Categories
Development

Managing vulnerabilities with Docker images and NuGet packages

I had some Docker containers using the .NET 6 SDK and ASP.NET, and they started reporting security vulnerabilities in the GitHub Action “TwistLockScan”.

It was interesting to see the clear listing of the CVEs (Common Vulnerabilities and Exposures) in the pipeline log of the “TwistLockScan” (now called Prisma Cloud scan) section.

I had to update the .NET 6 image to the latest SDK and the ASP.NET in my Dockerfiles and my critical vulnerabilities were gone.

I had to update the NuGet packages using Visual Studio (I like the simplified interface to view just packages with vulnerabilities) and my moderate vulnerabilities were gone.
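The NuGet side of that procedure can be turned into a pipeline gate rather than a manual check in Visual Studio. The script below is an added example, not code from the original post: it parses the report that `dotnet list package --vulnerable --include-transitive` prints and fails the step when any finding reaches a chosen severity. The `SAMPLE_REPORT` is constructed to mimic the tool's report layout; its package versions and advisory URLs are placeholders.

```shell
#!/usr/bin/env sh
# Added example: gate a CI step on the output of
#   dotnet list package --vulnerable --include-transitive
# SAMPLE_REPORT is CONSTRUCTED to mimic the tool's report layout;
# versions and advisory URLs are placeholders, not real findings.
SAMPLE_REPORT='Project `WebApp` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > System.Text.Json     6.0.0       6.0.0      High       https://github.com/advisories/GHSA-PLACEHOLDER-1

   Transitive Package     Resolved   Severity   Advisory URL
   > Newtonsoft.Json      12.0.1     Moderate   https://github.com/advisories/GHSA-PLACEHOLDER-2'

# count_at_or_above SEVERITY  (report on stdin)
# Prints how many package lines (those starting with ">") carry a severity
# at least as high as SEVERITY. Severity is the column just before the
# advisory URL, i.e. the second-to-last field on a package line.
count_at_or_above() {
  awk -v t="$1" '
    BEGIN { rank["Low"]=1; rank["Moderate"]=2; rank["High"]=3; rank["Critical"]=4; n=0 }
    /^[[:space:]]*>/ { if (rank[$(NF-1)] >= rank[t]) n++ }
    END { print n }'
}

# gate SEVERITY  (report on stdin)
# Returns 1 when any finding meets the threshold, so the pipeline step fails.
gate() {
  found=$(count_at_or_above "$1")
  if [ "$found" -gt 0 ]; then
    echo "FAIL: $found vulnerable package(s) at severity $1 or above" >&2
    return 1
  fi
  echo "OK: no vulnerable packages at severity $1 or above"
  return 0
}

# Real pipeline usage (needs the .NET SDK on the runner):
#   dotnet list package --vulnerable --include-transitive | gate High
```

Run against the constructed sample, `gate High` fails on the one High finding while `gate Critical` passes, which is the behaviour you want before a base-image or package update lands.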

How do you manage your CVEs?

Links:

PaloAltoNetworks/prisma-cloud-scan: GitHub action to scan container images with Palo Alto Networks’ Prisma Cloud

microsoft-dotnet-sdk – Official Image | Docker Hub

microsoft-dotnet-aspnet – Official Image | Docker Hub

How to Scan NuGet Packages for Security Vulnerabilities – The NuGet Blog (microsoft.com)


Technology radar vol. 29 | Tools | Snyk


“Snyk provides both static application security testing (SAST) and software component analysis (SCA) tests to help you find, fix and monitor security issues throughout the software development lifecycle”

Technology radar, Thoughtworks

I like the Technology Radar from Thoughtworks: a group of smart people using technology, creating a stack that they use, and recommending what others could consider.

I attended one such meeting in Munich where they presented it and I was hooked.

Ever since, I have kept an eye on it and asked my software teams to see what is relevant and consider it for their stack.

E.g., if you are a .NET developer, the current Technology Radar talks about the “.NET Minimal API”. More about it in a future post! If you are a Python developer, the current Technology Radar talks about Ruff as a linter, and so on.

I tested Snyk with my public GitHub repositories and the integration was smooth!

I like the way one can decide which accounts (private or organization) and repositories (public or private) one would like to import.

It reminded me of the Code Analysis feature in Visual Studio but much cooler especially when it keeps an eye on the numerous open source dependencies.

For those who are interested in giving it a run:

Open Source Security Management | SCA Tool | Snyk

And for those interested in the Technology radar:

Technology Radar | An opinionated guide to today’s technology landscape | Thoughtworks