If your application resides within a Docker container, Qwiet preZero can analyze the container in which your app resides for findings that aren't expressly a part of your application and present those results in conjunction with your other findings in the Qwiet Dashboard.
You must have:
- Docker installed
- Built your container already (e.g., docker build -t heartbleed-docker .)
Including the container in the analysis
To include the container with your analysis, append the following flag and accompanying value to your sl analyze command:

| Flag | Value |
| --- | --- |
| --container | The container to include (e.g., demoContainer) |
Generally, any reference that works with docker run can be used as an argument, including locally available containers like demoContainer, or the image ID listed in docker image ls.
If you initiate an analysis of your application with the following:
sl analyze --java --app HelloShiftLeft --vcs-prefix-correction "*=/src/main/java" --wait ./target/hello-shiftleft-0.0.1.jar
You can include your application's container in the analysis for findings as follows:
sl analyze --java --app HelloShiftLeft --vcs-prefix-correction "*=/src/main/java" --container shiftleft/containerName --wait ./target/hello-shiftleft-0.0.1.jar
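The following script is an added example, not part of Qwiet's documentation or tooling. It wraps the procedure above for a CI job: it checks the two prerequisites (Docker present, image already built), resolves a repository:tag reference to the image ID shown by docker image ls, and composes the same sl analyze command line with --container added. The image listing is passed in as text so the ID lookup can be exercised offline against a constructed listing; the app name, image reference and artifact path are arguments you supply.

```shell
#!/bin/sh
# Added example (not Qwiet's own tooling): run sl analyze with --container
# after verifying the prerequisites named on this page.
set -eu

# Resolve "repo:tag" (or "repo", meaning repo:latest) to an image ID from
# `docker image ls` output. The listing is passed as $2 so the function can be
# tested against constructed text; in real use pass "$(docker image ls)".
resolve_image_id() {
  ref="$1"; listing="$2"
  repo="${ref%%:*}"; tag="${ref#*:}"
  # No colon in the reference: docker defaults the tag to "latest".
  [ "$tag" = "$ref" ] && tag="latest"
  # Skip the header row; columns are REPOSITORY TAG IMAGE-ID CREATED SIZE.
  printf '%s\n' "$listing" | awk -v r="$repo" -v t="$tag" \
    'NR > 1 && $1 == r && $2 == t { print $3; exit }'
}

# Compose the command from the page with the --container flag inserted.
build_analyze_cmd() {
  app="$1"; container="$2"; artifact="$3"
  printf 'sl analyze --java --app %s --vcs-prefix-correction "*=/src/main/java" --container %s --wait %s' \
    "$app" "$container" "$artifact"
}

# Prerequisites from the page: Docker installed and the image already built.
check_prereqs() {
  command -v docker >/dev/null 2>&1 || { echo "docker is not installed" >&2; return 1; }
  docker image inspect "$1" >/dev/null 2>&1 || { echo "image $1 has not been built" >&2; return 1; }
}

# Usage: ./analyze-with-container.sh <app-name> <image-ref> <artifact>
main() {
  app="$1"; image_ref="$2"; artifact="$3"
  check_prereqs "$image_ref"
  image_id="$(resolve_image_id "$image_ref" "$(docker image ls)")"
  [ -n "$image_id" ] || { echo "could not find image ID for $image_ref" >&2; exit 1; }
  cmd="$(build_analyze_cmd "$app" "$image_id" "$artifact")"
  echo "$cmd"
  eval "$cmd"
}

if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

Passing the image ID rather than the tag to --container pins the analysis to the exact image that was built in the same pipeline run, so a later rebuild under the same tag cannot silently change what was scanned.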
Viewing your results
The application summary page provides high-level information regarding your container scan results, including the number of reachable/unreachable vulnerabilities.
You can see a complete list of your container-related findings by going to Findings > Containers from the application summary page.
SCA for Containers
On the dashboard, Qwiet displays OSS vulnerabilities along with any other findings. See Intelligent Software Composition Analysis (SCA) for information on Qwiet's SCA implementation.
In short, Qwiet considers a finding to be reachable if an attacker-controlled path connects application inputs to the CVE. The concept of reachability is crucial because it tells you if someone can exploit a vulnerability in your application; if not, you can consider this vulnerability a low priority for mitigation.
Qwiet preZero supports both Linux- and Windows-based containers; however, you can analyze Windows-based containers only using Windows machines at this time.