Reworded to be container-centric; running scan at push stage
riverma committed Aug 2, 2024
1 parent 0be593d commit 20ab000
Showing 2 changed files with 37 additions and 9 deletions.
@@ -6,4 +6,5 @@ repos:
description: Scans for dependency vulnerabilities. Fails if CRITICAL vulnerabilities detected.
entry: python -c "import os; import subprocess; import sys; os.environ['GRYPE_DB_AUTO_UPDATE'] = 'false'; result=subprocess.run(['grype', 'dir:.', '--fail-on', 'critical'], capture_output=True); print(result.stdout.decode()); print('CRITICAL level vulnerabilities found. To address issues, run scan via `grype dir:.`, then `git add` followed by `git commit` your fix or ignore via `git commit --no-verify`') if result.returncode != 0 else print('No CRITICAL level vulnerabilities found.'); sys.exit(result.returncode)"
language: system
verbose: true
verbose: true
stages: [pre-push]
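Review bot: the failure message in `entry` still tells the developer to bypass with `git commit --no-verify` and to `git commit` the fix, but the hook now runs in `stages: [pre-push]`, so the bypass would be `git push --no-verify` and a fix has to be committed and then pushed; update the message text to match the new stage. Two smaller points on the same line: `capture_output=True` captures stderr as well, but only `result.stdout` is printed, so Grype's own error output is swallowed on a non-zero exit (this matters here because `GRYPE_DB_AUTO_UPDATE` is forced to `false`, so a missing or stale database is a likely failure mode); print `result.stderr.decode()` too. And `verbose: true` appears twice; if that is really in the file rather than a rendering duplicate, drop the repeated key.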
@@ -2,15 +2,15 @@
import CodeBlock from '@theme/CodeBlock';
import PreCommitConfigSource from '!!raw-loader!./.pre-commit-config.yml';

# Dependency Vulnerability Scanning
# Container Vulnerability Scanning

<pre align="center">A guide to scanning packaged software dependencies and container images for security vulnerabilities both manually and automatically.</pre>
<pre align="center">A guide to scanning containers and container repositories for security vulnerabilities both manually and automatically.</pre>

![banner-image](/img/vulnerability-scanning-screen.png)

## Introduction

**Background**: To maintain the integrity and security of your applications in production environments, it's essential to monitor dependency vulnerabilities. Third-party software dependencies can harbor security vulnerabilities. This guide focuses on utilizing Grype, an open source vulnerability scanner, to proactively detect vulnerabilities in dependencies defined within packages and container images.
**Background**: To maintain the integrity and security of your containers in production environments, it's essential to monitor dependency vulnerabilities. Third-party software dependencies can harbor security vulnerabilities. This guide focuses on utilizing Grype, an open source vulnerability scanner, to proactively detect vulnerabilities in dependencies defined within container images as well as generally within repositories that use package managers.

**Use Cases**:
- Scanning container images for vulnerabilities during the development phase
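Review bot: renaming the H1 from `Dependency Vulnerability Scanning` to `Container Vulnerability Scanning` changes the page title and any heading-derived anchor, so check the sidebar entry and any cross-links from other guides that use the old name. In the new Background sentence, "monitor dependency vulnerabilities" reads oddly right after "security of your containers"; consider "monitor vulnerabilities in the dependencies packaged into them", and "as well as generally within repositories that use package managers" would be clearer as "and in repositories that declare dependencies through a package manager".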
@@ -39,15 +39,31 @@ import PreCommitConfigSource from '!!raw-loader!./.pre-commit-config.yml';
grype dir:.
```

**⬇️ [.pre-commit-config.yml](.pre-commit-config.yml)**
**Run a local scan of a Docker image using Grype**

First, build the Docker image:
```bash
docker build -t my-app:latest .
```

Then, scan the built Docker image:
```bash
grype my-app:latest
```

**⬇️ [Grype Scanning .pre-commit-config.yml](.pre-commit-config.yml)**

Download the file above to access the pre-commit configuration file, which includes an example hook for Grype vulnerability scanning. This file should be placed within your local Git repository after installing the pre-commit framework.

**⬇️ [Grype GitHub Action](https://github.com/marketplace/actions/anchore-container-scan)**

GitHub Action for Grype vulnerability scanning.

---

## Step-by-Step Guide

### Step 1: Setup Automated Local Scanning of Container Vulnerabilities
### Step 1: Scan Locally for Container Vulnerabilities

1. Ensure Grype is installed on your system. You can install Grype from [the official repository](https://github.com/anchore/grype).

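Review bot: the new Docker example scans with `grype my-app:latest` and no `--fail-on`, while the pre-push hook in this same commit uses `--fail-on critical`; for consistency with Step 2, show `grype my-app:latest --fail-on critical` or say explicitly that the bare form only reports and never fails. Also, a bare image reference makes Grype probe the local container runtime and fall back to pulling from a registry; since the text has the reader build the image first, `grype docker:my-app:latest` pins the scan to the locally built image and avoids an unintended pull. Minor: the build-and-scan block here is repeated verbatim in Step 1 below.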
@@ -61,7 +77,19 @@ Download the file above to access the pre-commit configuration file, which inclu
grype dir:.
```

3. If you find vulnerabilities, fix them via your package manager.
3. To scan a Docker image, first build the Docker image:

```bash
docker build -t my-app:latest .
```

4. Then, perform a scan of the built Docker image:

```bash
grype my-app:latest
```

5. If you find vulnerabilities, fix them via your package manager.

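Review bot: step 5 ("fix them via your package manager") now follows the Docker image scan, but for an image most findings come from the base image's OS packages, which the project's own package manager cannot fix; add that the usual remediation for image findings is to rebuild on an updated base image (bump the `FROM` tag) and re-run `grype my-app:latest`. Steps 3 and 4 could also be folded into one step, since the build exists only to feed the scan.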
### Step 2: Setup Automated Local Scanning of Container Vulnerabilities

@@ -81,7 +109,7 @@ The below steps, once enacted, will ensure that any local `git commit` actions t
pre-commit install
```

4. Grype-based vulnerability scanning should run every time a `git commit` is invoked. The commit will be blocked if CRITICAL level vulnerabilities are found and will ask the developer to fix them prior to committing.
4. Grype-based vulnerability scanning should run every time a `git push` is invoked. The push will be blocked if CRITICAL level vulnerabilities are found and will ask the developer to fix them prior to committing. Otherwise a report will be provided for reference.

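Review bot: the context line in this hunk's header still reads "any local `git commit` actions", while step 4 now describes a `git push` hook; update that introductory sentence as well. Within step 4, "fix them prior to committing" should be "prior to pushing" (the commit has already happened when a pre-push hook runs), and "Otherwise a report will be provided for reference" is worth tying to the `verbose: true` setting, which is what makes the hook's output visible when the scan passes.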
### Step 3: Set Up Automated Repository Scanning

@@ -109,7 +137,6 @@ A: Yes, you can incorporate scans into your CI/CD pipeline or utilize other repo
A: Grype relies on free and open software vulnerability databases whereas GitHub's Dependabot may be using proprietary methods. In our testing, we've found some non-overlapping vulnerabilities that are sometimes found in one tool but not the other.
---
## Credits
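Review bot: this hunk removes one line and in the result `A: Grype relies ...` is immediately followed by `---`; in CommonMark and MDX a `---` directly under a paragraph is a setext heading underline, so that FAQ answer would render as a level-2 heading rather than as a thematic break above Credits. If the removed line was the blank line before `---`, restore it.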