Scanner Registry Modules


BoostSecurity supports several scanner modules that are available through the BoostSecurity module registry. Any of the scanner modules can be configured as part of your Continuous Integration (CI) pipeline to scan your code or build artifacts for vulnerabilities. The scanners cover different security categories, such as:

The list of supported scanners is growing continuously, so check the What's New section for new scanners being released.

In the tables below, the column Pull Request Flow indicates whether the scanner module can be configured to scan in pull request flow. Scanner modules that don't support the pull request flow are meant to be configured to scan on the main branch's flow.

  • Some scanners require environment variables to be set, for example to scan generated artifacts such as container images: the scanner reads the name of the image to scan from an environment variable.
  • The tables below include a Configuration column indicating which environment variables, if any, must be set for each scanner.

Container Image Scanning


Scanner: Trivy Image
registry_module name: boostsecurityio/trivy-image
Pull Request Flow: no
Configuration: BOOST_IMAGE_NAME
Description: Scans container images for vulnerabilities using the trivy CLI's image command. The module reads the image to scan from the BOOST_IMAGE_NAME environment variable, so the CI workflow must call it after the container image has been built and with BOOST_IMAGE_NAME set to that image's name.

Example


Assuming that you're using GitHub Actions, add the following stanza to the action where you would like to scan an image:

- name: trivy-image
  uses: boostsecurityio/boostsec-scanner-github@v4
  with:
    registry_module: boostsecurityio/trivy-image
    api_token: ${{ secrets.BOOST_API_TOKEN }}
  env:
    # name of the image built earlier in the workflow (image:tag as known to the local Docker daemon)
    BOOST_IMAGE_NAME: xxxxxxxx

Software Bill of Materials


Scanner: Trivy SBOM
registry_module name: boostsecurityio/trivy-sbom
Pull Request Flow: no
Configuration: -
Description: Collects the component inventory (SBOM) from source code using the trivy CLI.

Scanner: Trivy SBOM for container images
registry_module name: boostsecurityio/trivy-sbom-image
Pull Request Flow: no
Configuration: BOOST_IMAGE_NAME
Description: Collects the component inventory (SBOM) from a container image using the trivy CLI. The BOOST_IMAGE_NAME environment variable must be set to the name of the container image to scan, so the CI workflow must call this module after the image has been built and with BOOST_IMAGE_NAME set to that image's name.
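Both image-based modules above (trivy-image and trivy-sbom-image) have the same ordering requirement: the image must exist before the scanner step runs, and BOOST_IMAGE_NAME must name exactly that image. The following complete GitHub Actions workflow is an added example, not part of the original page or of the BoostSecurity project; the workflow name, the repository image name ghcr.io/example-org/example-app and the use of the commit SHA as the tag are assumptions. The module names, the boostsec-scanner-github@v4 action and its registry_module and api_token inputs are taken from the page.

```yaml
name: container-scan

# Neither trivy-image nor trivy-sbom-image supports the pull request flow,
# so this workflow runs on the main branch flow.
on:
  push:
    branches: [main]

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    env:
      # Assumed image name. Tagging with the commit SHA ties the scan result
      # to a single build; any tag the local Docker daemon can resolve works.
      IMAGE_NAME: ghcr.io/example-org/example-app:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      # The image has to exist before either scanner step runs.
      - name: build image
        run: docker build -t "$IMAGE_NAME" .

      # Vulnerability scan of the freshly built image.
      - name: trivy-image
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/trivy-image
          api_token: ${{ secrets.BOOST_API_TOKEN }}
        env:
          BOOST_IMAGE_NAME: ${{ env.IMAGE_NAME }}

      # SBOM of the same image, using the same env var so both steps
      # scan the same artifact.
      - name: trivy-sbom-image
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/trivy-sbom-image
          api_token: ${{ secrets.BOOST_API_TOKEN }}
        env:
          BOOST_IMAGE_NAME: ${{ env.IMAGE_NAME }}
```

Defining IMAGE_NAME once at job level and passing it to both steps avoids the common mistake of building one tag and scanning another (for example a stale tag pulled from a registry). Placing the scan steps before any push step means the scan runs against the image that was actually built in this job, before it is published.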