adriens for opt-nc


🕵️ About Java Bytecode, native binaries & security (short Grype benchmark)

❔ Intro

We are currently working on the following topics:

  • Delivery of native Docker images through GitHub Actions to various registries (mainly GHCR.io and Docker Hub)
  • Java native experience: migration to Spring Boot Native and experiments with Quarkus
  • Security for our image continuous deployment pipeline

🛡️ Security

For our source code and dependencies, we apply a security strategy based on Dependabot (a .github/dependabot.yml in each repository)...

...and GitHub Advanced Security for some repositories.

🖕 Controlling Docker image releases

We increasingly release, and rely on, an ever-growing set of Docker images.
In short, as software developers and DevOps engineers, the ones that interest us currently are:

  • The images we rely on
  • The images we build ourselves (on top of the previous ones)

👉 What we need to be able to do is control the security level of the images we are building...

⚠️ ...and not release them if they do not reach the expected level of security, which depends on the target service.

Since not all services have the same criticality, the same vulnerability severity may have a different impact on runtime security governance depending on the service.

👐 Experimentation and solutions

Fortunately, Anchore provides a set of ready-to-use tools that help... a lot:

  • grype (vulnerability scanner for container images and filesystems)
  • syft (CLI tool and library for generating a Software Bill of Materials from container images and filesystems)
  • grype as an Anchore GitHub Action (anchore/scan-action)

👉 So you can easily protect your continuous delivery pipeline with the action's severity-cutoff input: the build fails as soon as a finding reaches that severity (the CLI equivalent is grype's --fail-on flag).
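The severity cutoff above is a single threshold for the whole pipeline, while the previous section wants the bar to depend on the target service. The script below is an added example written for this post (not code from the author, from opt-nc or from the Grype project) that reads a Grype JSON report (grype <image> -o json) and applies a per-service cutoff, optionally ignoring findings that have no fix yet, and also diffs two reports so the bytecode image and the native image can be compared finding by finding. The SERVICE_CUTOFF table, the service names and the two embedded reports are assumptions constructed for the demonstration; their EXAMPLE-* identifiers are placeholders, not real vulnerabilities.

```python
"""Release gate over Grype JSON reports with a per-service severity cutoff,
plus a diff of two reports (e.g. a JVM bytecode image against its native build).

Added example for this post; not code from the post's author or from the Grype
project. It relies only on the shape of Grype's `-o json` output
(matches[].vulnerability.{id,severity,fix.state} and
matches[].artifact.{name,version,type}). The reports below are constructed
sample data with placeholder identifiers, not findings from a real image.
"""
import json

# Grype severity labels, ordered. "Unknown" is handled separately below.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Hypothetical per-service cutoffs (an assumption for this example): an exposed
# service is held to a stricter bar than an internal batch job.
SERVICE_CUTOFF = {"public-api": "High", "internal-batch": "Critical"}


def _report(*matches):
    """Build a minimal Grype-shaped JSON document from
    (id, severity, package name, version, artifact type, fix state) tuples."""
    return json.dumps({"matches": [
        {"vulnerability": {"id": vid, "severity": sev, "fix": {"state": fix}},
         "artifact": {"name": name, "version": ver, "type": typ}}
        for vid, sev, name, ver, typ, fix in matches]})


# Constructed sample: a JVM image carrying a jar with two findings plus one in
# an OS package; a native image where the jar is gone but a different
# dependency shows up. Identifiers are placeholders, not real CVEs.
JVM_REPORT = _report(
    ("EXAMPLE-0001", "High", "example-lib", "1.2.3", "java-archive", "not-fixed"),
    ("EXAMPLE-0002", "Medium", "example-lib", "1.2.3", "java-archive", "not-fixed"),
    ("EXAMPLE-0003", "Critical", "example-os-pkg", "2.0.0", "apk", "fixed"),
)
NATIVE_REPORT = _report(
    ("EXAMPLE-0005", "Medium", "example-native-dep", "0.9.0", "binary", "not-fixed"),
)


def load_matches(report_json):
    """Flatten a Grype JSON report into dicts with the fields the gate needs."""
    rows = []
    for m in json.loads(report_json).get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        rows.append({
            "id": v["id"],
            "severity": v.get("severity", "Unknown"),
            "package": a["name"],
            "version": a["version"],
            "fix_state": (v.get("fix") or {}).get("state", "unknown"),
        })
    return rows


def gate(report_json, service, only_fixed=False, block_unknown=True):
    """Return (passed, blocking_rows).

    A finding blocks the release when its severity is at or above the
    service's cutoff (the semantics of scan-action's severity-cutoff and of
    grype --fail-on). only_fixed=True skips findings with no fix available,
    mirroring the action's only-fixed input. Findings with an unrecognised
    severity block by default here (a design choice of this example): silently
    passing them is the wrong default for a release gate.
    """
    threshold = SEVERITY_RANK[SERVICE_CUTOFF[service]]
    blocking = []
    for row in load_matches(report_json):
        if only_fixed and row["fix_state"] != "fixed":
            continue
        rank = SEVERITY_RANK.get(row["severity"])
        if rank is None:
            if block_unknown:
                blocking.append(row)
            continue
        if rank >= threshold:
            blocking.append(row)
    return len(blocking) == 0, blocking


def diff_reports(left_json, right_json):
    """(vuln id, package) pairs present only in the left report, and only in the right."""
    def key(row):
        return (row["id"], row["package"])
    left = {key(r) for r in load_matches(left_json)}
    right = {key(r) for r in load_matches(right_json)}
    return sorted(left - right), sorted(right - left)


if __name__ == "__main__":
    for name, report in (("jvm", JVM_REPORT), ("native", NATIVE_REPORT)):
        for service in SERVICE_CUTOFF:
            ok, rows = gate(report, service)
            print(f"{name:6} {service:14} {'PASS' if ok else 'FAIL'} "
                  f"{[r['id'] for r in rows]}")
    print("only in jvm / only in native:", diff_reports(JVM_REPORT, NATIVE_REPORT))
```

In a pipeline you would feed the script the file written by grype <image> -o json and exit non-zero when gate() reports a failure; the diff is what the "bytecode vs. native" comparison below boils down to once both images have been scanned. Keep in mind that a scanner only sees what it can catalog: findings that disappear from the native image may be genuinely gone (the jar is no longer shipped) or merely invisible because the compiled binary no longer carries the package metadata grype matches on, so a shrinking report is not on its own proof of a smaller attack surface.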

🤔 Bytecode vs. native impact on security

We wanted to take a quick look at whether, and if so how, a native strategy impacts security, by comparing grype's output for the bytecode and native images:

🔖 Resources

GitHub: anchore/grype

Grype

A vulnerability scanner for container images and filesystems.



Features

  • Scan container images, filesystems, and SBOMs for known vulnerabilities (see the docs for a full list of supported scan targets)
  • Supports major OS package ecosystems (Alpine, Debian, Ubuntu, RHEL, Oracle Linux, Amazon Linux, and more)
  • Supports language-specific packages (Ruby, Java, JavaScript, Python, .NET, Go, PHP, Rust, and more)
  • Supports Docker, OCI, and Singularity image formats
  • Threat & risk prioritization with EPSS, KEV, and risk scoring (see interpreting the results docs)
  • OpenVEX support for filtering and augmenting scan results

Tip

New to Grype? Check out the Getting Started guide for a walkthrough!

Installation

The quickest way to get up and going:

curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin

Note that this pipes a downloaded script straight into a root shell. For a CI pipeline, prefer installing a pinned release and verifying it against the checksums file published with each GitHub release.

Tip

See Installation docs for more ways to get Grype, including Homebrew, Docker, Chocolatey, MacPorts, and more!

Top comments (2)

adriens (opt-nc)

adriens (opt-nc)

syft: Catalog packages from source pom.xml during directory scans: github.com/anchore/syft/issues/676