Multiple Vulnerability Scanners

You are developing a new application that is hosted in a container and you want to ensure that container images with known vulnerabilities are not deployed to your environment.

Not all vulnerability scanners use the same vulnerability databases and some are more complete than others. How do we ensure we don’t rely on a single source of vulnerability information for discovering and reporting issues?

Vulnerability Scanners come from different vendors and open source teams and as a result, different vulnerability scanners will be updated at different rates. Likewise, different vulnerability scanners use different databases and a specific vulnerability may not be reported in all databases. It is also possible that any particular vulnerability scanner may fail to detect a vulnerability, either because of bugs or because a malware author can attack a vulnerability scanner itself.

Therefore:

Use Multiple Pipeline Vulnerability Scanners such as Clair and the IBM Vulnerability Advisor at multiple points in your pipeline.

The best pattern in such a scenario would be to use an open-source scanner such as Clair as part of your CI/CD pipeline and use a different vulnerability scanner for your image registry.

Applying multiple vulnerability scanners to address deficiencies or blind spots in a single scanner or database is a well-known best practice in the security industry documented in SoftwareSecured. Using multiple vulnerability scanners within your Docker Build Pipeline gives you an increased level of security as there is a reduced risk of vulnerability not being found due a single scanner not being aware of the vulnerability.