Tutorial: Detecting new vulnerabilities in pull requests
Each change to your codebase can inadvertently introduce new vulnerabilities. The answer isn't to slow or stop shipping but to ensure that your changes are checked for net new vulnerabilities before merging a pull request. This method can be tricky for containerized applications where vulnerabilities can enter in any container layer from the OS to your application.
Vulnerability scanning approaches that look only at the git repo can turn up false positives that are fixed in a later stage of image creation. Similarly, scanning an image without knowing the vulnerabilities that already exist in the target branch makes it very difficult to identify net new vulnerabilities in a pull request.
To address these problems, we recently shipped support for detecting new vulnerabilities introduced in pull requests so that you can find and fix them. We detect new container and dependency vulnerabilities by looking at an image built from the pull request branch and comparing it against the image built from the target branch. This approach gives you an effective way to detect and address new critical vulnerabilities before they hit production.
There are just a few setup steps needed to tie the requisite information together:
- Connect Atomist to your container registry. This connection is used to read and scan images for vulnerabilities. We integrate with ECR, GCR, Docker Hub, and GitHub Container Registry. Just pick your registry and configure it in our app. See the Integration section of the docs for more info.
- Enable container builds on your pull requests. You may already do this, but if not, just turn on support in your particular CI/docker build step to also build on pull requests and push to your registry.
- Link commits to the images built from them. By linking the commit to the image, we can compare the vulnerabilities found in the image built from a pull request branch to the vulnerabilities found in an image built from your target branch (e.g.
main) and report on the diff — vulnerabilities added and removed by the pull request.
An easy way to try it out
To quickly see this in action, we created an in-app tutorial that uses a GitHub Action and the GitHub Container Registry. The use of a GitHub Action and GHCR simplifies the process and uses just one integration — GitHub.
The tutorial takes you through:
- Forking the
- Enabling a GitHub Action in the tutorial repo to build and push the docker image
- Pushing a commit to trigger the image build, publish and vulnerability scan
- Adding a new vulnerability via a new pull request, then see the new vulnerability detected
- Setting an image as the deployed version so that you can also compare vulnerabilities in a pull request to the last deployed version to know if the PR makes things "worse than prod."
Give it a try
Head to https://dso.atomist.com/ and get started with your GitHub ID. Look for the guided tutorial after you've connected your GitHub account.