Skip to main content

Skillber v1.0 is here!

Learn more

Vulnerability Scanning

Checking access...

Vulnerability scanning is the automated process of identifying security weaknesses in systems, applications, and networks. It is the foundation of any vulnerability management program.

Types of Vulnerability Scans

1. Authenticated vs. Unauthenticated

AspectUnauthenticatedAuthenticated
AccessNo credentials — external viewCredentials provided — full internal view
VisibilityOpen ports, services, bannersOS version, installed software, missing patches
False negativesHigh — misses internal vulnerabilitiesLow — sees the full picture
Network impactLowModerate (credentialed checks use more resources)
Best forExternal perimeter assessmentInternal patch compliance, configuration audit
Terminal window
# Unauthenticated scan with nmap
nmap -sV -sC -p- 10.0.0.0/24
# Authenticated scan with Nessus (via API)
curl -X POST "https://nessus.example.com/scans" \
-H "X-ApiKeys: accessKey=KEY; secretKey=SECRET" \
-d '{
"uuid": "ad629e16-03b6-8c1d-cef6-ef8c9dd3c658",
"settings": {
"name": "Authenticated Scan — Linux Servers",
"enabled": true,
"launch": "ONETIME",
"text_targets": "10.0.1.0/24",
"credentials": {
"ssh": {
"username": "scanuser",
"password": "scanpassword",
"sudo": true,
"elevate_privileges": true
}
}
}
}'

2. External vs. Internal

AspectExternalInternal
PerspectiveInternet attackerInternal user/employee
What it findsExposed services, WAF bypass, SSL issuesMissing patches, local privilege escalation
FrequencyWeekly (critical), monthly (standard)Monthly (critical), quarterly (standard)
RegulatoryPCI DSS: quarterly external + after changesPCI DSS: quarterly internal + annual

3. Network vs. Application vs. Container

Network Scanning:
└─ Finds: Open ports, running services, outdated protocols
└─ Tools: Nessus, Qualys, OpenVAS, nmap
└─ Frequency: Weekly for critical, monthly for standard
Application Scanning (DAST):
└─ Finds: SQLi, XSS, CSRF, authentication flaws
└─ Tools: OWASP ZAP, Burp Suite, Acunetix
└─ Frequency: Every build in CI/CD + quarterly full scan
Container Scanning:
└─ Finds: Vulnerable base images, malware in images
└─ Tools: Trivy, Clair, Snyk, Docker Scout
└─ Frequency: Every image build, before deployment

CVSS Scoring

The Common Vulnerability Scoring System (CVSS) provides a numerical score (0-10) for vulnerability severity.

CVSS v3.1 Metrics

Base Score Metrics:
└─ Attack Vector (AV): Network, Adjacent, Local, Physical
└─ Attack Complexity (AC): Low, High
└─ Privileges Required (PR): None, Low, High
└─ User Interaction (UI): None, Required
└─ Scope (S): Unchanged, Changed
└─ Confidentiality (C): High, Low, None
└─ Integrity (I): High, Low, None
└─ Availability (A): High, Low, None
Score Ranges:
└─ 0.0: None
└─ 0.1-3.9: Low
└─ 4.0-6.9: Medium
└─ 7.0-8.9: High
└─ 9.0-10.0: Critical

CVSS calculation example — Log4Shell (CVE-2021-44228):

Attack Vector: Network (0.85)
Attack Complexity: Low (0.77)
Privileges Required: None (0.85)
User Interaction: None (0.85)
Scope: Changed (1.0)
Confidentiality: High (0.56)
Integrity: High (0.56)
Availability: High (0.56)
Base Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Scanning Frequency

Recommended Scan Frequency:
High-Risk Assets (Internet-facing, PII, critical infrastructure):
└─ External scan: Weekly
└─ Internal scan: Weekly
└─ Container scan: Every build
└─ Web app DAST: Every deployment
└─ Configuration scan: Continuous (CSPM)
Medium-Risk Assets (Internal systems, non-PII):
└─ External scan: Monthly
└─ Internal scan: Monthly
└─ Container scan: Weekly
└─ Web app DAST: Monthly
Low-Risk Assets (Development, test, isolated):
└─ External scan: Quarterly
└─ Internal scan: Quarterly
└─ Container scan: Per release
└─ Web app DAST: Per release

