Aqua Blog
Expert insight, best practices and advice on cloud native security, trends, threat intelligence and compliance
Trivy v0.29.0 Release: RBAC, Helm, Custom Extensions, and More

Trivy v0.29.0 Release: RBAC, Helm, Custom Extensions, and More

The new Trivy release is out! As ever, there are tons of exciting updates and features, such as role-based access control (RBAC) and Helm chart scanning, support for custom extensions, a Trivy Operator Lens integration, and many more. Read on for feature highlights and try them out.

Continue reading ›
GitHub Bug Allowed Third-party Apps to Gain Elevated Permissions

GitHub Bug Allowed Third-Party Apps to Gain Elevated Permissions

We learned about a bug in GitHub that for about five days at the end of February allowed third-party applications connected to GitHub to generate new scoped installation tokens with elevated permissions. For example, if you connected the Codecov app to your GitHub account with read-only access to your repositories, …

Continue reading ›
Public Travis CI Logs (Still) Expose Users to Cyber Attacks

Public Travis CI Logs (Still) Expose Users to Cyber Attacks

In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials …

Continue reading ›
Trivy’s Journey Continues: First Unified Scanner for Cloud Native Security

Trivy’s Journey Continues: First Unified Scanner for Cloud Native Security

Over the past few years, the Aqua Trivy scanner has become a must-have tool in many developers’ toolkits, enabling them to easily shift left and secure artifacts before production. With a tremendous community of over 100,000 users and contributors from leading tech companies, Trivy is the most popular open source …

Continue reading ›
Detecting and Analyzing an Apache Struts Exploit with Tracee

Detecting and Analyzing an Apache Struts Exploit with Tracee

When running third-party applications in your cloud environments, you inherently put your workloads at greater risk. This is especially the case when the third-party software exposes some API function to the public web. Apache Struts 2 is a popular open source cross-platform web application framework, used by many …

Continue reading ›
Integrate OSS Container Vulnerability Data with Aqua and Sonatype Nexus

Integrate OSS Container Vulnerability Data with Aqua and Sonatype Nexus

The rise in software supply chain attacks presents a profound challenge to the cornerstone of DevOps practices: the heavy use and reuse of open source software (OSS). Aqua Security extends visibility into risks across the software stack – and helps teams maintain a clear view into their software bills of materials …

Continue reading ›
How Bayad is Securing Payment Collections for the Philippines

How Bayad is Securing Payment Collections for the Philippines

Digital innovation in the finance sector is an incredibly stressful proposition. The terms digital wallet and GDPR both fit into the same sentence; however, even this heavily regulated segment must turn to digital transformation to stay competitive and keep customers loyal. Enter Bayad, the largest multi-channel …

Continue reading ›
Unlimited Container Image Scanning in Docker Desktop with Trivy

Unlimited Container Image Scanning in Docker Desktop with Trivy

A core part of shifting security left is to check your artifacts and their dependencies for vulnerabilities as early in the dev lifecycle as possible. Whether you’re building your own container images or using third-party images, the Trivy Docker Desktop integration allows you to easily scan any container image …

Continue reading ›
Gartner Report for SBOMs: Key Takeaways You Should Know

Gartner Report for SBOMs: Key Takeaways You Should Know

In its recent Innovation Insight for SBOMs report,* Gartner highlights the benefits of using software bills of materials (SBOMs) to secure modern, fast-paced DevOps pipelines. SBOMs shed light on blind spots in the software supply chain by enumerating all proprietary and open source components and enable the effective …

Continue reading ›
Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages?

Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages?

Aqua’s Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it. Up until recently, npm allowed adding anyone as a maintainer of the package without notifying these users or getting their consent. Since you …

Continue reading ›
Fortune 1000 CISOs: Active Protection is Key to Cloud Native Security

Fortune 1000 CISOs: Active Protection is Key to Cloud Native Security

What is the CISO approach to securing cloud native applications? Our recent survey of CISOs at Fortune 1000 companies gives a view into their perspectives on the critical security capabilities that allow for speed and agility while reducing friction between teams and preserving business continuity. According to the …

Continue reading ›

Subscribe to Email Updates

Popular Posts

Filter by Topic

Show more...