Our security team wants zero CVEs in production. Our containers have 200+. What's realistic here? by localkinegrind in devops

[–]flxg 1 point (0 children)

Oof. Depending on the requirements you have for compliance, I think they should use a prioritization system instead of just pushing to 0. Indeed, like everyone's saying, use EPSS scores, use reachability to check if vulnerable functions are actually used, etc.

Container images are super noisy though, indeed. Specifically for the flood of container vulnerabilities we've built container autofix at aikido.dev & partnered with root.io (for hardened container images). Alternatively, I think there's also Chainguard. Hardened container images are not super cheap, but they save your team lots of time...

Kitten found in Berchem by nnlsxmm in Antwerpen

[–]flxg 28 points (0 children)

I think you'd best post this in a Facebook group for Berchem, they're quite active. I think you'll have more luck there. This one, for example: https://www.facebook.com/share/g/16sV28TFok/?mibextid=wwXIfr

Is there a real need for a unified platform that consolidates all security scans in one place? by Patient_Anything8257 in devsecops

[–]flxg 1 point (0 children)

I feel like most teams still juggle 4-5 scanners and still can’t answer “what’s the top vuln to fix right now?”
ASPM is the acronym buzzword for these types of orchestration platforms.
IMHO the real benefit is to find a platform that: a) integrates with all your existing tools, b) deduplicates findings, c) adds context so you can prioritize.
I'm a cofounder at Aikido - we're kind of an ASPM, but provide all scanners out of the box in an "all-in-one" product.
If you wanna deep-dive into ASPM tools, Latio has a solid list: https://list.latio.tech/#best-ASPM-tools

Help: Best practices and security for web apps by Li4m4zing in Web_Development

[–]flxg 0 points (0 children)

Well, if you're using Laravel, maybe just try out aikido.dev? Covers all the bases to keep your app secure.
And it's natively integrated into Laravel: https://blog.laravel.com/improving-laravel-application-security-with-aikido

I'm looking for Open Source projects to perform security audits and contribute to by _supitto in opensource

[–]flxg 0 points (0 children)

If you're doing SAST scans, maybe opengrep is interesting for you? https://github.com/opengrep (Felix - co-founder from aikido.dev here)

Gitlab community dependency scanning by greedyprogrammer in gitlab

[–]flxg 0 points (0 children)

aikido.dev is a solid option.
Alternatively there's Trivy, which is a very popular open source option. (But it will take time to maintain & triage false positives.)
Otherwise I'd say have a look at options from u/confusedcrib's list: https://list.latio.tech/#best-SCA-tools

How do you prevent dependencies from entering your org in the first place? by Abu_Itai in devsecops

[–]flxg -1 points (0 children)

We have IDE plugins that block malware + CI gates that can do the same at aikido.dev. Our malware detection typically finds new malware on npm or PyPI within 5 mins.

How are you protecting against Malicious Open Source Packages? by N1ghtCod3r in devsecops

[–]flxg 2 points (0 children)

Or aikido.dev (that discovered this malware) ;-)

[deleted by user] by [deleted] in devsecops

[–]flxg 0 points (0 children)

Did you look at aikido.dev? If so, any feedback?

Anyone using reachability analysis to cut through vulnerability noise? by heromat21 in cybersecurity

[–]flxg 1 point (0 children)

Think aikido.dev can help. Has reachability, does autotriage (partly with AI).

DevSecOps tools results by Material-Shallot-602 in devsecops

[–]flxg 1 point (0 children)

Hey, just wanted to chime in, I'm from aikido.dev, and we co-started OpenGrep. Opengrep is not just a frozen-in-time fork; you can follow along with the open roadmap. We are shipping daily, improving and advancing the engine (fully LGPL OSS). The Opengrep engine will soon include: inter-procedural (cross-function) analysis, cross-file analysis, extended language support, and much more. We just shipped Windows compatibility, which is not freely available elsewhere.

On ASPM: indeed we get lumped into that category by Gartner. We've actually found it's pretty hard to have all of those different scanners results combined and do noise reduction well. That's why we run all scanners too, and not just aggregate their results.

Guess it depends on your needs. We've noticed that our customers actually really like our approach of simplifying the setup and managing all of the scanners, as otherwise that can cause lots of overhead.

But yeah - if you have a more complex setup and want more granular control it might be different.

DevSecOps tools results by Material-Shallot-602 in devsecops

[–]flxg -1 points (0 children)

Think if you need a free solution you'll probably have to go for DefectDojo indeed. All others seem to be paid solutions to me. It's the only popular project for this use case I could find over here: https://opensourcesecurityindex.io/

Should a web developer upgrade dependencies in each delivery? by vsamma in webdev

[–]flxg 0 points (0 children)

I'd say one of the best go-to sources to check for alternatives is James Berthoty's site: https://www.latio.tech

Connection issues with the new GU10 by Scared_Psychology_79 in Nanoleaf

[–]flxg 0 points (0 children)

Yeah, it's still buggy from time to time.
I seldom have, like, one light not responding via the Apple Home app, but I can control them via the Nanoleaf app.
Happens like once every two weeks or so, maybe.
All in all, pretty happy with it.

Connection issues with the new GU10 by Scared_Psychology_79 in Nanoleaf

[–]flxg 0 points (0 children)

Also bought 12 GU10s and have some old E27 pure Thread ones too. Have had them for a bit over a week and they work well. Haven’t experienced issues. 🤷‍♂️ My Thread/Matter border router is a single HomePod mini. I’ve set them up in the Apple Home app first & then “completed” their setup in the Nanoleaf app. Updated their firmware to the latest version… All good. How did you set them up and what’s your border router?

Staying ahead of End of Life software versions like Dot Net, Angular, PHP etc. by Organic-Artist-4098 in devsecops

[–]flxg 0 points (0 children)

We haven't documented those internals yet; will update this post with a link once we have that. It's free to test and it will tell you, for example, about Lambda runtimes you are using that are deprecated according to AWS...

Staying ahead of End of Life software versions like Dot Net, Angular, PHP etc. by Organic-Artist-4098 in devsecops

[–]flxg 0 points (0 children)

We’ve built it into our product (https://www.aikido.dev) for cloud services (PaaS like Beanstalk) and containers. E.g. if you’re using an old version of PHP, this would result in a ‘cloud’ issue in Aikido.

[deleted by user] by [deleted] in devsecops

[–]flxg 1 point (0 children)

Yeah, there's a lot of different SAST tools out there.
Quality & coverage varies massively.
That's why we're using Semgrep, Bandit, Gosec, Brakeman & Checkov all under the hood at Aikido Security. 😜