vet VS trivy

I am working on a next-gen software composition analysis tool that can identify malicious open source packages through code analysis. Adopts a policy as code (CEL) approach to build security guardrails against risky OSS components using opinionated policies.

GitHub: https://github.com/safedep/vet

Our free and open source tool vet is integrated with the SafeDep Cloud Package Scanning Service and can be used to detect malicious packages before they are installed. vet-action is a GitHub Action that can be used to establish proactive guardrails against malicious open source packages in your GitHub Actions workflows.

Explore about SafeDep on GitHub - https://github.com/safedep/vet

Not sure if it’s relevant because you specifically mentioned about B2C.

For cyber security product, we took the open source route. We build our core technology in public as open source project.

https://github.com/safedep/vet

The commercial SaaS is for scaling and management. Our entire funnel is based on OSS. Folks who have already found value and is looking to scale their deployment.

This model works for us especially at our current stage where we are 100% engineering led.

May be try out vet as well: https://github.com/safedep/vet

vet is backed by a code analysis engine that performs malicious package (npm, pypi etc.) scanning. We recently extended it to support GitHub repository scanning as well.

It found the malicious behaviour in mcp-servers-example/bad-mcp-server.js

➡️ https://github.com/safedep/vet

Malicious code in open sources is real and people get hacked due to it as we have seen with changed-files incident, ultralytics hack and multiple such incidents. vet now supports identification of malicious OSS packages through active code analysis.

I think the conventional approach of checking for vulnerabilities in 3rd party dependencies by querying CVE or some other database has set the current behaviour i.e. if its not vulnerable it must be safe. This implicit trust on vulnerability databases has been exploited in the wild to push malicious code to downstream users.

I think we will see security tools shifting towards "code" as the source of truth when making safety and security decision about 3rd party packages instead of relying only on known vulnerability databases.

Take a look at vet, we are working on active code analysis of OSS packages (+ transitive dependencies) to look for malicious code: https://github.com/safedep/vet

Trivy Security scanning tool

Trivy (scan for vulnerabilities): https://github.com/aquasecurity/trivy

That particular structure hasn't really taken off, but the general idea of having unique-ish token formats that can be mapped back to a provider is becoming more popular.

Trivy has a pretty good collection of examples that is used for its secret scanning functionality, https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/se....

Software Bill of Materials (SBOM): Knowing what’s in your software is the new cool. Tools like Syft and Trivy can generate SBOMs as part of your CI/CD pipeline, enhancing supply chain security.

Trivy: security scanner for IaC and dependencies

Prior to deploying kubernetes manifest files to EKS Cluster, supplementary steps need to be added to prevent security and misconfiguration issue by using both *Checkov *and Trivy . Also, we will use seperate ArgoCD account from admin user that we’ve used in the previous lab. This will follow ArgoCD RBAC rule to secure ArgoCD and EKS cluster ultimately.

Regularly scan your Docker images for vulnerabilities using tools like Trivy or Clair.

Since I'm working on a Windows machine, I went straight to the Trivy website (https://aquasecurity.github.io/trivy/) to download the latest release. The official website is the best place to get the latest version of Trivy. This direct approach gives me more control over the installation process.