vulnerabilities. In order to allow scanning at different stages of the SDLC, Deepfactor provides the following different ways of scanning artifacts

  1. Deepfactor CLI (dfctl): Developers can scan their code/container images in the terminal using dfctl. Refer to the following article to understand how to scan artifacts using Deepfactor CLI
    Scanning your artifacts with dfctl
  2. Deepfactor CLI container image: Deepfactor also packages the CLI, dfctl in a container image which can be used in CI/CD pipelines to run scans against your images or file sytems. Refer to the following article to understand how you can use this container image in your CI/CD pipelines
    Integrate Deepfactor scanner in your CI/CD pipelines
  3. Deepfactor K8s scan pod: Deepfactor can deploy one or more scan pods in your K8s cluster which will automatically scan container images used by pods launched in your K8s cluster.

In order for Deepfactor to access and scan container images from private registries, you will need to specify registry credentials. Refer to the following article to understand how to pass registry credentials to Deepfactor scanner.
Scanning images from private registries using Deepfactor

 

Deepfactor Scanner results #

Deepfactor scanner supports the following output formats

  1. CycloneDX compliant SBOM
  2. SPDX compliant SBOM as key value and/or json
  3. Deepfactor json format
  4. Table

You can view the results in above formats in the following ways

  1. On the terminal output if you are using dfctl
  2. As a file stored on disk where the scan is performed
  3. As a CI/CD pipeline output artifact
  4. On the Deepfactor portal UI

The Deepfactor portal UI shows the results of each scan performed and also the history of scans for older versions of the artifacts. This allows you to compare the results across versions of your artifacts.

 

Offline scans #

Under some special circumstances, you may notice an offline tag next to a scan on the Deepfactor portal UI. This implies that Deepfactor had to re-run the scan in an offline mode. During the scan, Deepfactor scanner parses the layers of your image. The scanner looks up a local database to get GAV (groupId, artifactId, version) when it encounters java dependencies whose GAV cannot be found in pom.xml. GAV is required to query vulnerabilities for java packages. If there is an error in parsing or looking up GAV, Deepfactor scanner automatically restarts the scan in offline mode. In this mode, Deepfactor scanner does not lookup the local db for GAV and hence cannot query vulnerabilities for such java packages. Thus, in this mode, although the scanner provides the full SBOM, it will not be able to pull vulnerability information for the set of java packages whose GAV is not found in pom.xml. You will also be able to see the error on the UI when you click the offline tag. Refer to the following article which describes the reason and possible remediation for common error scenarios you may encounter during scans.

Deepfactor scan errors
Note: As mentioned above, Deepfactor automatically detects certain types of errors and restarts the scans in offline mode. This can result in higher scan times and some scans may timeout. In such cases, please increase the scan timeout using the -u option as described in the following article

Scanning your artifacts with dfctl

 

Deepfactor artifacts UI #

The following section describes the UI pages shown on the portal for artifact results.

Artifacts Dashboard #

You can see the artifacts dashboard by navigating to Artifacts from the left sidebar.

 

Artifacts dashboard captures the unique set of artifacts (images, filesystems) scanned along with summary of the last successful scan.

Artifact Name

Deepfactor uses a unique name for each artifact and stores the results of all subsequent scans of the same or different versions of the artifact under that artifact name.

In the case of container images, the artifact name is the image path without the tag.

Example:

For the image, deepfactor.repo:8442/myservice:version1

Artifact name: deepfactor.repo:8442/myservice

Version: version1

Subsequently, if you scan deepfactor.repo:8442/myservice:version2, version2 will be considered another version of the same artifact, deepfactor.repo:8442/myservice:version1

In the case of file system scans, you will need to provide the following details:

  • application name
  • component name
  • component version

Deepfactor use the concatenation of application name and component name as artifact name and the component version as the version of the artifact.

Example:

If you used the following command to scan

dfctl scan -s fs -a “myapp” -c “mycomp” -V “1.0” mydir/service

Artifact name: myapp:mycomp

Artifact version: 1.0

If you would like to see the results of scans of older versions of your artifacts, you can click on the All Versions button

 

Artifact Scan Results #

The results of the scan are shown under multiple tabs on the UI. The following section describes the information shown in the different tabs

Risk

The risk tab gives an overview of the scan results such as policy violations, general information about the artifact and vulnerability summary.

 

Layers

Deepfactor detects the different layers found in your container images and also ties the vulnerabilities to the layer it is found in. This will help your developers identify if the vulnerability is present in the base image or due to a command in the Dockerfile used to generate the image.

 

Vulnerabilities

This tab lists the full list of vulnerabilities found in the container image. Each vulnerability is tied to a resource, resource version and target. If your container image has multiple applications such as a java application, a go binary, a python project etc, Deepfactor will detect them and also tag each vulnerability to the application target within the container.

 

Artifact Information

This tab provides basic information about the scanned artifact including environment variables. Sometimes sensitive information is passed as environment variables which is a bad security practice. Please ensure you remove any sensitive information from environment variables.

 

Alerts

While scanning the artifact, you can specify the policy. This tab lists all violations of policy rules.

 

Workloads

This tab lists all of the running components that use the same artifact. This gives you visibility in the usage of a particular artifact (container image/source) in your deployed applications.

 

SBOM

This tab lists all resources (OS packages and dependencies) detected in your artifact along with any vulnerabilities and alerts associated with them.

 

Scan History

This tab shows a list of scans that were performed in the past for a given artifact version.

Was this article helpful?

Powered by BetterDocs

Deepfactor Icon

Deepfactor is a developer security platform that enables engineering teams to quickly discover and resolve security vulnerabilities, supply chain risks, and compliance violations early in development and testing.

Product Pricing Resources Company Documentation Login Request a Quote Demo

SUBSCRIBE TO OUR NEWSLETTER!

© 2023 Deepfactor, Inc. All Rights Reserved.

Privacy Policy | Terms of Service | Open Source Disclosure