
Container Scanning

ℹ️ DevGuard performs continuous container scanning to identify vulnerabilities in your project’s container images after your first scan (based on the SBOM).

Handling Found Flaws: Practical Steps for Mitigation

When DevGuard’s container scanning detects vulnerabilities, such as the example provided below, it’s essential to address them promptly to maintain security and compliance. Here’s a step-by-step guide to manage identified flaws.

Example Flaw
# CVE-2022-41903
 
Git is distributed revision control system. git log can display commits in an arbitrary...
 
## Affected component
 
The vulnerability is in `pkg:deb/debian/git@2.39.5-0+deb12u1`, detected by the `container-scanning` scan.
 
## Recommended fix
 
Upgrade to version 1:2.39.1-0.1 or later.

Where to Look

The Dockerfile of the container is typically the starting point for analysis. This file defines the container’s base image and specifies instructions for building the containerized application. Vulnerabilities often originate from the base image or additional packages installed during the build. Your dependencies will be checked in the “Software Composition Analysis” (SCA) step.

Steps to Fix

Check the Base Image

Examine the base image specified in the Dockerfile. For example:
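The `FROM` lines are what to look at: each one names an image that is pulled at build time, and a tag alone (for example `debian:bookworm-slim`) can silently resolve to a different image tomorrow, while a `@sha256:` digest does not. As an added example that is not part of the DevGuard documentation, the following POSIX shell script extracts the `FROM` lines from a Dockerfile, resolves stage aliases so that `FROM build` in a multi-stage build is not mistaken for a pulled image, and reports which base images are pinned to a digest. It assumes only `awk` and `grep`; the Dockerfile text it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example (not DevGuard's code): list the base images a Dockerfile pulls
# and flag any that are not pinned to a digest. Stage names defined with
# "AS <name>" are remembered so that "FROM <name>" is not reported as an image.

# Constructed sample Dockerfile, embedded so the script runs offline.
SAMPLE_DOCKERFILE='FROM --platform=linux/amd64 golang:1.23.3@sha256:73f06be4578c9987ce560087e2e2ea6485fb605e3910542cadd8fa09fc5f3e31 AS build
WORKDIR /go/src/app
FROM debian:bookworm-slim AS tools
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /go/bin/app /
'

# base_images <dockerfile-text>: prints one line per external base image,
# "<image> pinned" if it carries an @sha256: digest, "<image> unpinned" otherwise.
base_images() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" {
            i = 2
            # skip flags such as --platform=... that may precede the image
            while (substr($i, 1, 2) == "--") i++
            img = $i
            # remember stage aliases: FROM <img> AS <name>
            if (toupper($(i+1)) == "AS") stages[$(i+2)] = 1
            # a reference to an earlier stage is not a pulled image
            if (img in stages) next
            print img, (index(img, "@sha256:") > 0 ? "pinned" : "unpinned")
        }'
}

# unpinned_count <dockerfile-text>: number of base images without a digest.
unpinned_count() {
    base_images "$1" | grep -c ' unpinned$' || true
}

base_images "$SAMPLE_DOCKERFILE"
echo "unpinned base images: $(unpinned_count "$SAMPLE_DOCKERFILE")"
```

Run it against the Dockerfile of the image DevGuard flagged: every `unpinned` line is an image whose contents can change between builds, so a rebuild may pick up a different package set than the one the scan reported on. Pinning to a digest (as the multi-stage example further down this page does) makes the scanned image and the deployed image the same artifact.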

Update the Base Image or Switch to Distroless

If the base image contains the vulnerability and a direct update is possible:

  • Update the base image: Replace the current base image with a patched version.

If the base image cannot be updated or you’re looking to minimize attack surface:

  • Switch to a distroless base image: Use distroless images, which contain only the runtime essentials, reducing potential vulnerabilities.

Example multi-stage, distroless build:

Dockerfile
# Step 1 - Build the application
FROM golang:1.23.3@sha256:73f06be4578c9987ce560087e2e2ea6485fb605e3910542cadd8fa09fc5f3e31 as build
WORKDIR /go/src/app
COPY . .
RUN go mod download
RUN CGO_ENABLED=0 go build -o /go/bin/app /go/src/app/cmd/scanner
 
# Step 2 - Create the final image
FROM gcr.io/distroless/static-debian12:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea
USER 53111
COPY --from=build /go/bin/app /
EXPOSE 8080
 
CMD ["/app"]

Manually Update Vulnerable Packages

If reproducibility is not a strict requirement, or the base image cannot be updated, use the package manager during the build to patch the specific vulnerability. Example for Debian-based containers:

Dockerfile
RUN apt-get update && apt-get install --only-upgrade git -y

Disclaimer: This approach may hinder reproducibility, as future builds may result in different package versions if repositories change.
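Because the upgrade pulls whatever the repository serves at build time, it is worth verifying afterwards that the version DevGuard flagged is actually gone from the rebuilt image. The following POSIX shell script is an added example and not part of the DevGuard documentation: it takes the purl from the finding (`pkg:deb/debian/git@2.39.5-0+deb12u1` above), looks the package up in a dpkg status database copied out of the image (for instance with `docker cp <container>:/var/lib/dpkg/status .`, which is an assumed workflow), and reports whether the flagged version is still installed. The status excerpt it reads is constructed, including its version numbers; Debian epochs such as `1:` are stripped before comparing, because a purl may omit them while dpkg reports them.

```shell
#!/bin/sh
# Added example (not DevGuard's code): after "apt-get install --only-upgrade",
# confirm that the package version named in the finding is no longer the one
# the image contains. Inputs are the finding's purl and the image's dpkg status
# database; a constructed excerpt is embedded here so the script runs offline.

# Constructed excerpt of /var/lib/dpkg/status from a rebuilt image.
SAMPLE_DPKG_STATUS='Package: git
Status: install ok installed
Version: 1:2.39.5-0+deb12u2
Architecture: amd64

Package: libc6
Status: install ok installed
Version: 2.36-9+deb12u9
'

# purl_name / purl_version: split "pkg:deb/debian/git@2.39.5-0+deb12u1"
# into the package name ("git") and its version ("2.39.5-0+deb12u1").
purl_name() { printf '%s\n' "${1%@*}" | sed 's#.*/##'; }
purl_version() { printf '%s\n' "${1#*@}"; }

# strip_epoch: drop a leading Debian epoch such as "1:" so that a purl
# without an epoch and a dpkg version with one compare on the same footing.
strip_epoch() { printf '%s\n' "${1#*:}"; }

# installed_version <status-text> <package>: the Version field of the stanza
# whose Package field matches, or an empty string if it is not installed.
installed_version() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        $1 == "Package:" { cur = $2 }
        $1 == "Version:" && cur == pkg { print $2; exit }'
}

# flagged_version_present <status-text> <purl>: true (exit 0) when the image
# still contains exactly the version named in the finding.
flagged_version_present() {
    inst=$(installed_version "$1" "$(purl_name "$2")")
    [ -n "$inst" ] && [ "$(strip_epoch "$inst")" = "$(strip_epoch "$(purl_version "$2")")" ]
}

FINDING='pkg:deb/debian/git@2.39.5-0+deb12u1'
if flagged_version_present "$SAMPLE_DPKG_STATUS" "$FINDING"; then
    echo "still present: $(purl_name "$FINDING") $(installed_version "$SAMPLE_DPKG_STATUS" git)"
else
    echo "ok: $(purl_name "$FINDING") is now $(installed_version "$SAMPLE_DPKG_STATUS" git)"
fi
```

The check is deliberately an equality test against the flagged version rather than a "fixed or later" comparison: Debian version ordering (epochs, `~` suffixes, `+deb12u` revisions) is best left to `dpkg --compare-versions` inside the image, and the purpose here is only to catch a rebuild that silently kept the old package, for example because the build cache served the layer before the `apt-get` step.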

Alternative Measures

If none of the above fixes are feasible:

  • Risk Acceptance: Temporarily accept the risk using DevGuard’s risk management feature.

    • Document the accepted risk by providing a justification. Use the UI or slash commands in the issue.
    • Set a reminder for future review; DevGuard will automatically notify you after a predefined period.
  • Avoidance: Disable the risky functionality or service.