What’s the Best Container Image Security Tool for a Growing Team?

Asked By CleverCat92 On

I've recently taken over a DevOps team after the previous leader's abrupt departure. It seems like they overlooked the fact that Bitnami now has a paid model, and I'm left to figure this out. We're currently using various open-source images like Python, ArgoCD, and Istio, and while we're scanning for vulnerabilities with Trivy, we're getting flooded with irrelevant alerts. I'm looking for a tool that can deal with vulnerability fatigue, integrate well into our CI/CD pipeline, and keep the team happy. Also, are companies just accepting the costs of their base images on Bitnami while managing vulnerabilities themselves? If not, what tools are you all using? Our team has around 50 developers and 5 in DevOps, including me.

8 Answers

Answered By UnifiedRegistryFan On

While it can be a bit pricey, we use an org-level universal registry with built-in security features that help cut through the noise. It supports multiple platforms like npm, Python, and Docker, which makes it easier for us. Combining Trivy, Renovate, and Grype could work well until you're ready to invest in more advanced tools.
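The "flooded with irrelevant alerts" problem from the question and the Trivy + Renovate combination suggested above can be tackled without buying anything: Trivy's own `--ignore-unfixed` and `--severity HIGH,CRITICAL` flags already drop part of the noise at scan time, and the rest is a post-processing step over its `--format json` output. The script below is an added illustration written for this thread; it is not code from any poster, from Trivy, or from Renovate. It relies on the real layout of a Trivy JSON report (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), but the report contents, the `CVE-0000-000x` identifiers and the expiring accepted-risk list are constructed sample data, and the accepted-risk file format is a hypothetical team policy, not Trivy's `.trivyignore`.

```python
"""Triage a Trivy JSON report so only actionable findings reach the team.

Added example for the thread, not project code. The report below is
constructed sample data with placeholder CVE ids; the field names follow
Trivy's real `--format json` layout.
"""
import json
from collections import defaultdict
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: two scan targets, one finding duplicated across them.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example-app (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
             "InstalledVersion": "1.2.0-1", "FixedVersion": "1.2.1-1", "Severity": "HIGH"},
            # Critical but no fix released yet: nothing to upgrade to.
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
             "InstalledVersion": "1.2.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
             "InstalledVersion": "3.0.0", "FixedVersion": "3.0.2", "Severity": "LOW"},
        ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": [
            # Same package/CVE reported again under a second target.
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
             "InstalledVersion": "1.2.0-1", "FixedVersion": "1.2.1-1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somelib",
             "InstalledVersion": "2.0.0", "FixedVersion": "2.0.5", "Severity": "HIGH"},
        ]},
    ]
})

# Hypothetical accepted-risk policy: CVE id -> expiry date (ISO 8601 string).
# Risk acceptances must expire, otherwise the list silently grows forever.
ACCEPTED = {"CVE-0000-0004": "2099-01-01"}


def triage(report_json, min_severity="HIGH", accepted=None, today=None):
    """Split a Trivy report into (actionable, watch, dropped_counts).

    actionable: at/above min_severity AND a fixed version exists -> open a PR.
    watch:      at/above min_severity but no fix yet -> track, do not page anyone.
    dropped_counts: why everything else was filtered, so the noise stays auditable.
    """
    accepted = accepted or {}
    today = today or date.today().isoformat()  # ISO strings compare correctly
    threshold = SEVERITY_RANK[min_severity]
    seen, actionable, watch = set(), [], []
    dropped = defaultdict(int)
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"])
            if key in seen:               # same finding under another target
                dropped["duplicate"] += 1
                continue
            seen.add(key)
            expiry = accepted.get(v["VulnerabilityID"])
            if expiry and expiry >= today:  # acceptance still valid
                dropped["accepted"] += 1
                continue
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                dropped["below_severity"] += 1
                continue
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                     "severity": v["Severity"], "target": result.get("Target", "")}
            (actionable if entry["fixed"] else watch).append(entry)
    return actionable, watch, dict(dropped)


def upgrade_plan(actionable):
    """Collapse actionable findings into one upgrade task per package."""
    plan = {}
    for e in actionable:
        task = plan.setdefault(e["pkg"], {"installed": e["installed"], "fixed": set(), "cves": set()})
        task["fixed"].add(e["fixed"])
        task["cves"].add(e["id"])
    return {pkg: {"installed": t["installed"], "fixed": sorted(t["fixed"]),
                  "cves": sorted(t["cves"])} for pkg, t in plan.items()}


if __name__ == "__main__":
    act, wat, why = triage(SAMPLE_REPORT, accepted=ACCEPTED, today="2025-01-01")
    print("actionable:", act)
    print("watch (no fix yet):", wat)
    print("dropped:", why)
    print("upgrade plan:", upgrade_plan(act))
```

Run it against a real report with `trivy image --format json -o report.json <image>` and feed the file to `triage`; the `watch` list is the part worth keeping an eye on, because a critical with no fixed version is exactly the case a blanket `--ignore-unfixed` hides. The expiring acceptance list is deliberately a separate input so that risk decisions are reviewed rather than permanently silenced.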

Answered By BudgetWiseDev On

If budget allows, consider options like Echo, Google Distroless, or RHEL. Red Hat has a project called Hummingbird that might be worth looking into as well.

Answered By TrendyTechie On

What's your ultimate goal here? Most security scanners basically check version numbers against vulnerability databases, which isn't that helpful. I’ve had success keeping things updated with Renovatebot – it might be all you really need!

CleverCat92 -

Thanks for that tip! I'm looking to minimize alerts and focus on development. I'll definitely check out Renovatebot!

Answered By EchoLight234 On

I started using Echo for container images a few months back to reduce the number of vulnerabilities, and it helped a lot with the Bitnami issue too. It's not free, but it cuts down on the unnecessary noise from Trivy that's probably wasting your time. Just swap your old base images for Echo's. Also, how did your old boss miss this change?

Answered By DistrolessDude On

Check out distroless images for better security. I believe that scanning isn’t all that useful unless you get a third-party solution. Focus on your software supply chain and any code vulnerabilities instead.

Answered By GrypeUser27 On

Grype is a solid open-source scanner if you just need something functional. Secure base images are the best approach, of course. Docker might be releasing their own tool in this space, but I’m not sure if it’s out yet.

Answered By SnykFan99 On

Consider Snyk; it integrates well with CI/CD and manages vulnerabilities effectively. It might help reduce alert fatigue, but it won't solve everything.

Answered By SecuredDevGuru On

I'm a fan of using base images that are secure by design. If you have good base images, many problems will take care of themselves. Echo is a solid option to consider.
