With Deepfactor, you can achieve the following goals:
- Scan your artifacts (container images / filesystem) to generate an SBOM and find SCA vulnerabilities
- Observe your running workloads (container instances / non-containerized applications) for runtime risks
- Correlate findings from static artifact scans with those from running workloads
Support matrix for artifact scanning
Deepfactor’s artifact scanner detects both OS packages and language-specific application dependencies during the scan. It then pulls vulnerability information from the multiple data sources listed in the following document:
Deepfactor Scanner data sources
Support matrix for Container Scans
Deepfactor detects official OS packages installed through the distribution's package manager; it does not detect self-compiled packages or binaries. The following table lists the supported distributions.
OS | Supported Versions | Target Packages | Detection of fixed/unfixed vulnerabilities |
---|---|---|---|
Alpine Linux | 2.2 – 2.7, 3.0 – 3.17, edge | Installed by apk | Fixed only |
Wolfi Linux | (n/a) | Installed by apk | Fixed only |
Red Hat Universal Base Image | 7, 8, 9 | Installed by yum/rpm | Fixed and Unfixed |
Red Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | Fixed and Unfixed |
CentOS | 6, 7, 8 | Installed by yum/rpm | Fixed and Unfixed |
AlmaLinux | 8 | Installed by yum/rpm | Fixed only |
Rocky Linux | 8 | Installed by yum/rpm | Fixed only |
Oracle Linux | 5, 6, 7, 8 | Installed by yum/rpm | Fixed only |
CBL-Mariner | 1.0, 2.0 | Installed by yum/rpm | Fixed and Unfixed |
Amazon Linux | 1, 2, 2022 | Installed by yum/rpm | Fixed only |
openSUSE Leap | 42, 15 | Installed by zypper/rpm | Fixed only |
SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | Fixed only |
Photon OS | 1.0, 2.0, 3.0, 4.0 | Installed by tdnf/yum/rpm | Fixed only |
Debian GNU/Linux | wheezy, jessie, stretch, buster, bullseye | Installed by apt/apt-get/dpkg | Fixed and Unfixed |
Ubuntu | All versions supported by Canonical | Installed by apt/apt-get/dpkg | Fixed and Unfixed |
Distroless | Any | Installed by apt/apt-get/dpkg | Fixed and Unfixed |
Support matrix for language-specific dependency detection
Deepfactor can detect language-specific application dependencies in your filesystem and container images. It scans the files present in your artifact, looks for language-specific dependency files such as package-lock.json or Gemfile.lock to gather the list of application dependencies, and then queries the vulnerabilities associated with them from various vulnerability sources.
The following table provides the support matrix for the language-specific dependencies detected by the Deepfactor scanner. The Image and Filesystem columns indicate whether a file type is detected when scanning a container image or a filesystem respectively; the last column indicates whether development-only dependencies are included.
Language | File | Image | Filesystem | Dev dependencies |
---|---|---|---|---|
Ruby | Gemfile.lock | No | Yes | Yes |
Ruby | gemspec | Yes | No | Yes |
Python | Pipfile.lock | No | Yes | No |
Python | poetry.lock | No | Yes | No |
Python | requirements.txt | No | Yes | Yes |
Python | egg package (*.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO) | Yes | No | No |
Python | wheel package (.dist-info/META-DATA) | Yes | No | No |
PHP | composer.lock | No | Yes | No |
PHP | installed.json | Yes | No | No |
Node.js | package-lock.json | No | Yes | No |
Node.js | yarn.lock | No | Yes | Yes |
Node.js | pnpm-lock.yaml | No | Yes | No |
Node.js | package.json | Yes | No | No |
.NET | packages.lock.json | Yes | Yes | Yes |
.NET | packages.config | Yes | Yes | No |
.NET | .deps.json | Yes | Yes | No |
Java | JAR/WAR/PAR/EAR (*.jar, *.war, *.par and *.ear) | Yes | No | Yes |
Java | pom.xml | No | Yes | No |
Java | *gradle.lockfile | No | Yes | No |
Go | Binaries built by Go (UPX-compressed binaries not supported) | Yes | No | No |
Go | go.mod (for Go version 1.17 or older, go.sum is also required) | No | Yes | Yes |
Rust | Cargo.lock | Yes | Yes | Yes |
Rust | Binaries built with cargo-auditable | Yes | No | No |
C/C++ | conan.lock | No | Yes | No |
Elixir | mix.lock | No | Yes | No |
Dart | pubspec.lock | No | Yes | Yes |
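As an added illustration of the dependency-gathering step described above (not Deepfactor's own scanner code), the following script walks a filesystem for the lock file names listed in the table, then extracts name, version and dev-dependency flag from a package-lock.json. The ecosystem labels, the `node_deps` and `find_lockfiles` helpers and the sample lock file are assumptions constructed for this example.

```python
import json
import os
import tempfile

# Lock file names taken from the support matrix, mapped to their ecosystem.
LOCKFILES = {
    "Gemfile.lock": "ruby", "Pipfile.lock": "python", "poetry.lock": "python",
    "requirements.txt": "python", "composer.lock": "php", "pom.xml": "java",
    "package-lock.json": "node", "yarn.lock": "node", "pnpm-lock.yaml": "node",
    "packages.lock.json": "dotnet", "Cargo.lock": "rust", "conan.lock": "cpp",
    "mix.lock": "elixir", "pubspec.lock": "dart"}

def find_lockfiles(root):
    """Walk root and return sorted (ecosystem, path) pairs for recognised lock files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in LOCKFILES:
                found.append((LOCKFILES[name], os.path.join(dirpath, name)))
    return sorted(found)

def node_deps(lock):
    """Return sorted (name, version, is_dev) triples from a parsed package-lock.json
    with lockfileVersion 2 or 3, whose "packages" keys are node_modules paths."""
    deps = []
    for key, meta in lock.get("packages", {}).items():
        if not key:  # the "" entry is the root project itself, not a dependency
            continue
        name = key.rsplit("node_modules/", 1)[-1]  # also handles nested node_modules
        deps.append((name, meta.get("version", ""), bool(meta.get("dev"))))
    return sorted(deps)

# Constructed sample lock file for the demo; not taken from any real project.
SAMPLE_LOCK = {"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/jest": {"version": "29.7.0", "dev": True},
    "node_modules/jest/node_modules/chalk": {"version": "4.1.2", "dev": True},
}}

def demo():
    """Write the sample lock into a temporary tree, discover it, and parse it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "package-lock.json"), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_LOCK, fh)
    ecosystem, path = find_lockfiles(root)[0]
    with open(path, encoding="utf-8") as fh:
        return ecosystem, node_deps(json.load(fh))
```

The dev flag is what lets a scanner honour the "Dev dependencies" column: filtering on it drops packages such as the test runner that never ship in the production image.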
Support matrix for observing running workloads
In addition to scanning artifacts, Deepfactor can also observe running workloads (container instances / non-containerized applications) to detect runtime security risks. While Deepfactor's instrumentation technology is language agnostic and can observe applications written in any programming language, it depends on the OS distribution on which your application is running. The following table lists the OS distributions supported by Deepfactor for observing running workloads.
Supported Operating System | Traditional / Non-Container Deployments | Kubernetes Deployments (works on any Node OS): Pod Image OS | Container Deployments Without Kubernetes (only the Docker container runtime is supported): Container Host OS | Container Deployments Without Kubernetes (only the Docker container runtime is supported): Container Base Image |
---|---|---|---|---|
Ubuntu 18.04 & above | Yes* | Yes* | Yes* | Yes* |
CentOS 7 & above | Yes* | Yes* | Yes* | Yes* |
RedHat 7 & above | Yes | Yes | Yes | Yes |
Pop!_OS 18.04 & above | Yes | Yes | Yes | Yes |
Alpine 3.9 & above | No | Yes | No | Yes |
Debian 10 & above | Yes | Yes | Yes | Yes |
Amazon Linux 1 and 2 | Yes | Yes | Yes | Yes |
Oracle Linux 7.x & 8.x | Yes | Yes | Yes | Yes |
Rocky Linux 8.x | Yes | Yes | Yes | Yes |
Chainguard Distroless images** | Yes | Yes | Yes | Yes |
SUSE SLES 12 SP5 & SUSE SLES 15 SP2 | Tech Preview | Tech Preview | Tech Preview | Tech Preview |
* Validated at Deepfactor
** Tested with Chainguard Wolfi OS, Chainguard Alpine OS, and Chainguard Melange images for Java, Node, Python, Rust, and Ruby. OS package usage is unavailable for distroless images.
Any Linux distribution running glibc version >= 2.17 (or musl >= 1.1.20-r5 for Alpine) is supported by Deepfactor, but telemetry data may be limited if the distribution does not use rpm, dpkg or apk package management (e.g. Arch Linux).
For Kubernetes orchestration deployments
For running Kubernetes workloads with Deepfactor, we provide a mutating admission webhook. The minimum Kubernetes version supported by Deepfactor’s mutating admission webhook is 1.23.
Which OS/platforms/applications are NOT supported by Deepfactor?
- Windows, macOS and Android
- Apps written in statically compiled languages such as Go (Golang)
- Distroless containers
- Serverless functions (containers running on serverless platforms are supported)
Known limitations
Deepfactor sets LD_PRELOAD to inject the Deepfactor runtime into your application. If another tool in your environment already sets LD_PRELOAD, the Deepfactor runtime will not be injected and a warning will be shown in the Deepfactor portal UI.
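The following pre-deployment check is an added example, not part of Deepfactor's product: it flags workloads whose environment already sets LD_PRELOAD so the collision can be resolved before the runtime fails to inject. It parses the `/proc/<pid>/environ` format for processes already running and walks the `env` lists of a Kubernetes pod spec for workloads about to be admitted; the `runtime_marker` string used to recognise the Deepfactor library is an assumed placeholder, and the environ blob and pod spec are constructed samples.

```python
def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def foreign_preloads(env, runtime_marker):
    """Return the LD_PRELOAD entries that do not contain runtime_marker.
    ld.so accepts colon- or space-separated lists; an empty result means no conflict."""
    value = env.get("LD_PRELOAD", "")
    libs = value.replace(":", " ").split()
    return [lib for lib in libs if runtime_marker not in lib]

def check_pod(pod, runtime_marker="deepfactor"):
    """Walk the containers of a Kubernetes pod-spec dict and report
    (container name, foreign libraries) wherever LD_PRELOAD is already set
    by something other than the injected runtime. The default marker is an
    assumed placeholder for the runtime library's name, not a documented value."""
    findings = []
    for container in pod["spec"]["containers"]:
        env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
        foreign = foreign_preloads(env, runtime_marker)
        if foreign:
            findings.append((container["name"], foreign))
    return findings

# Constructed samples: a process environ blob and a two-container pod spec.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/opt/apm/libagent.so\0HOME=/root\0"
SAMPLE_POD = {"spec": {"containers": [
    {"name": "web", "env": [{"name": "PORT", "value": "8080"}]},
    {"name": "worker", "env": [{"name": "LD_PRELOAD",
                                "value": "/opt/apm/libagent.so:/usr/lib/libjemalloc.so"}]},
]}}
```

On a live host, `parse_environ(open(f"/proc/{pid}/environ", "rb").read())` gives the same dict for a running process; values injected through `valueFrom` in a pod spec are not resolved here and would need to be checked at runtime.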