I had some Docker containers using the .NET 6 SDK and ASP.NET, and they started reporting security vulnerabilities in the GitHub Action “TwistLockScan”.
It was interesting to see the clear listing of the CVEs (Common Vulnerabilities and Exposures) in the pipeline log of the “TwistLockScan” (now called Prisma Cloud scan) section.
I had to update the .NET 6 image to the latest SDK and the ASP.NET in my Dockerfiles and my critical vulnerabilities were gone.
I had to update the NuGet packages using Visual Studio (I like the simplified interface to view just packages with vulnerabilities) and my moderate vulnerabilities were gone.
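The two fixes above (rebuild on the patched base image, then update the vulnerable NuGet packages) are easy to regress, so here is an added example of a CI gate that fails the build when the NuGet report is not clean. It is not code from the original post. It parses the table that `dotnet list package --vulnerable --include-transitive` prints (the report text below is a constructed sample in that format; the package names and advisory URLs are placeholders), and it inspects the report text rather than relying on the command's exit status, which is assumed not to reflect findings.

```shell
#!/bin/sh
# Added example, not from the original post: gate a CI build on the report
# from `dotnet list package --vulnerable --include-transitive`.

# Count vulnerable package rows (table rows start with ">") whose severity
# is at or above $2 (Low, Moderate, High, Critical). Usage:
#   vulnerable_count "$report" High
vulnerable_count() {
    report=$1
    min=${2:-Low}
    printf '%s\n' "$report" | awk -v min="$min" '
        BEGIN { rank["Low"]=1; rank["Moderate"]=2; rank["High"]=3; rank["Critical"]=4 }
        /^ *>/ {
            # Top-level rows:  > name requested resolved severity url
            # Transitive rows: > name resolved severity url
            # In both layouts the severity is the second-to-last column.
            sev = $(NF-1)
            if (sev in rank && rank[sev] >= rank[min]) n++
        }
        END { print n + 0 }'
}

# Succeeds (exit 0) only when the report has no findings at/above $2.
gate() {
    [ "$(vulnerable_count "$1" "$2")" -eq 0 ]
}

# Constructed sample report with one High top-level and one Moderate
# transitive finding; package names and advisory URLs are placeholders.
SAMPLE_REPORT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `MyApp` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > ExamplePackage.A     1.2.0       1.2.0      High       https://example.invalid/advisory/1

   Transitive Package     Resolved   Severity   Advisory URL
   > ExamplePackage.B     4.0.1      Moderate   https://example.invalid/advisory/2
'

# Constructed sample of the message printed when nothing is vulnerable.
CLEAN_REPORT='The given project `MyApp` has no vulnerable packages given the current sources.'

# Real use in a pipeline step (needs the .NET SDK, so not run here):
#   report=$(dotnet list package --vulnerable --include-transitive)
#   gate "$report" Moderate || { printf '%s\n' "$report"; exit 1; }
```

Run the `gate` step after `dotnet restore` so transitive packages are resolved, and rebuild images with `docker build --pull` so the floating `6.0` tags of the SDK and ASP.NET base images pick up the latest patch release instead of a cached older layer.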
How do you manage your CVEs?
Links:
microsoft-dotnet-sdk – Official Image | Docker Hub
microsoft-dotnet-aspnet – Official Image | Docker Hub
How to Scan NuGet Packages for Security Vulnerabilities – The NuGet Blog (microsoft.com)