Experiencing NPM Infections in Continuous Integration Builds?

Asked By CuriousCoder92 On

My team recently faced a significant issue with our Node.js microservices being infected by malicious packages via transitive dependencies that we weren't even aware of. This problem was uncovered by our Software Bill of Materials (SBOM) tooling, but unfortunately, it happened after our images had already been built and tagged. We are dealing with some legacy base images that come with numerous known vulnerabilities, making it easy for serious threats to get lost in the clutter. I spent a ton of time last week trying to map out which services were impacted since our dependency graphs are so tangled. We definitely want to avoid a repeat of this disaster. Has anyone found an effective way to block these types of infections at build time without disrupting the CI pipeline?

6 Answers

Answered By ScriptGenius101 On

I found this script that you can run before package installation. It might help catch some of these issues early: https://github.com/Dpr1815/phantomraven-hunter.

Answered By CVE_Sleuth On

To cut down on the noise, you could focus on prioritizing CVEs that are included in the Known Exploited Vulnerabilities (KEV) list. This should help you manage the risks a lot better.
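As an added illustration of the KEV-first triage suggested above (example code written for this page, not the poster's or CISA's): a Node script that joins dependency-scanner findings with the Known Exploited Vulnerabilities catalog, ranks KEV-listed CVEs ahead of everything else, and reports which services carry them. The catalog and findings below are constructed sample data shaped like the CISA KEV JSON feed (`vulnerabilities[].cveID`, `dueDate`, `knownRansomwareCampaignUse`) and a typical per-service SBOM scanner export; the CVE IDs (year 0000), GHSA ID, package names and service names are synthetic.

```javascript
// Added example for this thread (not from any poster): rank dependency-scanner
// findings so that CVEs present in CISA's Known Exploited Vulnerabilities (KEV)
// catalog surface first, grouped by the service that ships them.
// Both inputs are constructed sample data so the script runs offline.

// Constructed sample in the shape of the KEV JSON feed (a top-level
// "vulnerabilities" array with cveID, dueDate, knownRansomwareCampaignUse).
// The IDs use year 0000 so they cannot collide with real CVE entries.
const KEV_CATALOG = {
  vulnerabilities: [
    { cveID: "CVE-0000-0001", dueDate: "2024-02-01", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-0000-0002", dueDate: "2024-01-15", knownRansomwareCampaignUse: "Known" },
  ],
};

// Constructed findings as an SBOM scanner might emit them: one row per
// (service, package URL) with the advisory IDs that match it. Package names,
// service names and IDs are synthetic.
const FINDINGS = [
  { service: "checkout", purl: "pkg:npm/example-lib@1.2.3", ids: ["cve-0000-0001"], severity: "moderate" },
  { service: "search",   purl: "pkg:npm/example-lib@1.2.3", ids: ["CVE-0000-0001"], severity: "moderate" },
  { service: "checkout", purl: "pkg:npm/legacy-util@0.9.0", ids: ["CVE-0000-0002", "GHSA-0000-0000-0000"], severity: "high" },
  { service: "billing",  purl: "pkg:npm/other-dep@4.0.0",   ids: ["CVE-0000-0003"], severity: "critical" },
  { service: "billing",  purl: "pkg:npm/tiny-helper@2.1.0", ids: ["CVE-0000-0004"], severity: "low" },
];

const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3 };
const CVE_RE = /^CVE-\d{4}-\d{4,}$/;

// Index the catalog by upper-cased CVE ID; scanners differ in letter case.
function buildKevIndex(catalog) {
  const index = new Map();
  for (const v of catalog.vulnerabilities) index.set(v.cveID.toUpperCase(), v);
  return index;
}

// Expand each finding into one row per advisory ID, tag KEV membership, and
// sort: KEV rows first (ransomware-linked, then earliest remediation due date),
// then everything else by scanner severity. Array.prototype.sort is stable in
// Node, so rows that compare equal keep their input order.
function prioritize(findings, catalog) {
  const kev = buildKevIndex(catalog);
  const rows = [];
  for (const f of findings) {
    for (const rawId of f.ids) {
      const id = rawId.trim().toUpperCase();
      const entry = CVE_RE.test(id) ? kev.get(id) : undefined;
      rows.push({
        id, service: f.service, purl: f.purl, severity: f.severity,
        inKev: entry !== undefined,
        dueDate: entry ? entry.dueDate : null,
        ransomware: entry ? entry.knownRansomwareCampaignUse : null,
      });
    }
  }
  rows.sort((a, b) => {
    if (a.inKev !== b.inKev) return a.inKev ? -1 : 1;
    if (a.inKev) {
      const ra = a.ransomware === "Known" ? 0 : 1;
      const rb = b.ransomware === "Known" ? 0 : 1;
      if (ra !== rb) return ra - rb;
      return a.dueDate.localeCompare(b.dueDate);
    }
    return (SEVERITY_ORDER[a.severity] ?? 99) - (SEVERITY_ORDER[b.severity] ?? 99);
  });
  return rows;
}

// Which services carry a KEV-listed CVE? This is the "fix first" list.
function kevByService(rows) {
  const out = {};
  for (const r of rows) {
    if (!r.inKev) continue;
    out[r.service] ??= [];
    if (!out[r.service].includes(r.id)) out[r.service].push(r.id);
  }
  return out;
}

const ranked = prioritize(FINDINGS, KEV_CATALOG);
for (const r of ranked) {
  console.log(`${r.inKev ? "KEV " : "    "} ${r.id.padEnd(20)} ${r.severity.padEnd(8)} ${r.service.padEnd(9)} ${r.purl}`);
}
console.log("KEV hits by service:", JSON.stringify(kevByService(ranked)));
```

In a pipeline you would replace `KEV_CATALOG` with the downloaded feed and `FINDINGS` with your scanner's export; the ranking logic is unchanged. Ordering KEV entries by `knownRansomwareCampaignUse` and then `dueDate` mirrors how the catalog itself expresses urgency, and it keeps the list short enough to act on even when the legacy base images contribute hundreds of unexploited CVEs.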

Answered By SafeChainSupporter On

Consider deploying something like Safe Chain. It’s designed to enhance security for your dependencies.

Answered By CodeSafeguardX On

A solid approach is to restrict dependencies right before the CI process starts. We utilize Artifactory for this purpose. The key idea is to stop bad packages at download time rather than dealing with them post-image build.
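One way to enforce the "stop it at download time" idea described above, as an added example that is not part of the original thread and is not Artifactory's own tooling: a Node script run in CI before `npm ci` that rejects any `package-lock.json` entry whose `resolved` URL is not under the approved registry proxy, whose tarball path names a different package than the lockfile key, or whose `integrity` is missing or weaker than sha512. The proxy URL (`https://artifactory.example.com/artifactory/api/npm/npm-remote/`), the lockfile contents and the digest values are assumptions constructed for the example; the rule names are this script's own.

```javascript
// Added example for this thread (not from any poster): a pre-install gate that
// fails CI when package-lock.json resolves anything outside the approved
// registry proxy or without a strong integrity hash. The proxy URL is an
// assumption standing in for whatever Artifactory (or similar) remote you run.
// The sample lockfile below is constructed; only the gate logic is the point.

const POLICY = {
  // Assumed: an Artifactory npm remote fronting the public registry.
  allowedPrefixes: ["https://artifactory.example.com/artifactory/api/npm/npm-remote/"],
};

// Placeholder SRI value with the exact length of a real sha512 digest (86 base64
// chars plus "=="); real lockfiles carry the actual tarball digest here.
const FAKE_SHA512 = "sha512-" + "A".repeat(86) + "==";
const GOOD = POLICY.allowedPrefixes[0];

// Constructed lockfileVersion 3 document with one entry per failure mode.
const SAMPLE_LOCK = {
  name: "svc-checkout", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "svc-checkout", version: "1.0.0" },
    // Healthy entries: approved source, sha512, tarball path matches the name.
    "node_modules/example-lib": { version: "1.2.3", resolved: GOOD + "example-lib/-/example-lib-1.2.3.tgz", integrity: FAKE_SHA512 },
    "node_modules/@acme/logger": { version: "1.0.0", resolved: GOOD + "@acme/logger/-/logger-1.0.0.tgz", integrity: FAKE_SHA512 },
    // Fetched straight from the public registry, bypassing the proxy.
    "node_modules/direct-tarball": { version: "2.0.0", resolved: "https://registry.npmjs.org/direct-tarball/-/direct-tarball-2.0.0.tgz", integrity: FAKE_SHA512 },
    // Git dependency: not from the registry and carries no integrity hash.
    "node_modules/git-dep": { version: "0.1.0", resolved: "git+ssh://git@git.example.com/team/git-dep.git#0123456789abcdef0123456789abcdef01234567" },
    // Approved source but a weak (sha1) integrity value.
    "node_modules/weak-hash": { version: "3.3.0", resolved: GOOD + "weak-hash/-/weak-hash-3.3.0.tgz", integrity: "sha1-" + "A".repeat(27) + "=" },
    // Approved source, but the tarball path names a different package.
    "node_modules/swapped": { version: "1.0.0", resolved: GOOD + "other-pkg/-/other-pkg-1.0.0.tgz", integrity: FAKE_SHA512 },
    // Bundled and workspace-linked entries legitimately have no resolved/integrity.
    "node_modules/bundled-thing": { version: "1.0.0", inBundle: true },
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
    "packages/local-lib": { name: "local-lib", version: "0.0.1" },
  },
};

// Package name is whatever follows the last "node_modules/" in the lockfile key
// (handles nested and scoped installs). Returns null for non-install paths.
function nameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

const SRI_SHA512 = /^sha512-[A-Za-z0-9+/]{86}==$/;

// Returns a list of {key, rule, detail} violations; empty means the lockfile
// passes. Expects lockfileVersion 2 or 3 (the "packages" map).
function checkLockfile(lock, policy) {
  if (!lock.packages) {
    return [{ key: "", rule: "unsupported-lockfile", detail: `lockfileVersion ${lock.lockfileVersion}: regenerate with npm >= 7` }];
  }
  const violations = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = nameFromKey(key);
    if (!name || entry.link || entry.inBundle) continue; // root, workspace link, bundled dep
    if (typeof entry.resolved !== "string") {
      violations.push({ key, rule: "missing-resolved", detail: "no resolved URL" });
      continue;
    }
    const prefix = policy.allowedPrefixes.find((p) => entry.resolved.startsWith(p));
    if (!prefix) {
      violations.push({ key, rule: "untrusted-source", detail: entry.resolved });
    } else {
      // Registry tarball layout is <registry>/<name>/-/<file>.tgz; a mismatch means
      // the lockfile names one package but fetches another. Assumption: the proxy
      // preserves that layout when it mirrors the upstream registry.
      const rest = decodeURIComponent(entry.resolved.slice(prefix.length));
      if (!rest.startsWith(`${name}/-/`)) violations.push({ key, rule: "name-mismatch", detail: rest });
    }
    if (typeof entry.integrity !== "string") {
      violations.push({ key, rule: "missing-integrity", detail: "entry has no integrity field" });
    } else if (!SRI_SHA512.test(entry.integrity)) {
      violations.push({ key, rule: "weak-integrity", detail: entry.integrity.split("-")[0] });
    }
  }
  return violations;
}

// Usage in CI, before `npm ci`:  node lockfile-gate.js package-lock.json
// With no argument the constructed sample is checked instead.
const lockPath = process.argv[2];
const lock = lockPath ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
const found = checkLockfile(lock, POLICY);
for (const v of found) console.log(`${v.rule.padEnd(18)} ${v.key}  ${v.detail}`);
console.log(found.length ? `${found.length} violation(s)` : "lockfile OK");
if (lockPath && found.length) process.exitCode = 1;
```

The gate only has teeth if the committed lockfile was generated against the proxy (an `.npmrc` with `registry=` pointing at it) and CI installs with `npm ci`, which refuses to install when the lockfile and `package.json` disagree. It complements rather than replaces the proxy's own blocking: the proxy decides which tarballs can be downloaded, the lockfile check proves that nothing in the build sidesteps the proxy or lands without a pinned digest.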

Answered By VeracodeFan99 On

Veracode has a really useful firewall that can block malicious packages, and it even helps identify which ones are safe. It might be worth reaching out to them to see if this could be an option for your setup. Their Software Composition Analysis (SCA) tool also shows which parts of your inventory might have issues.

TechSavvy89 -

That sounds promising! It would definitely help streamline our security process.

Answered By DevSecOpsNinja On

You might want to check out Datadog's GuardDog utility. With the right configuration, it should be able to catch these kinds of attacks effectively.
