This topic gives you an overview of the use cases and features of Supply Chain Security Tools (SCST) - Scan, and of the limits of CVE scanning that you should plan around when you use it.
With SCST - Scan, you can build and deploy software that complies with your corporate security requirements. SCST - Scan provides scanning and gatekeeping capabilities that application and DevSecOps teams can incorporate early in their path to production. Scanning early is an established industry practice for reducing security risk and making remediation cheaper: a vulnerable dependency found at build time is fixed before it ever reaches a running workload.
For information about the languages and frameworks that are supported by Tanzu Application Platform components, see the Language and framework support in Tanzu Application Platform table.
The following use cases apply to SCST - Scan:
The following SCST - Scan features enable these use cases:
- Custom resource definitions (CRDs) for Image and Source Scan.
- CRD for a scanner plug-in. An example is available by using Anchore's Syft and Grype.
- CRD for policy enforcement.

Although vulnerability scanning is an important DevSecOps practice whose benefits are widely recognized, it has limits that affect its efficacy. The following examples illustrate limits that are common to most scanners today:
No single vulnerability scanner finds 100% of CVEs, so there is always a risk that a CVE the scanner missed is exploited. Some reasons for missed CVEs include:
Vulnerability scanners cannot always access the information needed to determine accurately whether a CVE applies. This leads to false positives, where the tool flags a component as vulnerable when it is not. Unless a user is a security specialist or knows exactly which component the scanner considers vulnerable, assessing and dismissing false positives is a difficult and time-consuming activity, and a backlog of them makes the true positives easier to overlook. Some reasons for a false positive flag include:
So what can you do to protect yourself and your software?
Although vulnerability scanning is not a perfect solution, it is an essential part of keeping your organization secure. You can take the following measures to maximize its benefits while minimizing the impact of its limits:
Scan more continuously and comprehensively so that newly disclosed vulnerabilities are identified and remediated sooner. A scanner matches against known CVEs, so an image that was clean when it was built becomes vulnerable the day a CVE is published against one of its packages; only a rescan catches that. You can achieve comprehensive scanning by:
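As an added example that is not part of this topic or of the SCST - Scan documentation, the following manifest shows how the three CRDs listed above fit together as a gate: an ImageScan that selects a scanner plug-in through its ScanTemplate and is evaluated against a ScanPolicy written in Rego. Assumptions: the Grype scanner package is installed and has created a ScanTemplate named public-image-scan-template; the apiVersion and field names are those of the v1beta1 scanning API as the editor knows them, so confirm them against kubectl explain imagescan.spec and kubectl explain scanpolicy.spec on your cluster; the shape of the policy input (input.currentVulnerabilities with id and ratings.rating severity fields) is assumed from the CycloneDX-derived document the scan controller passes in; the policy name scan-policy and the nginx:1.16 target are constructed for the example.

```yaml
# Added example (not project code): gate an image scan on a severity policy.
# Assumed: Grype scanner package installed, v1beta1 field names, input shape
# as noted in the comments of the Rego policy. Verify with kubectl explain.
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: scan-policy            # hypothetical name, referenced by the ImageScan below
spec:
  regoFile: |
    package policies

    # Fail closed: a scan whose results cannot be evaluated is non-compliant.
    default isCompliant = false

    # Severities that block promotion. "UnknownSeverity" is included on
    # purpose so that a CVE the scanner cannot rate does not pass silently.
    violatingSeverities := {"Critical", "High", "UnknownSeverity"}

    # CVE IDs explicitly accepted after triage (false positive or accepted
    # risk). Empty here; each entry added should carry a written justification.
    ignoreCves := set()

    # A finding violates the policy when it is not accepted and at least one
    # of its ratings has a blocking severity. Two bodies cover the two shapes
    # the input has been seen in: ratings.rating as a list of objects, and
    # ratings.rating as a single object (assumed input shape, see lead-in).
    violates(match) {
      not ignoreCves[match.id]
      violatingSeverities[match.ratings.rating[_].severity]
    }

    violates(match) {
      not ignoreCves[match.id]
      violatingSeverities[match.ratings.rating.severity]
    }

    anyViolation {
      violates(input.currentVulnerabilities[_])
    }

    # Compliant only when no finding violates; an empty result set passes.
    isCompliant {
      not anyViolation
    }
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-image-scan      # hypothetical name
spec:
  registry:
    image: "nginx:1.16"        # constructed sample target
  scanTemplate: public-image-scan-template   # Grype-based scanner plug-in (assumed name)
  scanPolicy: scan-policy
```

Apply the manifest with kubectl apply -f and follow the scan with kubectl get imagescan sample-image-scan: when a Critical, High or unrated finding is present and not listed in ignoreCves, the scan controller reports the ImageScan as failed, which is the signal a supply chain uses to stop promotion. Keeping ignoreCves in the policy, rather than dropping findings in the scanner, makes every accepted CVE visible and reviewable, which is the practical answer to the false-positive problem described above; re-running the ImageScan on a schedule, not only on each build, is what catches CVEs published after the image was built.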