Improve container scanning to include other potential vulnerabilities

Release notes

Our current container scanning process primarily focuses on vulnerabilities in packages installed through package managers. While this approach catches many issues, it leaves significant security gaps that could be exploited.

Problem to solve

Container scanning should not be limited to checking only the package management system. This narrow focus misses potential vulnerabilities in:

  1. Pre-compiled binaries
  2. Manually installed software
  3. Custom scripts and configuration files
  4. Vulnerabilities introduced in intermediate layers

Proposal

Implement a multi-faceted scanning approach that includes:

  • Full Filesystem Scan: Scan all files within the container, not just those managed by package systems.
  • Binary Analysis: Implement tools that can analyze pre-compiled binaries for known vulnerabilities.
  • Layer-by-Layer Analysis: Scan each layer of the container independently to catch vulnerabilities that might be obscured in the final image.
  • Script and Configuration Analysis: Implement scanning for misconfigurations or vulnerable patterns in scripts and config files.
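The following is an added example, not GitLab's container scanning code or any part of this proposal's implementation. It illustrates two of the points above (Full Filesystem Scan and Layer-by-Layer Analysis) on two constructed, in-memory OCI-style tar layers and a constructed package-manager inventory: every regular file in every layer is inspected, ELF binaries that no package owns are flagged, and a file that a later layer deletes with a whiteout entry is still reported because the earlier layer ships it even though it is absent from the merged image. Names such as `scan_layers`, `PKG_OWNED` and the sample paths are assumptions for the demonstration.

```python
"""Added example (not GitLab's code): scan constructed OCI-style image layers
one by one so that files hidden from the final rootfs are still examined, and
flag ELF binaries that the package-manager inventory does not account for.
"""
import io
import tarfile
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
WHITEOUT_PREFIX = ".wh."
OPAQUE_WHITEOUT = ".wh..wh..opq"

# Constructed stand-in for a dpkg/rpm-style list of package-managed paths.
PKG_OWNED = {"usr/bin/curl"}


@dataclass
class Finding:
    layer: int
    path: str
    reason: str


def _norm(name: str) -> str:
    """Normalize tar member names ('./usr/bin/x', '/usr/bin/x') to 'usr/bin/x'."""
    if name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def _build_layer(files: dict) -> bytes:
    """Construct an in-memory tar layer (OCI image layers are tarballs)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_layers(layers: list, pkg_owned: set) -> list:
    """Scan each layer independently instead of only the flattened final rootfs.

    - Every regular file in every layer is opened (full filesystem scan).
    - ELF binaries whose path is not in the package inventory are flagged.
    - A whiteout entry (.wh.<name>) in a later layer removes <name> from the
      merged image, but the earlier layer still carries it; report that too.
    """
    findings = []
    seen = {}  # normalized path -> index of the layer that added it
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            for member in tar.getmembers():
                name = _norm(member.name)
                base = name.rsplit("/", 1)[-1]
                if base == OPAQUE_WHITEOUT:
                    continue  # opaque directory whiteout; not a single-file deletion
                if base.startswith(WHITEOUT_PREFIX):
                    hidden = name[: len(name) - len(base)] + base[len(WHITEOUT_PREFIX):]
                    if hidden in seen:
                        findings.append(Finding(
                            seen[hidden], hidden,
                            f"deleted in layer {idx} but still present in layer {seen[hidden]}"))
                    continue
                if not member.isfile():
                    continue
                seen[name] = idx
                head = tar.extractfile(member).read(len(ELF_MAGIC))
                if head.startswith(ELF_MAGIC) and name not in pkg_owned:
                    findings.append(Finding(idx, name, "ELF binary not owned by any package"))
    return findings


def sample_layers() -> list:
    """Constructed two-layer image used for the demonstration."""
    elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # fake ELF header prefix
    layer0 = _build_layer({
        "./usr/bin/curl": elf,               # package-managed: no finding
        "./usr/local/bin/legacy-tool": elf,  # hand-copied binary, not in inventory
        "./etc/app.conf": b"debug = true\n",
    })
    layer1 = _build_layer({
        "./usr/local/bin/.wh.legacy-tool": b"",  # whiteout: gone from merged rootfs
        "./opt/vendor/agent": elf,
    })
    return [layer0, layer1]


if __name__ == "__main__":
    for f in scan_layers(sample_layers(), PKG_OWNED):
        print(f"layer {f.layer}: {f.path}: {f.reason}")
```

Running the block reports `legacy-tool` twice (once as an unowned binary in layer 0, once because layer 1 whites it out while layer 0 still ships it) and `opt/vendor/agent` once; a scan of only the merged filesystem would see neither `legacy-tool` finding. Real binary analysis would go on to fingerprint the ELF (build ID, embedded version strings) against an advisory database; identification by magic bytes is the first step only.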

Intended users

Feature Usage Metrics

n/a

Does this feature require an audit event?

not sure