Simplify Cloud Native Security with Trivy

Transcript

1. © 2022 Aqua Security Software Ltd., All Rights Reserved Teppei

   Fukuda / August 5th, 2022 Simplify Cloud Native Security with Trivy CloudNative Security Conference 2022

2. Teppei Fukuda Open Source Team, Aqua Security @knqyf263 @knqyf263 2

3. 3 Overview of Cloud Native Security Where to start How

   Trivy helps Summary Agenda

4. 4 App Infra Run Build Deploy Code CD Artifact registry

   Functions VMs Containers Cloud accounts Code (custom, 3rd party, OSS) Image IaC Git Orchestrator CI The Application Development Lifecycle

5. 5 App Infra Run Build Deploy Code CD Artifact registry

   Functions VMs Containers Cloud accounts Code (custom, 3rd party, OSS) Image IaC Git Orchestrator CI Artifact Scanning Runtime

6. 6 Cloud Native Application Protection Platforms (CNAPP) Dev Ops Sec

   Artifact Scanning Cloud Configuration Runtime Protection Gartner, Inc. Innovation Insight for Cloud-Native Application Protection Platforms SAST/DAST API scanning Secrets scanning Malware scanning Software Composition Analysis (SCA) Infrastructure as Code scanning Network Configuration and Security Policy Cloud Infrastructure Entitlements Mgmt Kubernetes Security Posture Management (KSPM) Cloud Security Posture Management (CSPM) Web Application and API Protection Application Monitoring Cloud Workload Protection Platform (CWPP) Network Segmentation Workload Vulnerability/Config

7. 7 Dev Ops Sec Artifact Scanning Cloud Configuration Runtime Protection

   Gartner, Inc. Innovation Insight for Cloud-Native Application Protection Platforms Gitleaks gosec Open Source Security Tools

8. 8 Dev Ops Sec Artifact Scanning Cloud Configuration Runtime Protection

   Gartner, Inc. Innovation Insight for Cloud-Native Application Protection Platforms Gitleaks gosec Open Source Security Tools Where to start…?

9. 9 App Infra Run Build Deploy Code CD Artifact registry

   Functions VMs Containers Cloud accounts Code (custom, 3rd party, OSS) Image IaC Git Orchestrator CI Artifact Scanning Runtime

10. 10 App Infra Run Build Deploy Code CD Artifact registry

    Functions VMs Containers Cloud accounts Code (custom, 3rd party, OSS) Image IaC Git Orchestrator CI Which stage to secure

11. 11 Dev SCA IaC Scanning SAST/DAST Fuzzing Secrets Scanning Preventing

    security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Network Configuration Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native development Handle Attack

12. 12 Dev SCA IaC Scanning SAST/DAST Fuzzing Secrets Scanning Preventing

    security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Build

13. 13 Preventing vulnerable artifacts from deploying Scan cloud deployments for

    security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Dev SCA IaC Scanning SAST/DAST Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Deploy

14. 14 Dev SCA IaC Scanning SAST/DAST Fuzzing Secrets Scanning Preventing

    security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack Attack Prevent Detect Block

15. 15 Dev SCA IaC Scanning SAST/DAST Fuzzing Secrets Scanning Preventing

    security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack Attack Deploy Build

16. 16 Shifting Left High Low Priority Dev SCA IaC Scanning

    SAST/DAST Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack

17. 17 Why shifting security left matters https://cloud.google.com/blog/products/identity-security/shift-left-on-google-cloud-security-invest-now-save-later

18. 18 Invest early, save later Dev SCA IaC Scanning SAST/DAST

    Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack Still too much

19. 19 https://www.darkreading.com/vulnerabilities---threats/missing-patches-misconfiguration-top-technical-breach-causes/d/d-id/1337410

20. Number of known vulnerabilities 20 •Log4Shell •Spring4Shell •ProxyShell •ProxyLogon •ZeroLogon

21. 21 https://www.trendmicro.com/vinfo/pl/security/news/virtualization-and-cloud/data-on-123-million-us-households-exposed-due-to-misconfigured-aws-s3-bucket https://www.darkreading.com/attacks-breaches/misconfigured-elasticsearch-instance-exposes-more-than-5-billion-records/d/d-id/1337368 https://www.computerweekly.com/news/252435544/Unprotected-Kubernetes-consoles-expose-firms-to-cryptojacking Misconfiguration-Caused Breach

22. 22 Start with Patch & Misconfiguration Scanning Dev SCA IaC

    Scanning SAST/DAST Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack

23. 23 What's Trivy? The Swiss Army Knife for Security Scanning

    • Started as a vulnerability scanner for container images • Joined Aqua Security in 2019 https://github.com/aquasecurity/trivy

24. 24 Highlights Comprehensive Security Issues Easy Setup High Accuracy

25. 25 Vulnerability Scanning • Alpine Linux • Debian • Python

    • Go • Java • etc.

