Security Scans

Enclave can perform Security Scans of your Docker images using Appcanary.

What is Scanned?

Security Scans look for vulnerable OS packages installed in your Docker images on supported Linux distributions:

  • Debian / Ubuntu: Security Scans scan for packages installed using dpkg or its apt-get frontend.
  • CentOS: Security Scans scan for packages installed using rpm or its frontends yum and dnf.
  • Alpine Linux: Security Scans scan for packages installed using apk.

In particular, Security Scans do not scan for:

  • Packages installed from source (e.g. using make && make install).
  • Packages installed by language-level package managers such as bundler, npm, pip, yarn, composer etc. (Appcanary does provide support for some of these, which you can integrate yourself fairly easily).
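To see what such a scan actually has to work with, the following added shell helper (an illustration written for this page, not Aptible's or Appcanary's code) locates the OS package database in an exported image root (for example the directory you get from `docker create` followed by `docker export ... | tar -x -C <dir>`) and lists the packages it records. Anything installed from source or by pip, npm, bundler and similar tools is absent from that listing, which is exactly the gap described above.

```shell
#!/bin/sh
# Hypothetical helper: inventory the OS packages a scanner would see in an
# image root. Handles the three database formats named on this page.

# Print which OS package database exists under $1:
# dpkg (Debian/Ubuntu), rpm (CentOS), apk (Alpine) or none.
detect_pkg_db() {
    root="${1:-/}"
    if [ -f "$root/var/lib/dpkg/status" ]; then echo dpkg
    elif [ -d "$root/var/lib/rpm" ]; then echo rpm
    elif [ -f "$root/lib/apk/db/installed" ]; then echo apk
    else echo none
    fi
}

# Print "name version" for each installed OS package under $1.
# dpkg and apk keep plain-text databases, so they are parsed directly
# (one blank-line-separated record per package); rpm's database is
# binary, so the rpm tool is asked to read it with --root.
list_os_packages() {
    root="${1:-/}"
    case "$(detect_pkg_db "$root")" in
        dpkg) awk 'BEGIN { RS=""; FS="\n" }
            { name=""; ver=""; installed=0
              for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) name = substr($i, 10)
                else if ($i ~ /^Version: /) ver = substr($i, 10)
                else if ($i ~ /^Status: .* installed$/) installed = 1
              }
              # skip removed packages whose config files remain
              if (installed && name != "") print name, ver }' \
            "$root/var/lib/dpkg/status" ;;
        apk) awk 'BEGIN { RS=""; FS="\n" }
            { name=""; ver=""
              for (i = 1; i <= NF; i++) {
                if ($i ~ /^P:/) name = substr($i, 3)
                else if ($i ~ /^V:/) ver = substr($i, 3)
              }
              if (name != "") print name, ver }' \
            "$root/lib/apk/db/installed" ;;
        rpm) rpm --root "$root" -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ;;
        *) echo "no supported OS package database under $root" >&2; return 1 ;;
    esac
}
```

Run it against an exported image root, then compare the output with what `pip list` or `npm ls` reports inside the same image to see which components fall outside the scan's coverage.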

Accessing Scans

Scans are available in two ways:

  • Ad-hoc scans via the Aptible Dashboard: navigate to the Security Scans tab on an App and review the list of vulnerabilities.
  • Automated scans via Appcanary: sign up for Appcanary, then contact Aptible Support with your key to enable automated scans. Your apps will be registered with Appcanary and scanned on every deploy. You’ll receive notifications when new vulnerabilities are identified.

Be mindful that ad-hoc scans may not be sufficient to satisfy audit requirements for vulnerability management. For this use case, you’ll want automated scans instead.