What does HackerNews think of trivy?
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Some scanners like trivy [1] can scan statically compiled binaries, provided they include dependency version information (I think go does this on its own, for rust there's [2], not sure about other languages).
It also looks into your containers.
The problem is what to do when it finds a vulnerability. In a fat app with dynamic linking you could exchange the offending library, check that this doesn't break anything for your use case, and be on your way. But with static linking you need to compile a new version, or get whoever can build it to compile a new version. Which seems to be a major drawback of discouraging fat apps.
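An added example (not from the comment above and not trivy's own code) of what "dependency version information in a statically compiled binary" means for Go: the linker embeds a module table in every Go binary, `go version -m <binary>` prints it, and `debug/buildinfo.ReadFile` reads it back from any binary on disk. The program below parses that table (from a constructed text sample, or from a real binary given as an argument) and matches the linked-in dependency versions against a constructed advisory list. The module paths, versions, sums and the `EXAMPLE-000x` advisory IDs are placeholders, not real packages or vulnerabilities; a scanner such as trivy gets its advisories from its vulnerability database instead.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Constructed sample of the module metadata the Go linker embeds in every
// binary, in the text form `go version -m <binary>` prints. Placeholders only.
const sampleBuildInfo = "path\texample.invalid/app\n" +
	"mod\texample.invalid/app\t(devel)\t\n" +
	"dep\texample.invalid/libfoo\tv1.2.3\th1:AAAA\n" +
	"dep\texample.invalid/libbar\tv0.9.0\th1:BBBB\n"

// advisory: versions of Module below FixedVersion are affected (placeholders;
// a scanner pulls these from its vulnerability database).
type advisory struct{ ID, Module, FixedVersion string }
var sampleAdvisories = []advisory{
	{"EXAMPLE-0001", "example.invalid/libfoo", "v1.2.4"},
	{"EXAMPLE-0002", "example.invalid/libbar", "v0.8.0"},
}

// Finding: one dependency whose linked-in version an advisory covers.
type Finding struct{ AdvisoryID, Module, Installed, Fixed string }

// versionKey orders "vMAJOR.MINOR.PATCH[-pre][+meta]" numerically (pre-release
// ordering is deliberately ignored to keep the example short).
func versionKey(v string) (uint64, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // also strips Go pseudo-version suffixes
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	var key uint64
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1<<20 {
			return 0, fmt.Errorf("bad version component %q", p)
		}
		key = key<<20 | uint64(n)
	}
	return key, nil
}

// MatchDeps returns every dependency recorded in bi whose version is below
// an advisory's fixed version.
func MatchDeps(bi *debug.BuildInfo, advisories []advisory) ([]Finding, error) {
	var findings []Finding
	for _, dep := range bi.Deps {
		installed, err := versionKey(dep.Version)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", dep.Path, err)
		}
		for _, adv := range advisories {
			if adv.Module != dep.Path {
				continue
			}
			fixed, err := versionKey(adv.FixedVersion)
			if err != nil {
				return nil, err
			}
			if installed < fixed {
				findings = append(findings, Finding{adv.ID, dep.Path, dep.Version, adv.FixedVersion})
			}
		}
	}
	return findings, nil
}

// ScanBuildInfoText parses `go version -m` style text and matches it.
func ScanBuildInfoText(text string, advisories []advisory) ([]Finding, error) {
	bi, err := debug.ParseBuildInfo(text)
	if err != nil {
		return nil, err
	}
	return MatchDeps(bi, advisories)
}

func main() {
	bi, err := debug.ParseBuildInfo(sampleBuildInfo) // the constructed sample
	if len(os.Args) > 1 {
		bi, err = buildinfo.ReadFile(os.Args[1]) // a real compiled Go binary, as a scanner reads it
	}
	var findings []Finding
	if err == nil {
		findings, err = MatchDeps(bi, sampleAdvisories)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: %d dependencies, %d affected\n", bi.Main.Path, len(bi.Deps), len(findings))
	for _, f := range findings {
		fmt.Printf("  %s %s %s (fixed in %s)\n", f.AdvisoryID, f.Module, f.Installed, f.Fixed)
	}
}
```

Run it with no argument to see the sample matched, or pass the path of any Go binary to see the module table a scanner sees. The point of the comment above still stands: once a match is found, the only remedy for a static binary is a rebuild with the fixed module version, since there is no shared library to swap underneath it.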
Aqua Security provides the next generation of Cloud Native security solutions, and open source has been core to our DNA and strategy. Our Open Source team is fully remote worldwide.
- https://github.com/aquasecurity/starboard : Kubernetes security, api-machinery and operators, security tool orchestration.
- https://github.com/aquasecurity/trivy : Vulnerability and misconfiguration scanning, image/packages/code, static analysis.
- https://github.com/aquasecurity/tracee : Runtime security, detect suspicious behavior, Linux and eBPF.
I'm the hiring manager, feel free to DM me on twitter @itaysk if you have questions.
Apply here: https://www.aquasec.com/about-us/careers/co/engineering/81.E...
I will also be looking for an Engineering Manager to join the team soon. Responsibilities include people management, product direction, cross-team collaboration enablement. Need to understand the cloud native and open source landscape. If you're interested please DM me on Twitter since the job posting isn't up yet.
1, For companies that don’t do any vulnerability discovery, something that warns them that they should check. I usually recommended openCVE but I feel it is still a bit too heavy and the urgency is not clear. Hence RSS focusing on exploited vulns.
2, For companies that already do some scanning (these days I recommend trivy and OpenVAS), end up with 9999 vulnerabilities that they have a hard time triaging. I believe exploitation and exploit availability are in the top 3 concerns for triage so I was looking for options to enrich the vulnerability data. Could not find anything that would be free and easily added in cicd/cli for exploitation information. I threw in exploit information so one does not need to add 2 things, and this database includes all the sources I had been using before. Hence API that goes for the jugular (https://inthewild.io/api/exploited) and sqlite that anybody could include + minimal python wrapper to document it.
https://www.opencve.io/welcome
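An added example (not the poster's tool and not trivy's code) of the enrichment step described in point 2 above: it decodes the `Results`/`Vulnerabilities` subset of a trivy JSON report, flags every finding whose ID is in a known-exploited set, and sorts exploited findings above everything else, then by severity, then by whether a fix exists. The report contents, package names and `CVE-0000-000x` IDs are constructed placeholders, and `sampleExploited` stands in for whatever exploited-vulnerability feed you load (the post points at inthewild.io; its format is not assumed here).

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// The subset of a trivy JSON report this triage step needs. The field names
// are trivy's; the rest of the report is ignored on decode.
type report struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []vuln `json:"Vulnerabilities"`
	} `json:"Results"`
}

type vuln struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
}

// Constructed sample report: the identifiers, packages and versions are
// placeholders, not real findings. A real one comes from `trivy image -f json`.
const sampleReport = `{
  "SchemaVersion": 2,
  "ArtifactName": "registry.invalid/app:1.0",
  "Results": [{
    "Target": "registry.invalid/app:1.0 (debian 12.0)",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libalpha", "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "MEDIUM"},
      {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbeta", "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
      {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libgamma", "InstalledVersion": "0.4", "FixedVersion": "0.5", "Severity": "HIGH"}
    ]
  }]
}`

// Constructed stand-in for the exploited-vulnerability feed. In practice load
// the IDs from the source you trust; its format is not assumed here.
var sampleExploited = map[string]bool{"CVE-0000-0001": true}

type Enriched struct {
	vuln
	Target    string
	Exploited bool
	Priority  int // lower sorts first
}

var severityRank = map[string]int{"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

// score ranks known-exploited findings above everything else, then by
// severity, then prefers findings that already have a fix available.
func score(v vuln, exploited bool) int {
	p := 0
	if !exploited {
		p += 100
	}
	rank, ok := severityRank[v.Severity]
	if !ok {
		rank = 4 // UNKNOWN or anything unexpected sorts last within its tier
	}
	p += rank * 10
	if v.FixedVersion == "" {
		p++
	}
	return p
}

// Prioritize decodes a trivy JSON report, flags every finding whose ID is in
// the exploited set, and returns the findings sorted most urgent first.
func Prioritize(reportJSON []byte, exploited map[string]bool) ([]Enriched, error) {
	var r report
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	var out []Enriched
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			ex := exploited[v.VulnerabilityID]
			out = append(out, Enriched{vuln: v, Target: res.Target, Exploited: ex, Priority: score(v, ex)})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Priority < out[j].Priority })
	return out, nil
}

func main() {
	items, err := Prioritize([]byte(sampleReport), sampleExploited)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, e := range items {
		fmt.Printf("%3d exploited=%-5t %-8s %-14s %-10s fix=%q\n",
			e.Priority, e.Exploited, e.Severity, e.VulnerabilityID, e.PkgName, e.FixedVersion)
	}
}
```

To run it over a real scan, produce the report with `trivy image -f json -o report.json <image>` and pass the file's bytes to `Prioritize` in place of `sampleReport`. The scoring puts the exploited MEDIUM finding ahead of the unexploited CRITICAL one, which is the whole point of the enrichment: with thousands of findings, "is this being exploited" is a better first sort key than CVSS severity alone.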
But the other complementary approach is to lock down other things - so for example, if you're running in a container, make sure that container can only talk to the proxy in front of it. That way, even if there was some kind of malicious code running in one of the modules, there's no way for any data to get in or out (unless it finds a way of injecting into any web input/output, but then you need to be scanning for that too)
Aqua Security provides the next generation of Cloud Native security solutions, and open source has been core to our DNA and strategy. Our Open Source team is fully remote worldwide.
We are looking for engineers to work on:
- https://github.com/aquasecurity/starboard : Golang, Kubernetes, K8s operator.
- https://github.com/aquasecurity/trivy : Golang, OPA, vulnerabilities & Infrastructure as Code scanning.
I'm the hiring manager, feel free to DM me on twitter @itaysk if you have questions.
Apply here: https://www.aquasec.com/about-us/careers/co/engineering/81.E...
Aqua Security provides the next generation of Cloud Native security solutions, and open source has been core to our DNA and strategy. Our Open Source team is fully remote worldwide. We are looking to expand with:
- Open Source Engineer for maintaining https://github.com/aquasecurity/starboard : Golang, Kubernetes, K8s operator.
- Open Source engineer for working on https://github.com/aquasecurity/trivy : Golang, OPA, vulnerabilities & Infrastructure as Code scanning.
I'm the hiring manager, feel free to DM me on twitter @itaysk if you have questions.
Apply here: https://www.aquasec.com/about-us/careers/co/engineering/81.E...
- Golang / Kubernetes engineer for https://github.com/aquasecurity/starboard
- Golang engineer for https://github.com/aquasecurity/trivy
- eBPF/kernel developer for https://github.com/aquasecurity/tracee
I'm the hiring manager, feel free to DM me on twitter @itaysk if you have questions.
Apply here: https://www.aquasec.com/about-us/careers/co/engineering/81.E...
Aqua Security provides the next generation of Cloud Native security solutions, and open source has been a core part of our DNA and strategy. Our Open Source team is fully remote worldwide. We are looking to expand with:
- Golang / Kubernetes engineer for https://github.com/aquasecurity/starboard
- Golang engineer for https://github.com/aquasecurity/trivy
- eBPF/kernel developer for https://github.com/aquasecurity/tracee
I'm the hiring manager, feel free to DM me on twitter @itaysk if you have questions.
Apply here: https://www.aquasec.com/about-us/careers/co/engineering/81.E...