26. 26 Scan filesystem for vulnerabilities $ trivy fs [YOUR_PROJECT_DIR]

27. $ trivy fs ./myproject Pipfile.lock ============ Total: 9 (UNKNOWN: 1,

    LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0) +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ | django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential | | | | | | | SQL injection via | | | | | | | StringAgg(delimiter) | + +------------------+----------+ +------------------------+------------------------------------+ | | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address | | | | | | | allows account takeover | +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ 27 Scan your project including a lock file with "filesystem" or "fs" subcommand Scan filesystem for vulnerabilities

28. 28 Scan git repository $ trivy repo [REPOSITORY_URL] e.g. $

    trivy repo github.com/aquasecurity/tracee

29. 29 Infrastructure as Code (IaC) scanning • Terraform • CloudFormation

    • Kubernetes • Helm chart • Dockerfile

30. 30 Misconfiguration scanning $ trivy fs --security-checks config [YOUR_PROJECT_DIR]

31. 31 Misconfiguration scanning

32. 32 Helm chart scanning Demo

33. 33 Custom policies package user.kubernetes.ID001 import lib.result __rego_metadata__ := {

    "id": "ID001", "title": "Deployment not allowed", "severity": "LOW", "description": "Deployments are not allowed because of some reasons.", } __rego_input__ := { "selector": [ {"type": "kubernetes"}, ], } deny[res] { input.kind == "Deployment" msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name]) res := result.new(msg, input) } OPA/Rego

34. 34 Dev SCA IaC Scanning SAST/DAST Fuzzing Secrets Scanning Preventing

    security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack Build Developer Security

35. 35 Visual Studio Code and JetBrains https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner

36. 36 Scan container images for vulnerabilities Dev SCA IaC Scanning

    SAST/DAST Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack

37. 37 Container image scanning $ trivy image [YOUR_IMAGE_NAME]

38. 38 Example $ trivy image alpine:3.10.7 2021-07-13T18:16:52.490+0300 INFO Detected OS:

    alpine 2021-07-13T18:16:52.490+0300 INFO Detecting Alpine vulnerabilities... alpine:3.10.7 (alpine 3.10.7) ============================= Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0) +------------+------------------+----------+-------------------+---------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +------------+------------------+----------+-------------------+---------------+---------------------------------------+ | apk-tools | CVE-2021-30139 | HIGH | 2.10.4-r2 | 2.10.6-r0 | In Alpine Linux apk-tools | | | | | | | before 2.12.5, the tarball | | | | | | | parser allows a buffer... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-30139 | +------------+------------------+ +-------------------+---------------+---------------------------------------+ | busybox | CVE-2021-28831 | | 1.30.1-r4 | 1.30.1-r5 | busybox: invalid free or segmentation | | | | | | | fault via malformed gzip data | | | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 | +------------+------------------+----------+-------------------+---------------+---------------------------------------+

39. 39 • OS packages • Debian / Ubuntu • Red

    Hat Enterprise Linux / CentOS • Alpine Linux • Amazon Linux • Oracle Linux • openSUSE / SUSE Enterprise Linux • Photon OS • Google Distroless • AlmaLinux / Rocky Linux • CBL-Mariner • Language-specific packages • Ruby • PHP • Python • JavaScript / Node.js • Rust • Java • Go • .NET Detect comprehensive vulnerabilities

40. Integrations

41. 41 Continuous Integration (CI)

42. 42 GitLab

43. Harbor 43 https://goharbor.io/blog/harbor-2.0/

44. 44 Azure Defender for Cloud https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd

45. 45 Rancher Desktop https://github.com/rancher-sandbox/rancher-desktop/releases/tag/v0.4.0

46. 46 https://blog.aquasec.com/container-image-scanning-docker-desktop-with-trivy Docker Extensions (Docker Desktop)

47. 47 Key Takeaways Top Technical Breach Causes Dev SCA IaC

    Scanning SAST/DAST Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Invest early, save later

48. 48 Hard-coded secrets scanning • AWS Access Key ID /

    Secret Access Key • GCP Service Account • GitHub Personal Access Token • Slack Access Token • etc.

