add Check for known vulnerabilities

wurstbrot · wurstbrot · commit 67e30e58811f · 2021-01-15T08:27:51.000+01:00
diff --git a/data/TestandVerification.yml b/data/TestandVerification.yml
@@ -676,6 +676,19 @@ Dynamic depth for infrastructure:
       - 14.2.3
       - 14.2.8    
 Static depth for infrastructure:
+  Test of virtualized environments:
+    risk: Virtualized environments (e.g. via <i>Container Images</i>) might contains unsecure configurations.
+    measure: Test virtualized environments for unsecured configurations.
+    difficultyOfImplementation:
+      knowledge: 2
+      time: 1
+      resources: 2
+    usefulness: 3
+    level: 2
+    implementation:
+      - <a href="https://github.com/wagoodman/dive">Dive to inspect a container images</a>
+      - Cluster Scanner (will be open sourced soon) to check different aspects
+    samm2: v-security-testing|A|1
   Test the definition of virtualized environments:
     risk: The definition of virtualized environments (e.g. via <i>Dockerfile</i>) might contains unsecure configurations.
     measure: Test the definition of virtualized environments for unsecured configurations.
@@ -802,6 +815,21 @@ Static depth for infrastructure:
     iso27001-2017:
       - 12.6.1
       - 14.2.5
+  Check for known vulnerabilities:
+    risk: Known vulnerabilities in infrastructure components like container images might get exploited.
+    measure: Check for known vulnerabilities
+    difficultyOfImplementation:
+      knowledge: 2
+      time: 1
+      resources: 1
+    usefulness: 4
+    level: 4
+    implementation:
+      - https://github.com/aquasecurity/trivy
+      - Registries like quay, dockerhub provide (commercial) offerings, often not suiteable for distroless images
+    samm2: v-security-testing|A|2
+    iso27001-2017:
+      - 12.6.1
   Check for new image version:
     risk: When a new version of an image is available, it might fixes security vulnerabilities.
     measure: Check for new images of containers in production.
