Deepfactor can scan your artifacts (container images / file system directories) to generate an SBOM and find SCA vulnerabilities. Deepfactor can also observe running containers / non-containerized applications to detect runtime risks. The unique capability Deepfactor provides is that it can correlate the results of the scan and the runtime observation, so you get:
- A unified view of your application's security posture
- Additional information so you can prioritize which vulnerabilities to fix earlier than others.
How does Deepfactor correlate artifacts with running applications/workloads?
For container images, Deepfactor correlates based on the image ID. When a container is run using Deepfactor, either via docker run or via K8s, Deepfactor attempts to get the image ID of the container that is being run. Deepfactor then shows the results of the scan performed on the image with the same image ID on the application and component dashboard. Hence it is important for Deepfactor to fetch the image ID of the running container in order to correlate the results of the static scan. In K8s, Deepfactor deploys a scan pod which pulls the image's manifest from the registry to get the image ID. If you are using private registries, you will need to provide the registry credentials as a K8s secret so that the scan pod can pull the image manifest.
For file system scans, Deepfactor relies on the user to provide the same application name, component name and version for the static scan and for observing the running application. In other words, pass the same application name, component name and component version to both the dfctl scan and dfctl run commands so Deepfactor understands that the same artifact is being scanned and run, and can correlate the results for you.
Example:
- Artifact: mydir/pythonapp (path to application code)
- Application: backend
- Component: pythonapp
- Version: 1.0
Static scan:
dfctl scan -s fs -a "backend" -c "pythonapp" -V "1.0" mydir/pythonapp
Runtime instrumentation:
dfctl run -a "backend" -c "pythonapp" -V "1.0" -v --cmd python run.py
Since the same application name, component name and version were passed to the dfctl scan and dfctl run commands, Deepfactor can correlate the results of the two operations.
Correlation Insights
This section outlines some of the areas where Deepfactor correlates results from static scan and runtime observation.
- SBOM, SCA and alert correlation
If you have scanned the artifacts that were observed using Deepfactor, you will see the results of the scan (SBOM & SCA) in the application dashboard as shown in the screenshots below.
- Workloads
On the artifact page, you will see the list of all the components that use the same artifact. This gives you visibility into the usage of a particular artifact (container image/source) across your deployed applications.
- Usage
One of the key advantages of Deepfactor's correlation technology is that you can prioritize which vulnerabilities to fix before others. For SCA findings, whether a dependency is actually used by your running application can be a vital metric for prioritizing its upgrade if it has vulnerabilities associated with it. Deepfactor shows you which resources within the artifact were actually used while the application was running.