Concepts

Vulnerability Scanning

Automated process of identifying known vulnerabilities in code, dependencies, containers, and infrastructure before they reach production.

Tags: seed, vulnerability, scanning, security, sast, sca, trivy

What it is

Vulnerability scanning automatically identifies known security weaknesses in code, dependencies, and configurations. It's an essential component of DevSecOps.

Scan types

| Type      | What it analyzes           | When            |
| --------- | -------------------------- | --------------- |
| SAST      | Source code                | Pre-commit, CI  |
| SCA       | Dependencies               | CI, scheduled   |
| Container | Docker images              | CI, registry    |
| IaC       | Terraform, CloudFormation  | CI              |
| DAST      | Running application        | Staging, prod   |

Tools

| Category  | What it scans          | Tools                        | Phase       |
| --------- | ---------------------- | ---------------------------- | ----------- |
| SAST      | Source code            | Semgrep, SonarQube, CodeQL   | PR / build  |
| SCA       | Dependencies           | Snyk, Dependabot, Trivy      | PR + daily  |
| Container | Container images       | Trivy, Grype, ECR scanning   | Image build |
| IaC       | Infrastructure as code | Checkov, tfsec, KICS         | PR / plan   |

CI/CD integration

- scan-dependencies: snyk test
- scan-code: semgrep --config auto
- scan-container: trivy image myapp:latest
- gate: fail the build if any critical vulnerabilities are found
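As an added example (not code from the original page or from the Trivy project), the gate step implemented over Trivy's JSON report format (`trivy image --format json`); the report embedded below is constructed and its vulnerability IDs are placeholders. Trivy can enforce this on its own with `--severity CRITICAL --exit-code 1`; writing the gate yourself makes policy choices such as whether unfixable findings block the build explicit and auditable.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output.
# The VulnerabilityID values are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "myapp:latest (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"}]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "somelib",
         "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "HIGH"}]},
    {"Target": "app/Dockerfile", "Class": "config"},  # scanned target, no findings key
]})

def iter_vulns(report):
    """Yield (target, finding) pairs; Results entries may omit 'Vulnerabilities'."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln

def gate(report_json, fail_on=("CRITICAL",), fixable_only=False):
    """Decide whether the pipeline may proceed.

    Returns (passed, blocking, counts): blocking lists the findings that fail
    the gate, counts is the per-severity tally for the job log. With
    fixable_only=True a finding only blocks when a FixedVersion exists, so
    unfixable issues are reported without stalling every build.
    """
    counts = Counter()
    blocking = []
    for target, v in iter_vulns(json.loads(report_json)):
        sev = str(v.get("Severity", "UNKNOWN")).upper()
        counts[sev] += 1
        if sev in fail_on and (not fixable_only or v.get("FixedVersion")):
            blocking.append((target, v.get("VulnerabilityID"), v.get("PkgName"),
                             v.get("FixedVersion") or "no fix available"))
    return not blocking, blocking, dict(counts)

if __name__ == "__main__":
    # CI usage: trivy image --format json -o report.json myapp:latest && python gate.py report.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking, counts = gate(data)
    print("severity counts:", counts)
    for target, vid, pkg, fix in blocking:
        print(f"BLOCKING {vid} in {pkg} ({target}), fix: {fix}")
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```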

Why it matters

Automated vulnerability scanning is the first line of defense against compromised dependencies and insecure container images. Integrated into the CI/CD pipeline, it detects issues before they reach production.

References

  • Trivy — Multi-purpose scanner.
  • Snyk — Security platform.
  • Trivy on GitHub (Aqua Security, 2024). Scanner source code and documentation.