- Oct 3, 2022
My favorite tools to keep a zero vulnerabilities posture for Constellation
In our last post, we explored how Software Bills of Materials (SBOMs) give us a transparent view of all dependencies in Constellation. In this post, we explore how we use that information to continuously monitor for vulnerabilities and upgrade to patched versions as soon as they are available.
Grype is a vulnerability scanner for container images and filesystems. It can also read the SBOMs we previously generated with Syft and match them against its vulnerability database. Grype is great for engineers working on Constellation who want the latest vulnerability information quickly.
Dependency Track is a mature vulnerability detection and management system. Many enterprises use it to keep track of vulnerabilities in the applications they use, and it helps to manage risk in a transparent manner.
Constellation makes it easy for users to get all of this information right into Dependency Track, using the SBOMs we publish with each release. Dependency Track consumes CycloneDX, so the published SBOM is converted to that format first.
Afterward, we simply create a new project in Dependency Track and import the converted SBOM.
The Kubernetes-related findings are already fixed in Constellation, since we have upgraded to the Kubernetes patch version v1.24.6.
Make sure to also import all Constellation container images into Dependency Track to get the full view!
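The two steps above (scanning with Grype, then importing into Dependency Track) are easy to automate. The script below is an added example for this post, not code from Constellation or from either tool. It reads Grype's JSON report (as produced by `grype sbom:<sbom-file> -o json`), separates findings that can be closed right now by a dependency bump from those that need tracking and mitigation, returns a CI gate result, and builds the request body for Dependency Track's `PUT /api/v1/bom` endpoint (CycloneDX BOM sent base64-encoded, project auto-created). The Grype report and the CycloneDX snippet in the block are constructed for the example, the vulnerability identifiers are placeholders rather than real advisories, and the Dependency Track URL and API key are assumed placeholders.

```python
"""Added example: triage a Grype JSON report and prepare a Dependency Track upload.

Assumes Grype's JSON layout (matches[].vulnerability.{id,severity,fix.{state,versions}},
matches[].artifact.{name,version}) and Dependency Track's `PUT /api/v1/bom` request body.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample report; the ids are placeholders, not real advisories.
CONSTRUCTED_GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "EXAMPLE-0001", "severity": "High",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "go-module"}},
        {"vulnerability": {"id": "EXAMPLE-0002", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "othertool", "version": "0.9.0", "type": "deb"}},
        {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Low",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "thirdlib", "version": "2.0.0", "type": "go-module"}},
        {"vulnerability": {"id": "EXAMPLE-0004", "severity": "Medium",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "legacypkg", "version": "3.1.0", "type": "deb"}},
    ]
})


@dataclass
class Finding:
    vuln_id: str
    severity: str
    package: str
    installed: str
    fix_state: str        # Grype uses "fixed", "not-fixed", "wont-fix" or "unknown"
    fixed_in: List[str]

    @property
    def fix_available(self) -> bool:
        return self.fix_state == "fixed" and bool(self.fixed_in)


def parse_grype_report(report_json: str) -> List[Finding]:
    """Flatten Grype's 'matches' array into Finding records."""
    findings = []
    for match in json.loads(report_json).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        findings.append(Finding(
            vuln_id=vuln["id"],
            severity=vuln.get("severity", "Unknown"),
            package=artifact["name"],
            installed=artifact["version"],
            fix_state=fix.get("state", "unknown"),
            fixed_in=list(fix.get("versions", [])),
        ))
    return findings


def _at_least(finding: Finding, min_severity: str) -> bool:
    return SEVERITY_RANK.get(finding.severity, 0) >= SEVERITY_RANK[min_severity]


def upgrade_candidates(findings: List[Finding], min_severity: str = "Medium") -> List[Finding]:
    """Findings at or above the threshold that upstream has already fixed.
    These can be closed immediately by bumping the dependency; most severe first."""
    hits = [f for f in findings if f.fix_available and _at_least(f, min_severity)]
    return sorted(hits, key=lambda f: -SEVERITY_RANK.get(f.severity, 0))


def needs_tracking(findings: List[Finding], min_severity: str = "High") -> List[Finding]:
    """Findings at or above the threshold with no fix to upgrade to: these are the
    ones to record and mitigate in Dependency Track rather than wait on."""
    return [f for f in findings if not f.fix_available and _at_least(f, min_severity)]


def gate(findings: List[Finding], min_severity: str = "Medium") -> int:
    """CI exit code: 1 while any fixable finding at or above the threshold remains."""
    return 1 if upgrade_candidates(findings, min_severity) else 0


def build_bom_upload(project_name: str, project_version: str, cyclonedx_bom: bytes) -> Dict[str, object]:
    """Request body for Dependency Track's `PUT /api/v1/bom`: the BOM travels base64-encoded
    and autoCreate lets the server create the project (e.g. one per Constellation release)."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(cyclonedx_bom).decode("ascii"),
    }


def upload_bom(base_url: str, api_key: str, payload: Dict[str, object]) -> int:
    """PUT the payload to Dependency Track and return the HTTP status (needs network)."""
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(request) as response:
        return response.status


if __name__ == "__main__":
    found = parse_grype_report(CONSTRUCTED_GRYPE_REPORT)
    for f in upgrade_candidates(found, "Low"):
        print(f"UPGRADE {f.package} {f.installed} -> {f.fixed_in[0]} ({f.vuln_id}, {f.severity})")
    for f in needs_tracking(found, "High"):
        print(f"TRACK   {f.package} {f.installed} ({f.vuln_id}, {f.severity}, {f.fix_state})")
    # Assumed placeholders: replace with your Dependency Track URL and API key.
    body = build_bom_upload("constellation", "v2.1.0", b'{"bomFormat":"CycloneDX"}')
    # upload_bom("https://dtrack.example.internal", "<api-key>", body)
    raise SystemExit(gate(found, "Medium"))
```

In CI, run the gate against the SBOM of every release artifact and container image, so that a finding that upstream has already patched fails the build and gets bumped, while findings without a fix are uploaded to Dependency Track where they can be triaged and tracked instead of silently accumulating.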
Scanning and analyzing SBOMs is essential for us and our users to stay informed about known vulnerabilities in Constellation and update as soon as possible!
Follow Edgeless Systems to learn, in our next post, why we also sign our SBOMs using Cosign!