 How to scan open source libraries of an image file system.

Abu Rajib posted Jun 26, 2019 09:46 PM

I am to scan all the third-party libraries that are being used for a certain droplet. Does PCF do this? If I want to do it on my end, how do I do this? Essentially, I am looking to get a staged file system so that I can run a scan to find and detect any vulnerabilities for all the open source libraries being used. Thanks.

Pivotal internally scans stemcells, root file systems (the base image for apps created by using buildpacks) and monitors for security issues in dependencies provided by buildpacks (i.e. OpenJDK, Ruby, Node.js, Golang, etc.). If you're staying up-to-date with your updates, then you should automatically get patches for known vulnerabilities in these areas of the product.


PCF does not have built-in support for scanning droplets that have been produced or for scanning dependencies that are pulled in through an application dependency management system (i.e. Maven, Gradle, Nuget, Pip, NPM, Bundler, etc.), but I believe that we have partners that provide this functionality. Pivotal does not recommend any specific provider; you can see the list of them in our documentation, under the "Identity and Security" section.


Hope that helps!
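Since the droplet-level scan the question asks about has no built-in PCF support, the practical first step is an inventory of the app-level libraries sitting in the staged file system. The following is an added example in Python, not code from the thread or from Pivotal; it assumes the droplet has already been downloaded and unpacked locally (for example with `cf download-droplet` in cf CLI v7 and later) and reads pinned versions from the pip, Bundler and npm lockfiles, producing the (ecosystem, name, version) list you would hand to a vulnerability database or a partner scanner. The sample droplet it builds is constructed data.

```python
import json
import re
import tempfile
from pathlib import Path

# Dependency manifests a buildpack-staged app typically carries, keyed by file name.
# Only the app's own manifests are inspected; the rootfs/stemcell layer is covered by Pivotal's scans.
MANIFESTS = {"requirements.txt": "pip", "Gemfile.lock": "bundler", "package-lock.json": "npm"}

def parse_requirements(text):
    """Pinned pip requirements ('name==version'); comments and unpinned specs are skipped."""
    return [(m.group(1).lower(), m.group(2)) for m in
            (re.match(r"^\s*([A-Za-z0-9_.-]+)==([^\s;#]+)", line) for line in text.splitlines()) if m]

def parse_gemfile_lock(text):
    """Bundler lockfile: resolved gems appear as '    name (version)' (4-space indent) under specs:."""
    return [(m.group(1), m.group(2)) for m in
            (re.match(r"^    ([A-Za-z0-9_.-]+) \(([^)]+)\)$", line) for line in text.splitlines()) if m]

def parse_package_lock(text):
    """npm lockfile v1/v2: walk the nested 'dependencies' tree for resolved versions."""
    deps = []
    def walk(node):
        for name, info in node.get("dependencies", {}).items():
            deps.append((name, info.get("version", "?")))
            walk(info)  # non-hoisted dependencies are nested under their parent
    walk(json.loads(text))
    return deps

PARSERS = {"pip": parse_requirements, "bundler": parse_gemfile_lock, "npm": parse_package_lock}

def inventory(droplet_root):
    """Walk an unpacked droplet and return sorted, de-duplicated (ecosystem, name, version) tuples."""
    found = set()
    for path in Path(droplet_root).rglob("*"):
        eco = MANIFESTS.get(path.name)
        if eco and path.is_file():
            found.update((eco, n, v) for n, v in PARSERS[eco](path.read_text()))
    return sorted(found)

def build_sample_droplet():
    """Constructed stand-in for an unpacked droplet (sample data, not a real app)."""
    root = Path(tempfile.mkdtemp()) / "app"
    root.mkdir()
    (root / "requirements.txt").write_text("# pinned\nrequests==2.22.0\nflask>=1.0\n")
    (root / "Gemfile.lock").write_text("GEM\n  specs:\n    rack (2.0.7)\n      nokogiri (>= 1.0)\n")
    (root / "package-lock.json").write_text(json.dumps(
        {"dependencies": {"lodash": {"version": "4.17.11", "dependencies": {"ms": {"version": "2.1.1"}}}}}))
    return str(root)
```

Lockfiles from the other managers the answer lists (Maven, Gradle, NuGet) need their own parser in the same shape; `inventory(build_sample_droplet())` shows the output format on the constructed data.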