
Dependency Scanning

Aptori software composition analysis (SCA) finds vulnerabilities in the dependencies used by an application. The aptori/scanners container image contains the tool, so you can easily incorporate the dependency scanner into your CI/CD pipeline. The dependency scan result includes a list of vulnerable packages, the complete SBOM, and recommended changes to upgrade the vulnerable packages and fix the vulnerabilities.

Prerequisites

  • Asset ID of a Repository

    • To get the asset ID of a Repository, navigate to Projects in the Aptori Platform. On the tile of the Repository asset, open the Settings by clicking the three dots menu and choosing Settings. The asset ID is displayed in the popup window.
    • To create a Repository asset, navigate to Projects in the Aptori Platform. At the top of the page, click "Add +" > "Add a Repository". Select the Project to which the Repository belongs and enter a name for the Repository.
  • Platform Key

    • To create a Platform Key, navigate to Keys in the Aptori Platform.

Running on a local repository path

With container runtime CLI tools such as Docker or nerdctl, you can run aptori/scanners on a local copy of your source code repository. For example, from the root directory of the source code, use Docker CLI to run a dependency scan:

docker run --rm -v "${PWD}:/src" \
    -e APTORI_PLATFORM_KEY={{Your Platform Key}} \
    aptori/scanners sgen \
    --asset-id {{Your Asset ID}} \
    --dir /src

Running in CI/CD

Performing a dependency scan in a CI/CD pipeline is easy with the aptori/scanners container. We recommend you use CI/CD variables to store details like the Platform Key and Asset ID.

GitLab example

In the following GitLab example, a job named aptori-dependency-scan is defined to run on commits made to the default branch of the repository. The job expects the following CI/CD variables to be defined in the GitLab repository settings.

  • APTORI_PLATFORM_KEY
  • APTORI_ASSET_ID

stages:
  - test

# Scan dependencies for known vulnerabilities using Aptori.
# Requires variables to be defined: APTORI_PLATFORM_KEY, APTORI_ASSET_ID
aptori-dependency-scan:
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  stage: test
  image: aptori/scanners
  script:
    - sgen --asset-id ${APTORI_ASSET_ID} --dir .

CircleCI example

In the following CircleCI example, a job named aptori-dependency-scan is defined to perform a dependency scan on the source code of the repository. The job expects the following Environment Variables to be defined in the Project Settings.

  • APTORI_PLATFORM_KEY
  • APTORI_ASSET_ID

version: 2.1
jobs:
  aptori-dependency-scan:
    # Scan dependencies for known vulnerabilities using Aptori Scanners.
    # Requires variables to be defined: APTORI_PLATFORM_KEY, APTORI_ASSET_ID
    docker:
      - image: aptori/scanners
    steps:
      - checkout
      - run:
          name: Run Aptori dependency scan
          command: sgen --asset-id ${APTORI_ASSET_ID} --dir .
workflows:
  build-and-test:
    jobs:
      - aptori-dependency-scan

Command Reference

The dependency scan command has the following syntax:

sgen --asset-id id {--dir directory | --image image | --tar tarfile} [OPTIONS]

A value for --asset-id is required, and one of the target options (--dir, --image, or --tar) is required. The environment variable APTORI_PLATFORM_KEY is required. The environment variable APTORI_PLATFORM_URL or the --platform flag may be used to set which Platform receives the result. Use sgen --help for more options.
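As an added example (not Aptori's own code), the following POSIX shell wrapper enforces the requirements above before the container is pulled: it fails early with a clear message when the key, the asset ID, or a valid target is missing, and passes the Platform Key to the container by environment variable name only, so the secret never appears on a command line or in shell trace output. The function names sgen_args and run_sgen_dir are assumptions; APTORI_PLATFORM_KEY and APTORI_ASSET_ID are the variable names used on this page.

```shell
#!/bin/sh
# Pre-flight wrapper for the aptori/scanners dependency scan (added example).

# sgen_args <dir|image|tar> <target> [platform-url]
# Prints the sgen argument list on stdout, or returns 1 with a reason on stderr.
sgen_args() {
  kind=$1; target=$2; platform=$3
  [ -n "${APTORI_PLATFORM_KEY:-}" ] || { echo "APTORI_PLATFORM_KEY is not set" >&2; return 1; }
  [ -n "${APTORI_ASSET_ID:-}" ]     || { echo "APTORI_ASSET_ID is not set" >&2; return 1; }
  case $kind in
    dir|image|tar) ;;   # exactly the target options the command reference lists
    *) echo "target kind must be dir, image or tar (got '$kind')" >&2; return 1 ;;
  esac
  [ -n "$target" ] || { echo "missing value for --$kind" >&2; return 1; }
  printf 'sgen --asset-id %s --%s %s' "$APTORI_ASSET_ID" "$kind" "$target"
  # --platform is optional; APTORI_PLATFORM_URL in the environment works as well.
  [ -z "$platform" ] || printf ' --platform %s' "$platform"
  printf '\n'
}

# run_sgen_dir <local-source-path> [platform-url]
# Mounts the local checkout at /src, as in the docker command above, and runs the scan.
run_sgen_dir() {
  args=$(sgen_args dir /src "$2") || return 1
  # "-e APTORI_PLATFORM_KEY" with no value copies the variable from the host
  # environment, so the key is not written into the argument list.
  docker run --rm -v "$(cd "$1" && pwd):/src" \
    -e APTORI_PLATFORM_KEY \
    aptori/scanners $args
}
```

In a CI job, call run_sgen_dir . after the checkout step with the two variables set as protected/masked CI variables.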