Open Source Vulnerability Scanning
Overview
Bridgecrew scans open source modules used in your software and alerts you to vulnerabilities before deployment by CI/CD pipelines.
This scan is based on our vulnerability database, which is enriched by Prisma Cloud's Unit 42 researchers and by many other open sources of known vulnerabilities and exposures. This allows Bridgecrew to detect vulnerabilities that were only recently disclosed, and even those that have been quietly patched.
Enabling Open Source Vulnerability Scanning
Open Source modules are scanned automatically if your integrated repository contains a supported package manager file.


Scan Results
Alerts found during open source module scanning appear in Projects and in the Checkov CLI.
To filter for open source vulnerabilities on the Projects page, select vulnerabilities and search for package files.


For each vulnerability the following details are shown:
- CVE identifier
- CVSS (CVE score)
- Vulnerability description
- Link to CVE report
- Name of the package relevant to this CVE
- Version of the package relevant to this CVE
- Severity
- Indication if a fix is available


Risk Factors Explained
For each vulnerability found, Bridgecrew reports the following risk factors, which help you understand the context of the issue:
- Remote execution — Vulnerability can be exploited to run arbitrary code.
- DoS — Component is vulnerable to denial of service attacks, such as buffer overflow attacks, ICMP floods, and so on.
- Recent vulnerability — Vulnerability was reported in the current or previous year.
- Exploit exists — Code and procedures to exploit the vulnerability are publicly available.
- Attack complexity: low — Vulnerability is easily exploited.
- Attack vector: Network — Vulnerability is remotely exploitable. The vulnerable component is bound to the network, and the attacker’s path is through the network.
- Reachable from the internet — Vulnerability exists in a container exposed to the internet.
Remediation
Remediation of open source vulnerabilities is done by bumping the package version.


Notes on Fixing Vulnerabilities in Open Source Modules
- All CVEs found in the same package are included in a single error.
- Each CVE may require a different version for remediation.
- By default, Bridgecrew bumps the package to the lowest version that successfully fixes all of the CVEs in the package.
- If you want to bump to a version that is only partially compliant (for example, to avoid impacting code that depends on the module), you can deselect, from the fix, the CVEs that require a higher version than the one you want to bump to.
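The version-selection rule in the notes above (lowest version that fixes every selected CVE, with the option to deselect CVEs that would force a higher bump) can be modelled in a few lines. The following is an added illustration, not Bridgecrew's or Checkov's own code; the CVE identifiers and fixed-in versions are constructed placeholders, and versions are assumed to be plain dotted numerics.

```python
# Added illustration (not Bridgecrew's own code): computing the lowest
# package version that fixes a set of CVEs, and the effect of deselecting
# CVEs that would force a higher bump. All CVE data below is constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class CveFinding:
    cve_id: str              # placeholder identifiers, not real advisories
    severity: str
    fixed_in: Optional[str]  # first version that fixes it; None if no fix exists


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version such as '2.31.0' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def lowest_fixing_version(findings: Iterable[CveFinding],
                          exclude: Iterable[str] = ()) -> Optional[str]:
    """Return the lowest version that fixes every selected CVE.

    Each CVE has its own minimum fixing version, so the version that fixes all
    of them is the maximum of those minimums. CVEs listed in `exclude` are
    deselected (the partial-fix option); CVEs with no fix are skipped.
    """
    excluded = set(exclude)
    candidates = [f.fixed_in for f in findings
                  if f.cve_id not in excluded and f.fixed_in is not None]
    if not candidates:
        return None
    return max(candidates, key=parse_version)


def unresolved_after_bump(findings: Iterable[CveFinding], target: str) -> List[str]:
    """List the CVE ids still open if the package is bumped only to `target`."""
    t = parse_version(target)
    return [f.cve_id for f in findings
            if f.fixed_in is None or parse_version(f.fixed_in) > t]


# Constructed sample: one package with three CVEs, each fixed in a different release.
SAMPLE_FINDINGS = [
    CveFinding("CVE-0000-0001", "HIGH", "2.25.1"),
    CveFinding("CVE-0000-0002", "CRITICAL", "2.31.0"),
    CveFinding("CVE-0000-0003", "MEDIUM", "2.28.0"),
]

if __name__ == "__main__":
    print(lowest_fixing_version(SAMPLE_FINDINGS))                               # 2.31.0
    print(lowest_fixing_version(SAMPLE_FINDINGS, exclude=["CVE-0000-0002"]))    # 2.28.0
    print(unresolved_after_bump(SAMPLE_FINDINGS, "2.28.0"))                     # ['CVE-0000-0002']
```

Deselecting the CRITICAL finding lowers the bump to 2.28.0, and `unresolved_after_bump` shows exactly which CVE that partial fix leaves open.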
Package Manager Types Supported
Currently, Bridgecrew supports scanning of open source modules for these package managers: Python, Java, Go, and JavaScript (Node.js).
| Language/Package Manager | File Types |
|---|---|
| Java (Gradle) | build.gradle |
| Java (Maven) | pom.xml |
| Python (pip) | req*.txt |
| JavaScript + TypeScript (NPM) | package-lock.json |
| Go | go.sum |