I'm overseeing a multi-cloud setup with AWS and GCP, and our development pipeline is pretty secure. However, I'm facing a challenge with our SCA and CSPM tools that are bombarding us with alerts, many of which are about non-critical issues. For instance, we're receiving alerts for packages that aren't being called or libraries that exist in container images but don't impact runtime. I'm looking for ways to minimize this noise while maintaining our security policies, which means no agents or repository scanning. I'm wondering if anyone has found effective solutions to this issue?
2 Answers
If you're getting alerts for libraries that never get used, you might want to consider using a more streamlined container. It's worth checking if you really need all those libraries in your containers, or if you can remove unnecessary ones before you deploy.
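As an added illustration of the "streamlined container" advice above (not code from the answerer or from any vendor), here is a multi-stage Dockerfile for an assumed Python service with a `requirements.txt` and a `psycopg2`-style dependency that needs `libpq`. The build toolchain, headers and pip cache stay in the builder stage; only the wheels and the single runtime library are copied into the final image, so the SCA/CSPM scanner has far fewer never-executed packages to complain about:

```dockerfile
# Stage 1: build wheels here, where compilers and -dev headers are allowed to exist.
FROM python:3.12-slim AS builder
RUN apt-get update \
    && apt-get install -y --no-install-recommends build-essential libpq-dev \
    && rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
# Produce wheels only; nothing is installed into this stage's site-packages.
RUN pip wheel --no-cache-dir --wheel-dir /wheels -r requirements.txt

# Stage 2: runtime image. Nothing from the builder's toolchain is copied across.
FROM python:3.12-slim
# Only the runtime half of libpq is needed; libpq-dev and build-essential stay behind.
RUN apt-get update \
    && apt-get install -y --no-install-recommends libpq5 \
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /wheels /wheels
# Install from the local wheelhouse without touching the network, then delete it.
RUN pip install --no-cache-dir --no-index --find-links /wheels /wheels/*.whl \
    && rm -rf /wheels
COPY app/ /app
# Run unprivileged; no shell or package manager is needed at runtime.
USER 65534:65534
CMD ["python", "/app/main.py"]
```

Diffing the package list of the two images (for example with `apt list --installed` in each stage) is a quick way to see how many findings were really about build-time dependencies that never reached production.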
We faced similar challenges and recently tested a beta feature from our CSPM vendor, Orca. They offer reachability analysis, which checks only the live containers for what's actually executed without accessing your code. It has drastically cut down our critical alerts—over 90% fewer that we need to manually dismiss!
That sounds interesting. Did this feature require any invasive runtime tracing?
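To make the reachability idea from the second answer concrete without any vendor product, here is an added Python example (constructed for this thread, not Orca's or anyone else's code). It assumes the host can read `/proc/<pid>/maps` for a container's processes, which needs no in-container agent and no access to source repositories: a package whose files are mapped into a running process is treated as reachable, a package whose files never appear is dormant and gets deprioritised, except that critical findings are kept for review regardless, since the point is to cut noise, not to weaken policy. All alert IDs, package names, paths and the maps excerpt are made up:

```python
"""Triage SCA alerts by runtime reachability (constructed example).

A package whose files are mapped into a live process is reachable; a package
whose files are never mapped is dormant noise. Reading /proc/<pid>/maps from
the host side needs neither an in-container agent nor repository access.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Alert:
    alert_id: str
    package: str
    severity: str      # "CRITICAL", "HIGH", "MEDIUM", "LOW"
    paths: tuple       # files the package installs into the image


# Constructed SCA findings: placeholder ids, not real vulnerabilities.
SAMPLE_ALERTS = [
    Alert("SCA-0001", "openssl", "CRITICAL",
          ("/usr/lib/x86_64-linux-gnu/libssl.so.3",
           "/usr/lib/x86_64-linux-gnu/libcrypto.so.3")),
    Alert("SCA-0002", "libxml2", "HIGH",
          ("/usr/lib/x86_64-linux-gnu/libxml2.so.2",)),
    Alert("SCA-0003", "curl", "MEDIUM",
          ("/usr/bin/curl", "/usr/lib/x86_64-linux-gnu/libcurl.so.4")),
    Alert("SCA-0004", "zlib", "HIGH",
          ("/usr/lib/x86_64-linux-gnu/libz.so.1",)),
    Alert("SCA-0005", "libpng", "CRITICAL",
          ("/usr/lib/x86_64-linux-gnu/libpng16.so.16",)),
]

# Constructed excerpt in the /proc/<pid>/maps format for the application process.
SAMPLE_MAPS = """\
55d1a3c00000-55d1a3c21000 r--p 00000000 08:01 131 /usr/local/bin/python3.12
7f3a1c000000-7f3a1c1ff000 r-xp 00000000 08:01 4242 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a1c200000-7f3a1c6ff000 r-xp 00000000 08:01 4243 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c700000-7f3a1c71f000 r-xp 00000000 08:01 4244 /usr/lib/x86_64-linux-gnu/libz.so.1
7f3a1c800000-7f3a1c87f000 r-xp 00000000 08:01 4245 /usr/lib/x86_64-linux-gnu/libcurl.so.4 (deleted)
7f3a1c900000-7f3a1c921000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""


def loaded_files(maps_text: str) -> set:
    """Return the set of file paths mapped into a process, parsed from maps text."""
    loaded = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(parts) < 6:
            continue                  # anonymous mapping, no backing file
        path = parts[5].strip()
        if not path.startswith("/"):
            continue                  # pseudo-paths such as [heap], [stack], [vdso]
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]  # replaced on disk but still mapped
        loaded.add(path)
    return loaded


def triage(alerts: Iterable[Alert], loaded: set) -> dict:
    """Split alerts into reachable, dormant-but-critical, and deprioritised buckets."""
    buckets = {"reachable": [], "dormant_critical": [], "deprioritised": []}
    for a in alerts:
        if any(p in loaded for p in a.paths):
            buckets["reachable"].append(a.alert_id)
        elif a.severity == "CRITICAL":
            buckets["dormant_critical"].append(a.alert_id)  # policy: never auto-close criticals
        else:
            buckets["deprioritised"].append(a.alert_id)
    return buckets


def noise_reduction(buckets: dict) -> float:
    """Fraction of alerts removed from the manual-review queue."""
    total = sum(len(v) for v in buckets.values())
    return len(buckets["deprioritised"]) / total if total else 0.0


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, loaded_files(SAMPLE_MAPS))
    for bucket, ids in result.items():
        print(f"{bucket:17s} {ids}")
    print(f"deprioritised {noise_reduction(result):.0%} of alerts")
```

Two caveats when using this for real: aggregate the mapped files across every PID in the container and over a representative time window (a library loaded only by a nightly job would otherwise look dormant), and remember that `maps` only shows files that are mmapped, so pure-Python or pure-JavaScript packages need a second evidence source such as the interpreter's own module list. The deprioritised bucket is still a record of what was not reviewed, which is what an auditor will want to see.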