For our Enterprise Customers we have an additional feature called "Bulk DeepScan". Actually this is not much different to what you know from DeepScan: It will clone the repository of the component referred to and will assess each file for the defined goals:
- legal information contained in any file
- copyright remarks
- crypto algorithms used
- fingerprinting of files and their segments to identify re-use of known code (e.g. to protect from unwanted copies.
- malware
The goals can be defined when starting the scan. DeepScan is an open source SCA tool and is included into TrustSource's ts-scan. You may run a trial without the need of any installation or registration using the public service or, if you already registered at TrustSource, go to INBOUND > REPOSITORIES. The latter allows also to scan private repositories.
Automating Scans
In combination with ts-scan, ts-deepscan can be used to scan the files of the components used in a build. This allows a high degree of automation, as ts-scan will be used to determine the transitive list of components used for the build and then ts-deepscan will start downloading the corresponding repositories and pull the sources of the versions found. These will then be assessed on file-level for the defined assessment goals.
This sort of automation is a gorgeous thing: It allows to compile a list and pass only this list to the scanner. The scanning service will take care of the scanning. In the first approaches we were using an SBOM separator, singeling out each entry of the SBOM and pushing it into a queue. DeepScan then pulls the tasks from the queue. One of our pilot customers pushed a 2,736 entries SBOM as test case. It took 1.5 days but it delivered.
AWS scaleout
To overcome such "denial of service" blockades, we developed on the one hand a multi-threading version, allowing to handle several components in parallel. But we also introduced a scale-out feature. This Scale-out feature allows you to define the number and size of resources used by yourself. It
However, this can be very time and resource intensive. To allow each customer to support his own speed requirements, we developed the Bulk-DeepScan feature. This allows you to auto-scale DeepScan in your own virtual private cloud. All you will need is an AWS account. All settings will be made automatically on by TrustSource. This scanning has several benefits:
- You can scan all components of your solution on file level, which will increase security and compliance to the highest level possible
- You do not need to worry about setting up tools, managing failures or other operational challenges. This will all be handled by TrustSource. Just mark the scan that should be lined for review and press a button. TrustSource will take care for the heavy lifting:
- Access your account
- initialise as many instances as defined
- build the queue with all SBOM members
- download the sources
- execute the scans
- collect the results
- handle errors
- downsize all systems after the job is done
- inform you about the updates
- This is especially interesting, if you want to scan your own sources. The Scaleout option allows you to use the TrustSource automations in your own ground. Thus, your source code will not have to leave your sphere of influence.
If you are interested in making use of this scaling feature, please let contact support @ trustsource.io.
Comments
0 comments
Article is closed for comments.