https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/Recent content in Working with Container Image Scanners onHugo -- gohugo.ioenCopyright (c) 2023 ChainguardMon, 17 Jun 2024 08:49:15 +0000https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/false-results/Thu, 14 Sep 2023 16:59:04 +0000https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/false-results/<p>A <em>vulnerability scanner</em> is a tool that analyzes your software components and reports any <a href="https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/software-security/cves/cve-intro/">CVEs</a> it finds. Using a vulnerability scanner to find CVEs that impact your system is a critical step in <a href="https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/software-security/cves/cve-remediation/">software vulnerability remediation</a>, but as you begin to triage scanner-reported vulnerabilities, you may find that your scanner&rsquo;s results are not perfectly accurate.</p> <p>The goal of a vulnerability scanner is to identify the vulnerabilities that impact your container images, which can be considered <em>true positive vulnerabilities</em>. Sometimes, a scanner surfaces CVEs which are not actually impacting your images, which are called <em>false positive vulnerabilities</em>. Your scanner may even miss some vulnerabilities that are impacting you, termed <em>false negative vulnerabilities</em>.</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/grype-tutorial/Thu, 06 Jun 2024 20:00:00 +0200https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/grype-tutorial/<p><a href="https://github.com/anchore/grype">Grype</a> is a vulnerability scanner for container images and filesystems developed and maintained by <a href="https://anchore.com/">Anchore</a> and written in the Go programming language. Grype can scan from Docker, OCI, Singularity, podman, image archives, and local directory. Grype is compatible with SBOMs generated by <a href="https://github.com/anchore/syft">Syft</a>, and Grype&rsquo;s <a href="https://github.com/anchore/grype-db">vulnerability database</a> draws from a wide variety of sources.</p> <p>Grype is appropriate for one-off detection for manual CVE mitigation and in automated use in CI pipelines. Chainguard maintains a <a href="https://images.chainguard.dev/directory/image/grype/overview?utm_source=cg-academy&amp;utm_medium=referral&amp;utm_campaign=dev-enablement&amp;utm_content=edu-content-chainguard-chainguard-images-working-with-images-scanners-grype-tutorial">low-to-no CVE Chainguard Image for Grype</a> based on our lightweight Wolfi distribution.</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/Wed, 03 Jul 2024 20:00:00 +0200https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/<p><a href="https://github.com/aquasecurity/trivy">Trivy</a> is a vulnerability scanner for a wide variety of software artifacts and deployments. Trivy is written in the Go programming language and is maintained by <a href="https://www.aquasec.com/">Aqua Security</a>. Trivy targets container images, VMs, filesystems, remote GitHub repositories, and Kubernetes and Amazon Web Services deployments. The tool can be used to detect known vulnerabilities (CVEs), generate SBOMs, analyze licenses, and scan for misconfigurations and exposed secrets. Trivy can be installed from <a href="https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/#package-managers">package managers</a> or as a <a href="https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/#binary-installation">binary</a>, and can also be run as a <a href="https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/#container-image">container image</a>.</p>