Context: This is used to share my TOC of a new best practice so I can solicit feedback and ideas before start writing. From my experience, this makes the writing experience much easier and shorter. And fun.
Title: Scan all docker image layers for vulnerabilities
Thoughts? improvement? Help me to make it better
This is definitely a good recommendation, but there are different approaches on how to solve this:
The benefit of the last one is that you can implement and replace without touching the source code. And that you can use several tools at the same time. The downside is that is not part of the build itself, you need to set a specific task as part of the build/deploy process.
Be aware that there are some tools that allow you to reduce Docker images like distroless. As this tools remove all that is non essential, they will destroy every shred of possible usable information to detect a CVE.
@gonrial You just made this bullet much better, I'm updating the TOC.
My thoughts:
A build-time scanner (Microscanner) is an inferior option. Why:
Question - Any features we want to emphasize besides OS-level CVE, code CVE, secrets leak? Are you familiar with some famous OS-level CVE?
Thoughts?
p.s. If you want to right this bullet, be my guest...:)
Closing as the matching PR is merged #718
Most helpful comment
This is definitely a good recommendation, but there are different approaches on how to solve this:
The benefit of the last one is that you can implement and replace without touching the source code. And that you can use several tools at the same time. The downside is that is not part of the build itself, you need to set a specific task as part of the build/deploy process.
Be aware that there are some tools that allow you to reduce Docker images like distroless. As this tools remove all that is non essential, they will destroy every shred of possible usable information to detect a CVE.