Deepfactor can scan software artifacts such as container images and source code to generate a software bill of materials (SBOM) and find SCA (software composition analysis) vulnerabilities. To allow scanning at different stages of the SDLC, Deepfactor provides the following ways of scanning artifacts:
- Deepfactor CLI (dfctl): Developers can scan their code or container images in the terminal using dfctl. Refer to the following article to understand how to scan artifacts using the Deepfactor CLI:
Scanning your artifacts with dfctl
- Deepfactor CLI container image: Deepfactor also packages the CLI, dfctl, in a container image that can be used in CI/CD pipelines to run scans against your images or file systems. Refer to the following article to understand how you can use this container image in your CI/CD pipelines:
Integrate Deepfactor scanner in your CI/CD pipelines
- Deepfactor K8s scan pod: Deepfactor can deploy one or more scan pods in your K8s cluster that automatically scan the container images used by pods launched in that cluster.
In order for Deepfactor to access and scan container images from private registries, you will need to specify registry credentials. Refer to the following article to understand how to pass registry credentials to Deepfactor scanner.
Scanning images from private registries using Deepfactor
Deepfactor Scanner data sources #
Deepfactor regularly pulls vulnerability feeds from the following data sources.
Data sources for OS package vulnerabilities #
| Distribution | Data source |
| --- | --- |
| Arch Linux | Vulnerable Issues |
| Amazon Linux | Amazon Linux Security Center |
| Debian | Security Bug Tracker |
| Ubuntu | Ubuntu CVE Tracker |
| AlmaLinux | AlmaLinux Product Errata |
| Rocky Linux | Rocky Linux UpdateInfo |
| Photon OS | Photon Security Advisory |
Data sources for language-specific dependency vulnerabilities #
Deepfactor Scanner results #
Deepfactor scanner supports the following output formats:
- CycloneDX-compliant SBOM
- SPDX-compliant SBOM as key-value and/or JSON
- Deepfactor JSON format
You can view the results in the above formats in the following ways:
- On the terminal output if you are using dfctl
- As a file stored on disk where the scan is performed
- As a CI/CD pipeline output artifact
- On the Deepfactor portal UI
The Deepfactor portal UI shows the results of each scan performed and also the history of scans for older versions of the artifacts. This allows you to compare the results across versions of your artifacts.
Offline scans #
Deepfactor scan errors
Note: As mentioned above, Deepfactor automatically detects certain types of errors and restarts the scans in offline mode. This can result in longer scan times, and some scans may time out. In such cases, increase the scan timeout using the -u option as described in the following article.
Deepfactor’s correlation capabilities #
Deepfactor can scan your artifacts (container images / file system directories) to generate an SBOM and find SCA vulnerabilities. Deepfactor can also observe running containers and non-containerized applications to detect runtime risks. The unique capability Deepfactor provides is that it can correlate the results of the scan and the runtime observation, so that you get:
- A unified view of your application’s security posture
- Additional information so you can prioritize which vulnerabilities to fix earlier than others.
You can read more about Deepfactor’s correlation capabilities here.
Deepfactor artifacts UI #
The following section describes the UI pages shown on the portal for artifact results.
Artifacts Dashboard #
You can see the artifacts dashboard by navigating to Artifacts from the left sidebar.
The Artifacts dashboard captures the unique set of artifacts (images, filesystems) scanned, along with a summary of the last successful scan of each.
Deepfactor uses a unique name for each artifact and stores the results of all subsequent scans of the same or different versions of the artifact under that artifact name.
In the case of container images, the artifact name is the image path without the tag.
For the image deepfactor.repo:8442/myservice:version1:
Artifact name: deepfactor.repo:8442/myservice
If you subsequently scan deepfactor.repo:8442/myservice:version2, version2 is treated as another version of the same artifact as deepfactor.repo:8442/myservice:version1.
In the case of file system scans, you will need to provide the following details:
- application name
- component name
- component version
Deepfactor uses the concatenation of the application name and the component name as the artifact name, and the component version as the version of the artifact.
If you used the following command to scan:
dfctl scan -s fs -a "myapp" -c "mycomp" -V "1.0" mydir/service
Artifact name: myapp:mycomp
Artifact version: 1.0
If you would like to see the results of scans of older versions of your artifacts, click the All Versions button.
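The naming rules above, applied in code. This is an added example, not Deepfactor's own implementation: it derives the artifact name and version from an image reference (keeping a registry port such as :8442 out of the tag) or from the -a/-c/-V values of a file system scan, then groups a constructed scan history per artifact the way the dashboard does. The handling of untagged images is an assumption, marked in the code.

```python
"""Derive artifact names and versions as described above (added example,
not Deepfactor's own code). Image: path without the tag. File system
scan: application:component with the component version."""


def image_artifact(image_ref: str) -> tuple[str, str]:
    """Return (artifact name, version) for a container image reference.

    Only a ':' in the final path segment separates a tag, so the port in
    a registry such as deepfactor.repo:8442 stays in the artifact name.
    Assumption (not stated on the page): an untagged reference is
    treated as the conventional 'latest' tag.
    """
    head, sep, last = image_ref.rpartition("/")
    if ":" in last:
        repo, tag = last.rsplit(":", 1)
        return head + sep + repo, tag
    return image_ref, "latest"


def fs_artifact(app: str, component: str, version: str) -> tuple[str, str]:
    """Return (artifact name, version) for a file system scan (-a, -c, -V)."""
    return f"{app}:{component}", version


def build_dashboard(scans: list[dict]) -> dict:
    """Group scans (given in chronological order) by artifact name,
    keeping the versions seen and the last successful scan, as the
    Artifacts dashboard does."""
    dashboard: dict = {}
    for scan in scans:
        if scan["kind"] == "image":
            name, version = image_artifact(scan["ref"])
        else:
            name, version = fs_artifact(scan["app"], scan["component"], scan["version"])
        entry = dashboard.setdefault(name, {"versions": [], "last_success": None})
        if version not in entry["versions"]:
            entry["versions"].append(version)
        if scan["status"] == "success":
            entry["last_success"] = {"version": version, "critical": scan["critical"]}
    return dashboard


# Constructed sample scan history, not real Deepfactor output.
SAMPLE_SCANS = [
    {"kind": "image", "ref": "deepfactor.repo:8442/myservice:version1", "status": "success", "critical": 3},
    {"kind": "fs", "app": "myapp", "component": "mycomp", "version": "1.0", "status": "success", "critical": 0},
    {"kind": "image", "ref": "deepfactor.repo:8442/myservice:version2", "status": "failed", "critical": None},
    {"kind": "image", "ref": "deepfactor.repo:8442/myservice:version2", "status": "success", "critical": 1},
]
```

Running build_dashboard(SAMPLE_SCANS) yields one entry for deepfactor.repo:8442/myservice with versions version1 and version2 (the failed version2 scan is recorded as a version but does not replace the last successful scan until the retry succeeds) and one for myapp:mycomp.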
Artifact Scan Results #
The results of the scan are shown under multiple tabs on the UI. The following section describes the information shown in each tab.
The Risk tab gives an overview of the scan results, such as policy violations, general information about the artifact and a vulnerability summary.
Deepfactor detects the layers in your container images and ties each vulnerability to the layer in which it is found. This helps your developers identify whether a vulnerability comes from the base image or from a command in the Dockerfile used to build the image.
This tab lists all vulnerabilities found in the container image. Each vulnerability is tied to a resource, a resource version and a target. If your container image contains multiple applications, such as a Java application, a Go binary and a Python project, Deepfactor detects them and tags each vulnerability with the application target within the container.
This tab provides basic information about the scanned artifact, including environment variables. Sensitive information is sometimes passed as environment variables, which is a bad security practice: anyone who can inspect the image configuration can read them. Make sure you remove any sensitive information from environment variables.
When scanning an artifact, you can specify a policy. This tab lists all violations of that policy's rules.
This tab lists all running components that use the same artifact. This gives you visibility into the usage of a particular artifact (container image/source) in your deployed applications.
This tab lists all resources (OS packages and dependencies) detected in your artifact along with any vulnerabilities and alerts associated with them.
This tab shows a list of scans that were performed in the past for a given artifact version.