Table of Contents
Vulnerability scans are critical tools for identifying security weaknesses within a system. These scans enable organizations to detect vulnerabilities early, allowing for timely remediation before they can be exploited by malicious actors. By integrating regular vulnerability scans into the Software Development Life Cycle (SDLC), organizations can ensure that their applications remain secure throughout their development and deployment.
An SBOM is an essential component in software development and security. It provides a comprehensive list of all components, libraries, and dependencies used in software, along with their corresponding versions and license information. The SBOM aids in managing vulnerabilities effectively by offering clear insights into the software components that are susceptible to security threats. By leveraging an SBOM, organizations can streamline the process of tracking, updating, and securing software components, thereby enhancing the overall security posture.
Yara Hunter standard CI/CD ruleset: https://github.com/deepfence/YaraHunter
Malware scans using YARA fit into the SBOM and vulnerability scan workflow by providing an additional layer of security analysis, particularly targeting the identification of malware signatures and patterns within software components.
Syft is a versatile open-source tool developed by Anchore, designed for generating Software Bills of Materials (SBOMs) from container images and filesystems. https://github.com/anchore/syft
Key features:
Multiple Format Support: Syft can generate SBOMs in several formats, including SPDX, CycloneDX, and its native JSON format, catering to different compliance and integration needs.
Comprehensive Analysis: It can scan container images and filesystems to produce detailed SBOMs that include not just software packages but also file metadata and contents, leveraging digests such as SHA-256 and SHA-1 for file verification.
Flexible Cataloging: The tool offers advanced options for cataloging packages within various types of archives, enhancing its ability to discover and document components in both indexed and non-indexed archives.
Configuration and Extensibility: Users can configure Syft to exclude certain types of packages or perform targeted scans based on specific needs, such as excluding synthetic binary packages that overlap with non-synthetic ones.
Integration with Vulnerability Scanners: Syft’s SBOMs can be integrated with tools like Grype, Anchore’s vulnerability scanner, to enable detailed vulnerability assessment based on the components listed in the SBOM.
Remote License Fetching: Syft can retrieve licensing information from remote sources, such as package-lock.json files, helping maintain compliance with open-source licensing.
Grype is a powerful vulnerability scanner for container images and filesystems, developed by Anchore. https://github.com/anchore/grype
Key features:
Broad Compatibility: Grype can scan a variety of Linux distributions, including Alpine, CentOS, Debian, and Ubuntu. It supports multiple package formats such as RPM, DEB, Python packages, Ruby Bundles, NPM/Yarn packages, Java artifacts, and Go modules.
Comprehensive Vulnerability Matching: Utilizes a vulnerability database that aggregates data from multiple sources like Alpine Linux SecDB, Debian CVE Tracker, and the National Vulnerability Database, ensuring broad coverage of known vulnerabilities.
Configurable Severity Levels: Users can configure Grype to fail scans based on the severity of the vulnerabilities found, with options ranging from negligible to critical. This feature allows for flexible integration into CI/CD pipelines, where builds can be failed based on security criteria.
Output Formats: Grype supports multiple output formats, including table, JSON, and SARIF, making it easy to integrate and parse scan results in different systems and tools
Database Management: Grype manages its vulnerability database automatically, checking for updates before each scan to ensure the most up-to-date security data is used. Users can also manually manage the database, configure its update frequency, or operate entirely offline in air-gapped environments.
VEX Support: Grype can interpret Vulnerability Exploitability eXchange (VEX) documents to better understand the context of vulnerabilities, adjusting its reporting based on these inputs.
