Security Scanning

Shipa scans images and containers as applications are deployed, performing static vulnerability analysis at the code and container image levels.

Shipa's security capabilities are structured in the following manner:

  • At regular intervals, Shipa ingests vulnerability metadata from a configured set of sources and stores it in its internal database.
  • Containers are indexed by their images: Shipa creates a list of the features present in each image and stores it in the database.
  • Shipa queries its database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
  • When updates to vulnerability metadata occur, a notification is sent to alert systems that a change has occurred.
  • At a pre-set interval, Shipa scrubs container images and indexes. Shipa can send out alerts, reports, or block deployments to Shipa environments if any vulnerabilities are matched to identified software packages in the images.

Through automatic detection of vulnerabilities, Shipa raises awareness of security best practices across developer and operations teams and encourages action to patch and address the vulnerabilities. When new vulnerabilities are announced, Clair knows right away, without rescanning, which existing layers are vulnerable, and notifications are sent.
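
The index-once, correlate-per-request model described above can be sketched as follows. This is an added illustration, not Shipa's or Clair's code; the class, image names, package versions and the advisory ID are constructed, and version comparison is simplified to dotted integers.

```python
"""Added illustration of index-once / correlate-per-request scanning.
All image names, packages, versions and advisory IDs are constructed."""
from collections import defaultdict


def parse_version(text):
    # Assumption: plain dotted-integer versions; real distro schemes are richer.
    return tuple(int(part) for part in text.split("."))


class ScanDatabase:
    def __init__(self):
        self.features = {}                   # image -> {package: version}
        self.advisories = defaultdict(list)  # package -> [(advisory_id, fixed_in)]

    def index_image(self, image, packages):
        """Done once per image: record the packages (features) it contains."""
        self.features[image] = dict(packages)

    def ingest_advisory(self, advisory_id, package, fixed_in):
        """Periodic metadata update. Returns the already-indexed images that
        are now affected, which is what drives the notification step."""
        self.advisories[package].append((advisory_id, fixed_in))
        return sorted(img for img in self.features
                      if advisory_id in self.vulnerabilities(img))

    def vulnerabilities(self, image):
        """Correlate stored features with current advisories at query time."""
        found = []
        for package, version in self.features[image].items():
            for advisory_id, fixed_in in self.advisories.get(package, []):
                if parse_version(version) < parse_version(fixed_in):
                    found.append(advisory_id)
        return sorted(found)


def demo():
    db = ScanDatabase()
    db.index_image("registry.example/web:1", {"openssl": "1.1.0", "zlib": "1.2.11"})
    db.index_image("registry.example/api:4", {"openssl": "1.1.2"})
    before = db.vulnerabilities("registry.example/web:1")
    # New metadata arrives later; no image is re-indexed or rescanned.
    notified = db.ingest_advisory("EXAMPLE-0001", "openssl", "1.1.1")
    after = db.vulnerabilities("registry.example/web:1")
    return before, notified, after
```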

Scanning Applications

To scan a specific application image for vulnerabilities, use the app security scan command.

shipa app security scan [-a/--app appname] [--config/-c configfile]

Flags:

Flag            Description
-a, --app       The name of the application
-c, --config    Config file (not required)

Listing Application Scans

To list all security scans for a specific application, use the app security list command.

shipa app security list [-a/--app appname]

Flags:

Flag            Description
-a, --app       The name of the application

Application Security Report

To create a report of a security scan for a particular application, use the app security report command.

shipa app security report [-a/--app app-name]

Flags:

Flag            Description
-a, --app       The name of the application
-i              Scan index

Scanning Images

To scan a specific image for vulnerabilities, use the image security scan command.

shipa image security scan imagename [--config/-c configname]

Flags:

Flag            Description
-c, --config    Configuration file (not required)

Listing Image Scans

To list all security scans for a specific image, use the image security list command.

shipa image security list imagename

Image Security Report

To create a security scan report, use the image security report command.

shipa image security report imagename -i scanIndex

Flag:

Flag            Description
-i              Scan index

