People who maintain #container images in (public) registries should consider using a vulnerability scanner like #trivy
I just scanned some of the containers I get from registries and the situation seems VERY bad. #security
💊Every treatment starts with accepting the diagnosis! Embrace the truth☝️
"You can be the next victim of the Software Supply Chain Attacks" UNLESS...
✍️Sign your software (#cosign)
🔔Do vulnerability scanning (#trivy #grype)
🚨 Protection at runtime (#kyverno #policycontroller)
#Cosign #trivy #grype #kyverno #policycontroller
The following #tool is aimed at anyone looking for more #security for their #software. With #Trivy you can go looking for #security problems in your #code. It is handy to be able to scan #Git repositories for such problems in order to discover security issues in the software you use.
#security #toolsday #git #code #sicherheitsproblemen #trivy #software #sicherheit #tool
It was a full room today at our talk with @itaysk about vulnerability management with #trivy and #OCI at #KubeCon2023 #KubeConEU! Thanks to all who joined us!
#trivy #oci #kubecon2023 #kubeconeu
The demo was a bit too fast, I'll have to dig into the code https://github.com/itaysk/kubeconeu23-oci-vuln
#trivy #regctl #oci #kubeconeu #kubecon
If you ever wonder how #Trivy and #Grype compare, #GitLab did a pretty nice point-in-time comparison: https://gitlab.com/gitlab-org/gitlab/-/issues/327174
#trivy #grype #gitlab #infosec #ContainerSecurity #vulnerabilityscanner
I have now seen several talks about companies using #kyverno to restrict deployments made to production.
They only allow deployments where #trivy or other scanners report a certain low number of vulnerabilities. #sboms are also checked for existence. Sometimes even more restrictions apply.
How do these companies then handle the third-party #docker images they need? For example, some official Python images?
Do they have some kind of automatic mirror of requested applications to fetch them and build the needed things on their own systems?
Or do they just block and tell them “yeah, please wait a few days until we work on that ticket”?
It seems I am confusing or missing something…
#Kyverno #trivy #SBOMs #docker
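As an added illustration of the gate the two posts above describe (sign, scan, protect at runtime; admit only images whose Trivy report stays under a vulnerability budget and that carry an SBOM), here is a small Python policy check that runs over a Trivy JSON report. It is example code written for this page, not code from either poster, from Trivy, or from Kyverno. The report and SBOM are constructed inline in the shape Trivy (`--format json`, SchemaVersion 2) and CycloneDX emit; the image name, package versions and CVE numbers in them are placeholders. The knob worth noticing is `ignore_unfixed`: counting only findings that have a `FixedVersion` (what Trivy's own `--ignore-unfixed` does at scan time) keeps a strict budget workable for third-party base images whose distro packages often carry vulnerabilities nobody has shipped a fix for yet.

```python
"""Admission gate over a Trivy JSON report plus an SBOM presence check.
Added example for this page; not Trivy's, Kyverno's, or any poster's code."""
import json

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample in the shape of `trivy image --format json` output.
# Image name, versions and CVE numbers are placeholders, not real findings.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/python-base:3.11",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example/python-base:3.11 (debian 12.1)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl",
                 "InstalledVersion": "7.88.1-10", "FixedVersion": "7.88.1-10+deb12u1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "openssl",
                 "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "perl",
                 "InstalledVersion": "5.36.0-7", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "tar",
                 "InstalledVersion": "1.34+dfsg-1", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "usr/local/lib/python3.11/site-packages",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0006", "PkgName": "pip",
                 "InstalledVersion": "23.1.2", "FixedVersion": "23.3", "Severity": "HIGH"},
            ],
        },
    ],
}

# Constructed minimal CycloneDX document standing in for the attached SBOM.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{"type": "library", "name": "curl", "version": "7.88.1-10"}],
}


def severity_counts(report, ignore_unfixed=True):
    """Count findings per severity across all Results targets in a Trivy report."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing upstream ships a fix yet; rebuilding would not help
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def sbom_ok(sbom):
    """True when a CycloneDX document with at least one component is present."""
    return bool(sbom) and sbom.get("bomFormat") == "CycloneDX" and bool(sbom.get("components"))


def admission_decision(report, sbom, max_critical=0, max_high=5, ignore_unfixed=True):
    """Return (allowed, reasons, counts) for one image under a fixed budget."""
    reasons = []
    if not sbom_ok(sbom):
        reasons.append("no CycloneDX SBOM with components attached to the image")
    counts = severity_counts(report, ignore_unfixed)
    if counts["CRITICAL"] > max_critical:
        reasons.append(f"{counts['CRITICAL']} CRITICAL findings exceed the limit of {max_critical}")
    if counts["HIGH"] > max_high:
        reasons.append(f"{counts['HIGH']} HIGH findings exceed the limit of {max_high}")
    return (not reasons), reasons, counts


if __name__ == "__main__":
    allowed, reasons, counts = admission_decision(SAMPLE_REPORT, SAMPLE_SBOM)
    print(json.dumps({"allowed": allowed, "reasons": reasons, "counts": counts}, indent=2))
```

With the defaults the sample image is rejected: the fixable CRITICAL in `curl` breaks a budget of zero, while the unfixed `libc6` CRITICAL is not counted at all. Raising `max_critical` to 1, or rebuilding the image so `curl` picks up the fixed version, lets it through; passing `ignore_unfixed=False` is the stricter mode that counts everything. The same policy expressed at scan time is `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 <image>`.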
Does anybody know how to write a Trivy exception in Rego to suppress a specific CloudFormation rule for a specific resource? Kinda new at this.
Trivy users: if you’re suddenly seeing trivy time out when scanning your containers, you’re probably scanning some Java files. Search.maven.org is returning intermittent 504 errors, which leads to trivy timeouts. The fix is to include the --offline-scans option in your trivy call. This will still download the trivy db but not go out to maven for Java files.
(In our case, I didn’t even think we were scanning Java, but a Ruby gem had a jar file deep in its install folder that trivy was scanning.)
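The post above describes a failure mode that is hard to spot because the Java archive that triggers the Maven lookup is buried inside a dependency of another ecosystem. As an added example written for this page (not the poster's code and not part of Trivy), the script below does the two things a practitioner wants here: walk a scan target and list every Java archive Trivy's jar analyzer would pick up, and assemble a `trivy fs` command line that passes Trivy's `--offline-scan` flag (the documented spelling is singular) plus `--skip-files` for the archives found. The directory layout it builds is constructed in a temporary directory, and the gem name `somegem` is hypothetical.

```python
"""Find Java archives hiding in a scan target and build an offline Trivy command.
Added example for this page; not the poster's code and not part of Trivy."""
import tempfile
from pathlib import Path

# Extensions handled by Trivy's Java archive analyzer. For a jar it cannot
# identify locally Trivy can query search.maven.org by hash, which is the
# network call --offline-scan suppresses (the vulnerability DB is still fetched).
JAVA_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".par")


def find_java_archives(root):
    """Return POSIX-style paths, relative to root, of every Java archive below it."""
    root = Path(root)
    hits = [
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in JAVA_ARCHIVE_SUFFIXES
    ]
    return sorted(hits)


def trivy_fs_argv(target, offline=True, skip_files=()):
    """Build argv for `trivy fs`; --offline-scan keeps the DB download but
    skips per-dependency lookups, and --skip-files excludes listed paths."""
    argv = ["trivy", "fs"]
    if offline:
        argv.append("--offline-scan")
    for path in skip_files:
        argv += ["--skip-files", path]
    argv.append(str(target))
    return argv


def build_sample_tree(base):
    """Constructed layout mimicking a Ruby app whose vendored gem ships a jar."""
    files = {
        "Gemfile": b"source 'https://rubygems.org'\n",
        "app/models/user.rb": b"class User; end\n",
        "vendor/bundle/ruby/3.2.0/gems/somegem-1.0.0/lib/somegem.rb": b"module Somegem; end\n",
        # The archive nobody expected in a Ruby project; content is a stub.
        "vendor/bundle/ruby/3.2.0/gems/somegem-1.0.0/ext/java/helper.jar": b"PK\x03\x04stub",
        # Mixed-case extension to show the match is case-insensitive.
        "tmp/build/legacy.WAR": b"PK\x03\x04stub",
    }
    for rel, content in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def scan_sample_tree():
    """Build the constructed tree, locate its archives, and return (archives, argv)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        archives = find_java_archives(tmp)
        argv = trivy_fs_argv(tmp, offline=True, skip_files=archives)
        return archives, argv


if __name__ == "__main__":
    found, cmd = scan_sample_tree()
    print("Java archives found:", *found, sep="\n  ")
    print("Command:", " ".join(cmd))
```

Running it lists `tmp/build/legacy.WAR` and the jar under `vendor/bundle/.../somegem-1.0.0/ext/java/`, then prints a command of the form `trivy fs --offline-scan --skip-files <path> ... <target>`. Listing the archives first is the useful part: it tells you whether to keep skipping them, vendor them deliberately, or drop a dependency that drags in Java code you never intended to ship.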
Early Black Friday deal: #cdxgen (#CycloneDX Generator) 5.0.1 is out now with #SBoM support for:
✅ docker/OCI images with OS packages (Powered by #Trivy)
✅ Rust binary (Powered by Cargo Auditable)
#cdxgen #cyclonedx #SBOM #trivy
Let's learn more about how we can combine these two excellent projects @AquaSecTeam's #Trivy and @projectsigstore tools, to generate and sign #SBOMs 👇 Thanks to @itaysk for sharing such great details with us 🥳
≫ 📸 youtu.be/i_9bV08CTao
≫ 🧵 https://twitter.com/itaysk/status/1588802909327618048
This morning starts with the same problem I had yesterday. A really weird error on #AWS trying to integrate #Trivy with #SecurityHub. According to the documentation it should be very simple -- and it is, except for this #IAM permissions error that is misleading, since I apparently have all possible permissions.
BTW — Is it weird that I feel happier when I spend time fixing technical problems instead of doing things that work first time? 😅
RT @techadvoguy
For those interested in @VMwareTanzu Application Platform (TAP), and custom integration capabilities around image & source code scanners, this is a must-read from the @VRAbbi_IL blog on how one could do this with #Trivy as an example:
https://vrabbi.cloud/post/integrating-trivy-scanner-in-tap/
RT @djerfy@twitter.com
Elasticsearch 8.5.0 was released yesterday, but stay alert nonetheless: CVE-2020-9488 (log4j-core) + CVE-2021-45105 (log4j-api), not present in the previous version (8.4.3). #trivy scan 👍