Malware research and classification tool: https://virustotal.github.io/yara/
Build New Container Image
SBOM Generation with Syft
Vulnerability Scan with Gype
Generating an SBOM for our Docker image
Malware Scan with Yara
Publish Container Image and SDLC metadata as OCI Artifacts
ORAS OCI Client: https://github.com/oras-project/oras
# ORAS OCI CLI Installation
$ VERSION="1.1.0"
$ curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
$ mkdir -p oras-install/
$ tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
$ sudo mv oras-install/oras /usr/local/bin/
$ rm -rf oras_${VERSION}_*.tar.gz oras-install/
#Install Syft
$ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Install Grype
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
$ curl -O https://secure.eicar.org/eicar.com.txt
$ docker run -d –restart=always -p “127.0.0.1:5000:5000” –name reg registry:2
$ cat <WORKDIR /app
COPY ./eicar.com.txt /app EOF
$ docker build -f Dockerfile -t localhost:5000/alpine1:0.1 .
$ docker push localhost:5000/alpine1:0.1
$ docker sbom –format spdx-json –output sbom.txt localhost:5000/alpine1:0.1
$ docker sbom –format spdx-json localhost:5000/alpine1:0.1 | /usr/local/bin/grype > vuln-scan.txt
$ docker run -i –rm –name=deepfence-yarahunter -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/home/deepfence/output deepfenceio/deepfence_malware_scanner_ce:2.0.0 –image-name localhost:5000/alpine1:0.1 –output=json > malware-scan.json
$ oras attach localhost:5000/alpine-prod:0.1 sbom.txt –artifact-type example/sbom
$ oras attach localhost:5000/alpine-prod:0.1 vuln-scan.txt –artifact-type example/doc
$ oras attach localhost:5000/alpine-prod:0.1 malware-scan.json –artifact-type example/doc
$ oras discover localhost:5000/alpine-prod:0.1 -o tree
By incorporating YARA scans into the SBOM and vulnerability scanning workflow, organizations can achieve a more comprehensive security assessment, protecting against both known vulnerabilities and potential malware threats embedded within their software supply chain. This multi-layered approach is crucial for maintaining the integrity and security of software applications in today’s threat landscape.
Makefile (Jenkins / Gitlab / Actions) Example:
REG_URL := “kurtisvelarde.com:5000” NAME := “alpine-eicar” VERSION := “0.1”
build: ## Docker Build @docker build . -t $(REG_URL)/$(NAME):$(VERSION)
push: ## Push to local registry @docker push $(REG_URL)/$(NAME):$(VERSION)
sign: ## Sign with build key @cosign sign –key ~/.sigstore/cosign.key kurtisvelarde.com:5000/alpine-eicar:0.1
verify: ## Cosign verify @cosign verify –key https://kurtisvelarde.com/build/cosign.pub kurtisvelarde.com:5000/alpine-eicar:0.1 cve-scan: @docker scout cves
trivy-scan: ## SAST Scan for High and Critical CVEs @trivy image –severity HIGH,CRITICAL $(REG_URL)/$(NAME):$(VERSION)
create-sbomb: ## Generate spdk (LinuxFoundation) @syft kurtisvelarde.com:5000/alpine-eicar:0.1 -o spdx > latest.spdx
attach-sbom: ## Attach sbom to image @cosign attach sbom –sbom latest.spdx kurtisvelar^C.com:5000/alpine-eicar:0.1 sign-sbom: ## Sign sbom with cosign key @cosign sign –key ~/.sigstore/cosign.key kurtisvelarde.com:5000/alpine-eicar:sha256-eda1dbd3ea70923db4482a669331cee9844ff82ca7915ed292001542357c8a7d.sbom
verify-sbom: ## Verify @ cosign verify –key https://kurtisvelarde.com/build/cosign.pub kurtisvelarde.com:5000/alpine-eicar:sha256-eda1dbd3ea70923db4482a669331cee9844ff82ca7915ed292001542357c8a7d.sbom test: ## Push to local registry docker run -it 127.0.0.1:5000/myimage:0.1 /bin/sh -c “uptime”
help: @grep -E ‘^[a-zA-Z_-]+:.?## .$$’ $(MAKEFILE_LIST) | sort | awk ‘BEGIN {FS = “:.*?## “}; {printf “\033[36m%-30s\033[0m %s\n”, $$1, $$2}’