Milliways

Security scanning

by Ty Myrddin

Published on April 18, 2022

Snyk as PyCharm extension

None of the tools or their underlying databases will catch everything. Security vulnerability scanners built for checking Python dependencies are not sufficient for Conda environments or Docker containers, because they only understand Python packages. Conda combines Python dependencies with system packages, and basing Docker containers on existing containers can open up a can of worms.

Safety

Safety checks installed dependencies for known security vulnerabilities. By default, it uses the open Python vulnerability database Safety DB (updated every month), and can be upgraded to use pyup.io's Safety API (a paid service).

$ safety check

Jake

We need a tool that knows about all the different types of software that end up in the Conda package repositories, beyond just checking Python libraries. Jake supports Conda packages and relies on the Sonatype OSS Index of security vulnerabilities.

$ conda list | jake ddt -c | grep VULNERABLE

Note that if -c is omitted, Jake reports only Python vulnerabilities.
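To make the coverage gap described above concrete, here is an added example (not code from the original post) that reads `conda list` output and estimates how much of the environment a Python-only scanner such as safety can see at all, and how much is left for a Conda-aware tool such as jake ddt -c. The sample listing and the Python-vs-system classification heuristic are my own assumptions, not a Conda rule.

```python
def parse_conda_list(text):
    """Parse the default `conda list` table: '#' header lines, then columns
    Name, Version, Build and an optional Channel (blank for defaults)."""
    packages = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"unexpected conda list line: {line!r}")
        name, version, build = cols[:3]
        channel = cols[3] if len(cols) > 3 else "defaults"
        packages.append({"name": name, "version": version,
                         "build": build, "channel": channel})
    return packages

def is_python_package(pkg):
    """Heuristic (an assumption, not a Conda rule): pip-installed packages
    show channel 'pypi', and Conda builds of Python libraries use build
    strings starting with 'py' (py39..., pyhd...). Anything else, such as
    openssl or sqlite, is a system package a Python scanner never sees."""
    return pkg["channel"] == "pypi" or pkg["build"].startswith("py")

def coverage_report(text):
    """Split the environment into what a Python-only scanner covers and
    what is left for a Conda-aware scanner such as jake ddt -c."""
    packages = parse_conda_list(text)
    python_pkgs = [p["name"] for p in packages if is_python_package(p)]
    system_pkgs = [p["name"] for p in packages if not is_python_package(p)]
    return {"python": python_pkgs, "system": system_pkgs,
            "blind_spots": len(system_pkgs)}

# Constructed sample in `conda list` format, not from a real environment.
SAMPLE_CONDA_LIST = """\
# packages in environment at /home/user/miniconda3/envs/demo:
#
# Name                    Version                   Build  Channel
ca-certificates           2022.3.29            h06a4308_0
openssl                   1.1.1n               h7f8727e_0
python                    3.9.12               h12debd9_0
requests                  2.27.1             pyhd3eb1b0_0
sqlite                    3.38.2               hc218d9a_0
urllib3                   1.26.9                   pypi_0    pypi
zlib                      1.2.12               h7f8727e_2
"""

if __name__ == "__main__":
    print(coverage_report(SAMPLE_CONDA_LIST))
```

On the sample, only two of seven packages are Python libraries; the other five (including openssl and sqlite) are invisible to a scanner that only understands Python packages.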

Snyk

docker scan runs on the Snyk engine to check the security state of container images.

To be continued ...
