Tag Archives: static analysis

Scanning Dockerfiles for security issues + Contributing to semgrep

Recently I had to scan some Dockerfiles to identify potential security issues, and in this case I wanted to use an automatic scanner. Automatic scanners have the well-known problems of false positives and false negatives, but depending on the kind of work you want to do and the depth you need, they offer a good benefit/effort ratio.
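To make the false-positive/false-negative trade-off concrete, here is a small Dockerfile scanner added as an example for this page; it is not code from the post, and it is not semgrep or any rule the author contributed. The three checks (unpinned base image, ADD where COPY would do, final stage still running as root) are well-known Dockerfile hygiene rules picked for the illustration, and the sample Dockerfile is constructed. The parsing step matters: a scanner that does not join `\`-continued lines or does not know that only the last `FROM` stage ships will miss or misreport findings.

```python
"""Minimal Dockerfile scanner (added example, not the post's code)."""
import re

# Constructed sample input: multi-stage build with a line continuation and a comment.
SAMPLE_DOCKERFILE = """\
# builder stage
FROM golang:1.21 AS builder
WORKDIR /src
COPY . .
RUN go build \\
    -o /app ./cmd/app

FROM debian:latest
ADD https://example.invalid/tool.tar.gz /opt/
ADD config/ /etc/app/
COPY --from=builder /app /usr/local/bin/app
USER root
CMD ["/usr/local/bin/app"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, args) pairs with continuations joined and comments dropped.

    Getting this wrong is a classic source of false negatives (an instruction
    hidden behind a backslash continuation) and false positives (a comment
    that merely mentions USER or ADD)."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # Docker drops blank and comment lines, even inside a continuation
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.strip().split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions


def _positional(args):
    """Drop option flags such as --chown=... or --platform=... and keep operands."""
    return [tok for tok in args.split() if not tok.startswith("--")]


def scan(text):
    """Return a list of (rule_id, message) findings.

    Image pinning is checked for every FROM; ADD and USER are only checked in
    the last stage, because earlier stages never ship in the final image."""
    findings = []
    instructions = parse_instructions(text)

    for ins, args in instructions:
        if ins != "FROM":
            continue
        image = _positional(args)[0]
        if image == "scratch" or "@" in image:  # digest-pinned or empty base
            continue
        last = image.split("/")[-1]  # avoid confusing a registry port with a tag
        if ":" not in last or last.endswith(":latest"):
            findings.append(("unpinned-base-image",
                             f"FROM {image} is not pinned to a tag or digest"))

    starts = [i for i, (ins, _) in enumerate(instructions) if ins == "FROM"]
    final_stage = instructions[starts[-1]:] if starts else instructions
    user = None
    for ins, args in final_stage:
        if ins == "USER":
            user = args.strip()
        elif ins == "ADD":
            src = _positional(args)[0]
            # ADD is justified for remote URLs and auto-extracted archives; otherwise COPY is explicit.
            if not (src.startswith(("http://", "https://"))
                    or re.search(r"\.(tar|tgz|tar\.\w+)$", src)):
                findings.append(("prefer-copy-over-add",
                                 f"ADD {src} copies a plain path; use COPY"))
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append(("runs-as-root",
                         "final stage does not switch to a non-root USER"))
    return findings


if __name__ == "__main__":
    for rule_id, message in scan(SAMPLE_DOCKERFILE):
        print(f"{rule_id}: {message}")
```

Note what the stage logic buys you: the `golang:1.21` builder stage is pinned and runs as root, but nothing is reported for it, whereas `debian:latest`, the plain-path `ADD`, and the final `USER root` are. A scanner that treated the file as a flat list would either flag the builder stage (false positive) or, if it stopped at the first `USER`, miss the root user in the shipped image (false negative).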


Introduction to dependencyCheck: an open source Software Composition Analysis (SCA) tool

dependencyCheck is an open source dependency security scanner. Tools of this kind are also called SCA (Software Composition Analysis) tools.

dependencyCheck identifies which dependencies (that is, third-party libraries) a piece of software is using and reports whether any of them have known vulnerabilities.
