Aqua Blog

Image Vulnerability Scanning

Trivy Can Now Scan Unpackaged Binary Files

Trivy Can Now Scan Unpackaged Binary Files

Trivy, the all-in-one security scanner, is now able to scan binary files in your scan targets such as container images.Most security scanners rely on package managers to discover vulnerabilities. Trivy now uses Rekor from Sigstore to look up the hash of a binary file. If a relevant SBOM is found through the hash, …

Continue reading ›
Find the New OpenSSL Vulnerabilities with Trivy

Find the New OpenSSL Vulnerabilities with Trivy

Today, OpenSSL announced two new CVEs and mitigation recommendations. This blog provides guidance as to how you can identify the Open SSL vulnerability using Trivy. To both identify and mitigate the vulnerability, see this blog post Updated Security Advisory: New OpenSSL Vulnerabilities about mitigation with assurance …

Continue reading ›
Updated Security Advisory: New OpenSSL Vulnerabilities

Updated Security Advisory: New OpenSSL Vulnerabilities

The OpenSSL project has pre-announced a new and critical severity vulnerability, which was downgraded to High as of today, Nov. 1, 2022. The initial pre-announcement blog has been updated here to reflect additional remediation guidance.

Continue reading ›
Trivy: The Universal Scanner to Secure Your Cloud Migration

Trivy: The Universal Scanner to Secure Your Cloud Migration

Application security teams are challenged today with the need for a centralized view of exposure to security issues like Log4j and Spring4Shell. But an exploding set of artifacts and security tools makes it prohibitively difficult to secure the development life cycle. A universal scanner drastically reduces this …

Continue reading ›
Trivy v0.29.0 Release: RBAC, Helm, Custom Extensions, and More

Trivy v0.29.0 Release: RBAC, Helm, Custom Extensions, and More

The new Trivy release is out! As ever, there are tons of exciting updates and features, such as role-based access control (RBAC) and Helm chart scanning, support for custom extensions, a Trivy Operator Lens integration, and many more. Read on for feature highlights and try them out.

Continue reading ›
CVE-2021-44832: New Arbitrary Code Execution Vulnerability in Log4j

CVE-2021-44832: New Arbitrary Code Execution Vulnerability in Log4j

This holiday season, adversaries aren’t taking a vacation, massively exploiting multiple vulnerabilities in Log4j, a highly popular Java logging library. Amid the ongoing efforts of organizations to patch their vulnerable systems, a new Log4j vulnerability, tracked as CVE-2021-44832, has been discovered. It allows for …

Continue reading ›
CVE-2021-45046: Second Log4j Security Vulnerability Discovered

CVE-2021-45046: Second Log4j Security Vulnerability Discovered

Dec 17 update: The CVSSv3 score for CVE-2021-45046 has been raised from 3.7 to 9.0.

While many organizations are still dealing with the discovery and mitigation process for the previous Log4j CVE, the project has announced that another vulnerability CVE-2021-45046 has been discovered due to an incomplete fix in Log4j …

Continue reading ›
CVE-2021-44228 aka Log4Shell Vulnerability Explained

CVE-2021-44228 aka Log4Shell Vulnerability Explained

Log4Shell, a new, critical zero-day vulnerability that crashed onto the scene last Friday, shows how issues that are hidden in seemingly basic functionality can have major repercussions for enterprise security. When the dust settles from the immediate incident response and remediation, organizations should assess how …

Continue reading ›
Golang Scanning with Trivy: Detect Vulnerabilities Accurately

Golang Scanning with Trivy: Detect Vulnerabilities Accurately

A standard piece of security advice is to reduce the size of your container images, usually by using statically compiled binaries in a scratch or distroless container. However, that complicates container vulnerability scanning, because it becomes impossible to determine the versions of software installed in a …

Continue reading ›
What is a CNAPP and How to Choose the Right One

What is a CNAPP and How to Choose the Right One

A prospect’s CISO recently asked me: “I’m facing a growing stream of vulnerabilities coming from our CI/CD pipelines on the one hand, while our SecOps team is flooded with alerts and configuration issues from our production environment. How do I reconcile those separate streams and focus on what’s really important?

Continue reading ›
A Brief Guide to Supply Chain Security Best Practices

A Brief Guide to Supply Chain Security Best Practices

With the rise in attacks targeting the supply chain of cloud native applications, it’s important to understand how you can prepare for and stifle risks that enter your environments through third-party packages and tools. This post outlines the top software supply chain security best practices that should be included …

Continue reading ›