49. 49 Secret scanning Enabled by default $ trivy image [YOUR_IMAGE]

    $ trivy fs [YOUR_PROJECT_DIR]

50. 50 Optimization FROM debian:8 RUN apt-get update COPY mysecret.txt /

    ENTRYPOINT ["entrypoint.sh"] CMD ["somecmd"] Secret scanning is quite slow No need to scan

51. 51 License classification • Forbidden • Restricted • Reciprocal •

    Notice • Etc. https://opensource.google/documentation/reference/thirdparty/licenses

52. 52 License scanning (compliance) $ trivy image --security-checks license --severity

    UNKNOWN,HIGH,CRITICAL alpine:3.15 2022-07-13T17:28:39.526+0300 INFO License scanning is enabled OS Packages (license) ===================== Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0) !"""""""""""""""""""#"""""""""#""""""""""""""""#""""""""""$ % Package % License % Classification % Severity % &"""""""""""""""""""'"""""""""'""""""""""""""""'""""""""""( % alpine-baselayout % GPL-2.0 % Restricted % HIGH % &"""""""""""""""""""( % % % % apk-tools % % % % &"""""""""""""""""""( % % % % busybox % % % % &"""""""""""""""""""( % % % % musl-utils % % % % &"""""""""""""""""""( % % % % scanelf % % % % &"""""""""""""""""""( % % % % ssl_client % % % % )"""""""""""""""""""*"""""""""*""""""""""""""""*""""""""""+

53. 53 Extended license scanning $ trivy image --security-checks license --severity

    UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana 2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled Loose File License(s) (license) =============================== Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2) !""""""""""""""""#""""""""""#""""""""""""""#""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$ % Classification % Severity % License % File Location % &""""""""""""""""'""""""""""'""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""( % Forbidden % CRITICAL % AGPL-3.0 % /usr/share/grafana/LICENSE % % % % % % % % % % % &""""""""""""""""'""""""""""'""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""( % Non Standard % UNKNOWN % BSD-0-Clause % /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- % % % % % s.LICENSE.txt % % % % &""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""( % % % % /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- % % % % % s.LICENSE.txt % )""""""""""""""""*""""""""""*""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+ Scan license files and file headers (--license-full)

54. 54 Trivy covers more Dev SCA IaC Scanning SAST/DAST Fuzzing

    Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack

55. 55 Kubernetes cluster scanning # cluster scanning $ trivy k8s

    --report summary cluster # namespace scanning: $ trivy k8s -n kube-system --report summary all # resources scanning: $ trivy k8s deployment/orion

56. 56 Summary Report

57. 57 Detailed Report

58. 58 Trivy covers more and more Dev SCA IaC Scanning

    SAST/DAST Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack

59. 59 AWS scanning $ trivy aws Coming soon (v0.31.0)

60. 60

61. 61

62. Advanced

63. Software Bill of Materials (SBOM) generation 63 Support three formats

    •CycloneDX (--format cyclonedx) •SPDX (--format spdx, --format spdx-json) •GitHub Dependency Snapshots (--format github) $ trivy image --format cyclonedx [YOUR_IMAGE] https://cyclonedx.org/ https://spdx.dev/ https://docs.github.com/en/rest/dependency-graph/dependency-submission

64. SBOM scanning 64 $ trivy image --format cyclonedx --output alpine.cdx.json

    alpine:3.15 $ trivy sbom alpine.cdx.json alpine.cdx.json (alpine 3.7.1) ============================== Total: 3 (CRITICAL: 3) !"""""""""""""#""""""""""""""""#""""""""""#"""""""""""""""""""#"""""""""""""""#""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$ % Library % Vulnerability % Severity % Installed Version % Fixed Version % Title % &"""""""""""""'""""""""""""""""'""""""""""'"""""""""""""""""""'"""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""( % curl % CVE-2018-14618 % CRITICAL % 7.61.0-r0 % 7.61.1-r0 % curl: NTLM password overflow via integer overflow % % % % % % % https://avd.aquasec.com/nvd/cve-2018-14618 % &"""""""""""""'""""""""""""""""'""""""""""'"""""""""""""""""""'"""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""( % libbz2 % CVE-2019-12900 % CRITICAL % 1.0.6-r6 % 1.0.6-r7 % bzip2: out-of-bounds write in function BZ2_decompress % % % % % % % https://avd.aquasec.com/nvd/cve-2019-12900 % &"""""""""""""'""""""""""""""""'""""""""""'"""""""""""""""""""'"""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""( % sqlite-libs % CVE-2019-8457 % CRITICAL % 3.21.0-r1 % 3.25.3-r1 % sqlite: heap out-of-bound read in function rtreenode() % % % % % % % https://avd.aquasec.com/nvd/cve-2019-8457 % )"""""""""""""*""""""""""""""""*""""""""""*"""""""""""""""""""*"""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+

