We're managing a multi-cloud environment using AWS and GCP, while keeping a tight grip on our development pipeline. We can't just hand over our code repositories to every tool that claims to filter vulnerabilities smartly. The SCA and CSPM tools we're using are bombarding us with alerts for issues that aren't even exploitable.
For instance, we're getting flagged for packages that aren't actually being used or libraries that are included in the container but don't interact with the runtime at all.
We're looking for ways to cut down the noise from these alerts without compromising our policies (no agents or repo scanning). Has anyone figured out a good approach to this?
6 Answers
If you're shipping libraries that never touch runtime, you might want to evaluate your container setup to create a more minimal image. Strip out any tools and libraries not needed for the final product before packaging your containers.
If you're overwhelmed with alerts, I’d suggest first developing a CVE triage rubric based on your environments. For example, treat production-facing issues as critical, while internal or air-gapped ones can be deprioritized. It's not a perfect solution, but it gives your team a clear method to filter the noise.
We're facing something similar. With a locked-down repo and no agents running in production, we recently participated in beta testing a feature from our CSPM vendor, Orca, that utilizes reachability analysis directly from live containers. It avoids touching the codebase and significantly reduces alert noise—over 90% fewer critical findings we need to manually address.
That sounds interesting! Did they need any invasive runtime tracing or anything like that?
Consider implementing an ADR or RASP setup to monitor runtime behavior and trace the stack. Also, it's essential to eliminate any unnecessary dependencies where possible.
To reduce the volume of alerts, cut back on the scan scope. We shifted from scanning every single container image in our registry to only those that are actually deployed and exposed, which halved the alert volume. We haven’t missed any critical vulnerabilities this way.
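As an added illustration (not code from any poster above), the following Python sketch combines two of the suggestions in this thread: drop findings on images that are not actually deployed, then rank what remains with an environment-based rubric (production-facing first, internal or air-gapped last), demoting packages the runtime never loads. The inventory, findings and CVE ids are all constructed placeholders.

```python
from typing import Dict, List, Optional

# Constructed deployment inventory (hypothetical): which registry images
# actually run, in which environment, and whether they face the internet.
DEPLOYED = {
    "registry/api:1.4.2":    {"env": "production", "exposed": True},
    "registry/worker:2.0.0": {"env": "production", "exposed": False},
    "registry/etl:0.9.1":    {"env": "air-gapped", "exposed": False},
}

# Constructed SCA findings. CVE ids are placeholders, not real identifiers.
# "loaded" is the runtime signal discussed above: is the vulnerable package
# actually loaded by the running process, or merely present in the image?
FINDINGS = [
    {"image": "registry/api:1.4.2",    "pkg": "openssl", "cve": "CVE-PLACEHOLDER-1", "loaded": True},
    {"image": "registry/api:1.4.2",    "pkg": "curl",    "cve": "CVE-PLACEHOLDER-2", "loaded": False},
    {"image": "registry/worker:2.0.0", "pkg": "libxml2", "cve": "CVE-PLACEHOLDER-3", "loaded": True},
    {"image": "registry/etl:0.9.1",    "pkg": "openssl", "cve": "CVE-PLACEHOLDER-1", "loaded": True},
    {"image": "registry/legacy:3.1.0", "pkg": "openssl", "cve": "CVE-PLACEHOLDER-1", "loaded": True},
]

PRIORITY = ["critical", "high", "medium", "low"]  # ordered, most urgent first


def classify(finding: Dict, deployed: Dict) -> Optional[str]:
    """Return a triage level, or None if the finding should be dropped.

    Rubric: image not deployed -> drop; production + internet-exposed ->
    critical; production but internal-only -> high; other envs -> low.
    A package that is present but never loaded at runtime is demoted one
    level rather than dropped, so it stays visible for image cleanup.
    """
    target = deployed.get(finding["image"])
    if target is None:
        return None
    if target["env"] == "production":
        level = "critical" if target["exposed"] else "high"
    else:
        level = "low"
    if not finding["loaded"]:
        level = PRIORITY[min(PRIORITY.index(level) + 1, len(PRIORITY) - 1)]
    return level


def triage(findings: List[Dict], deployed: Dict) -> Dict[str, List[Dict]]:
    """Bucket findings by triage level, discarding those on undeployed images."""
    buckets: Dict[str, List[Dict]] = {lvl: [] for lvl in PRIORITY}
    for finding in findings:
        level = classify(finding, deployed)
        if level is not None:
            buckets[level].append(finding)
    return buckets


if __name__ == "__main__":
    for level, items in triage(FINDINGS, DEPLOYED).items():
        print(f"{level:8s} {[(f['image'], f['cve']) for f in items]}")
```

In a real pipeline the inventory would come from your orchestrator or CSPM asset list and the `loaded` flag from a runtime reachability signal; the rubric itself is what you tune to your policy.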
Right now, we're evaluating several CNAPP solutions. Prisma has solid inventory management but lacks reachability capabilities. I heard Orca is adding features like reachability analysis that don't require access to our repos or builds, so we might make the switch if that goes live soon.
That could really ease our process! Let me know how your evaluation goes.
Yeah, we’re kind of managing this issue on an ad hoc basis right now.