If your application resides within a Docker container, ShiftLeft CORE can analyze the container in which your app resides for findings that aren't expressly a part of your application and present those results in conjunction with your other findings in the ShiftLeft Dashboard.
You must have:
- Docker installed
- Built your container already (e.g., `docker build -t heartbleed-docker .`)
Including the container in the analysis
To include the container with your analysis, append the following flag and accompanying values to your `sl analyze` command:
|The container to include (e.g., |
Generally, any reference that works with `docker run` can be used as an argument, including locally available containers like `demoContainer`, or the image ID listed in `docker image ls`.
If you initiate an analysis of your application with the following:
You can include your application's container in the analysis for findings as follows:
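As an added example (not ShiftLeft's own tooling or documentation), the POSIX shell wrapper below checks what kind of container reference is about to be scanned and, in a CI setting, refuses mutable tags so that the scan report corresponds to one immutable image. It assumes the container flag is spelled `--container` (confirm with `sl analyze --help`); `--app`, the `--java` language flag and the artifact path are placeholders for whatever your existing `sl analyze` invocation already uses; `myapp`, the image IDs and the digests in the usage lines are constructed sample values. `resolve_digest` calls the real Docker CLI and therefore needs Docker available.

```shell
#!/bin/sh
# Added example, not ShiftLeft's code: validate a container reference before
# handing it to `sl analyze`, so CI scans a pinned artifact rather than a tag
# that may point at a different image tomorrow.
# Assumptions: the `--container` flag name is assumed (check `sl analyze --help`);
# app name, artifact path and image references below are constructed samples.

# Classify one reference of the kinds `docker run` accepts. Prints one word:
#   digest   repo@sha256:<64 hex>   immutable content address
#   id       12 or 64 hex chars     image ID as shown by `docker image ls`
#   tag      repo:tag               mutable
#   name     repo                   implicit :latest, also mutable
#   invalid  empty, contains a space, or malformed digest
classify_ref() {
  ref=$1
  case $ref in
    '' | *" "*) echo invalid; return ;;
  esac
  case $ref in
    *@sha256:*)
      digest=${ref##*@sha256:}
      case $digest in *[!0-9a-f]*) echo invalid; return ;; esac   # non-hex character
      [ ${#digest} -eq 64 ] && echo digest || echo invalid
      return ;;
    *@*) echo invalid; return ;;                                  # only sha256 digests are accepted
  esac
  case $ref in
    *[!0-9a-f]*) ;;   # not a bare hex string; fall through to the tag/name checks
    *) if [ ${#ref} -eq 12 ] || [ ${#ref} -eq 64 ]; then echo id; return; fi ;;
  esac
  last=${ref##*/}     # drop registry/namespace so a port such as host:5000 is not mistaken for a tag
  case $last in
    *:*) echo tag ;;
    *)   echo name ;;
  esac
}

# Succeeds only for references that cannot silently change between scan and deploy.
require_pinned() {
  kind=$(classify_ref "$1")
  case $kind in
    digest | id) return 0 ;;
    *) echo "refusing unpinned container reference '$1' ($kind)" >&2; return 1 ;;
  esac
}

# Resolve a tag to its repository digest with the Docker CLI (needs Docker; not run offline).
# Prints nothing for an image that was only built locally and never pushed or pulled,
# because such images carry no RepoDigests entry.
resolve_digest() {
  docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null
}

# Print the analyze command for a pinned reference; remaining arguments (language
# flag, artifact path, ...) are passed through unchanged. The caller decides whether to run it.
analyze_cmd() {
  app=$1; ref=$2; shift 2
  require_pinned "$ref" || return 1
  printf 'sl analyze --app %s --container %s' "$app" "$ref"
  printf ' %s' "$@"
  printf '\n'
}

# Usage with constructed values: the mutable tag is refused, the digest passes.
for r in heartbleed-docker:latest "heartbleed-docker@sha256:$(printf '%064d' 0)"; do
  analyze_cmd myapp "$r" --java target/app.jar || true
done
```

To run the analysis rather than only print it, replace the `printf` lines with the command itself, or `eval "$(analyze_cmd ...)"` in your pipeline; the point of keeping the check separate is that an unpinned reference fails the job before anything is scanned.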
Viewing your results
The summary page for your application provides high-level information regarding your container scan results, including the number of reachable/unreachable vulnerabilities:
You can see a complete list of your container-related findings on the Container tab:
SCA for Containers
On the dashboard, ShiftLeft displays OSS vulnerabilities along with any other findings. See Intelligent Software Composition Analysis (SCA) for information on ShiftLeft's SCA implementation.
In short, ShiftLeft considers a finding to be reachable if an attacker-controlled path connects application inputs to the CVE. The concept of reachability is crucial because it tells you if someone can exploit a vulnerability in your application; if not, you can consider this vulnerability a low priority for mitigation.
At this time, you can only analyze Windows-based containers using Windows machines.