65. Attestation 65 •Authenticated metadata about a set of software artifacts

    •Provenance •A container image with digest "sha256:87f7fe…" from git commit "f0c93d…" •SBOM •Formats •In-toto attestation { "payloadType": "application/vnd.in-toto+json", "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1l bnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwOi8vbXkuZ XhhbXBsZS5jb20vYXV0aG9yIiwic3ViamVjdCI6W3sibmFtZS I6ImluZGV4LmRvY2tlci5pby9vdG1zNjEvaGVsbG8tMSIsImR pZ2VzdCI6eyJzaGEyNTYiOiIyMGQzZjY5M2RjZmZhNDRkNmIy NGVhZTg4NzgzMzI0ZDI1Y2MxMzJjMjIwODlmNzBlNGZiZmI4N Tg2MjViMDYyIn19XSwicHJlZGljYXRlIjp7ImF1dGhvciI6In Nhc28ifX0=", "signatures": [ { "keyid": "", "sig": "MEQC++c7F1czPr...CKdBdjq+If/g67Q==" } ] } https://github.com/in-toto/attestation

66. Trivy Operator 66 •Automated vulnerability scanning for Kubernetes workloads. •Automated

    configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies. •Custom Resource Definitions and a Go module to work with and integrate a range of security scanners. •The Lens Extension that make security reports available through familiar Kubernetes interfaces.

67. Dependency Origin Tree (Node.js) 67

68. trivy.yaml 68 $ cat << EOS > trivy.yaml timeout: 20m

    format: json dependency-tree: true list-all-pkgs: true exit-code: 1 output: result.json severity: - HIGH - CRITICAL scan: security-checks: - vuln - secret vulnerability: ignore-unfixed: true EOS $ trivy image YOUR_IMAGE

69. 69 Client/Server Server ᶃ Download vulnerability DB Client ᶄ Pull

    layers Cache ᶇ Store cache ᶅ Analyze ᶆ Send layer information ᶈ Respond vulnerabilities Container Registry

70. 70 Open Policy Agent (OPA) Integration Rego --ignore-policy Detected Vulnerabilities

    OPA Result * EXPERIMENTAL feature KubeCon Europe 2020 https://static.sched.com/hosted_files/kccnceu20/e5/2020%3A08%20KubeCon%20Europe%202020.pdf

71. 71 WebAssembly Module * EXPERIMENTAL feature $ trivy module install

    ghcr.io/ aquasecurity/trivy-module-spring4shell $ trivy image ghcr.io/aquasecurity/ trivy-test-images:spring4shell-jre8 OCI Registries Inspect Tomcat Configuration...

72. 72 Audit Your Software Supply Chain for CIS Compliance •

    The CIS Software Supply Chain Security Guide • Aqua Security and the Center for Internet Security (CIS) collaborated • Provides more than 100 foundational recommendations • Support key emerging standards like Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF). https://github.com/aquasecurity/chain-bench

73. 73 Simplify Cloud Native Security with Trivy Covered by Dev

    SCA IaC Scanning SAST/DAST Fuzzing Secrets Scanning Preventing security from slowing down development Trust your Code Preventing vulnerable artifacts from deploying Scan cloud deployments for security issues like misconfigurations DevOps / DevSecOps Container Image Scanning - Vulnerabilities - Secrets - Malware, etc. Supply Chain Security Secure your Artifact Infrastructure / Cloud / Security CSPM KSPM Workload Vulnerability/Config Harden your Deployment Security Operations AV EDR IDS/IPS/WAF Container / VMs / Server 
 Protection Visibility and protection for cloud native deployments Handle Attack

74. © 2022 Aqua Security Software Ltd., All Rights Reserved Thanks