False Positive Management

False Positive Sources:
└─ Scanner misidentifies service version (banner grabbing inaccuracies)
└─ Vulnerability present but not exploitable in context
└─ Compensating control mitigates the risk (e.g., WAF blocks SQLi)
└─ Scanner lacks context (e.g., reports missing patch but server is container)
FP Handling Process:
1. Scan runs → vulnerability reported
2. Analyst reviews finding + context
3. Determines: True positive, False positive, or Accepted risk
4. Document decision in ticketing system
5. Update scanner with exception (if applicable)
6. Re-verify on next scan cycle
FP Rate Targets:
└─ Initial scan: 30-50% false positive rate (expected)
└─ After 3 months tuning: < 15% false positive rate
└─ Mature program: < 10% false positive rate

Tools Comparison

FeatureNessus ProQualysOpenVASRapid7
Price$3,000/year (5 IPs)$0.15/IP/yearFree$3,000/year
Auth scanningExcellentExcellentGoodExcellent
Compliance checksCIS, PCI, HIPAACIS, PCI, HIPAALimitedCIS, PCI, HIPAA
Container scanningYesYesNoNo
Web app scanningBasicYes (WAS)NoYes (AppSpider)
APIREST APIREST APIXML-RPCREST API
False positive rateLowLowModerateLow
DeploymentOn-prem/CloudCloudOn-premOn-prem/Cloud

Key Takeaways

  • Authenticated scanning provides significantly better coverage than unauthenticated — internal view shows installed software, missing patches, and configuration issues that external scanning misses
  • CVSS scores provide a standardised severity rating but have limitations — they measure technical severity, not business risk
  • High-risk assets (internet-facing, PII) need weekly scanning at minimum — low-risk can be quarterly
  • False positives are inevitable but manageable — a mature program achieves < 10% FP rate through systematic triage and tuning
  • Container scanning must be integrated into the CI/CD pipeline — scanning running containers is too late
  • PCI DSS mandates quarterly external and internal scans plus scans after significant changes
  • Vulnerability scanning is a foundation but cannot find everything — combine with penetration testing for business logic flaws
  • Modern scanning tools provide APIs for automation — integrate scanner output with SIEM, ticketing, and patch management

Scanning in CI/CD Pipelines

Integrating vulnerability scanning into CI/CD shifts detection left — finding issues before they reach production:

Pipeline Scan Stages

Commit Stage (per commit, <5 minutes):
└─ IaC scanning: Checkov scans Terraform/CloudFormation for misconfigurations
└─ Container base image scan: Trivy scans Dockerfile FROM image
└─ Dependency scan: Snyk/Grype scans package.json, requirements.txt, pom.xml
└─ SAST: Semgrep scans source code for vulnerabilities
Build Stage (per build, <10 minutes):
└─ Container image scan: Trivy/Grype scans the built container
└─ SBOM generation: Syft generates CycloneDX SBOM
└─ Secret scan: TruffleHog/Gitleaks scans for hardcoded secrets
Deploy Stage (per deployment):
└─ DAST: OWASP ZAP scans the deployed staging environment
└─ Compliance scan: InSpec/Chef Compliance checks against CIS benchmarks
└─ External scan: Temporary cloud-based scanner tests from external perspective
Production (continuous):
└─ Feed scan results to SIEM for correlation with other events
└─ Monitor for new CVEs affecting deployed software versions (SCA continuous monitor)
└─ Agent-based scanning (CSPM agents on cloud workloads)

CI/CD Integration Example (GitLab CI)

vulnerability-scan:
stage: test
script:
# Container scan with Trivy
- trivy image --severity CRITICAL,HIGH --exit-code 1 $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
# Dependency scan with Grype
- grype dir:. --only-fixed --fail-on high
# Generate SBOM
- syft dir:. -o cyclonedx > sbom.cdx.json
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependency_scanning: gl-dependency-scanning-report.json

Container Scanning Deep Dive

Containers present unique scanning challenges because they bundle an entire OS + application stack:

What Container Scanners Check

LayerWhat’s CheckedExample Finding
Base imageOS packages (apt, yum, apk)CVE-2024-xyz in libssl.so (Ubuntu 22.04)
Application dependenciesnpm, pip, maven, go modulesPrototype pollution in lodash@4.17.20
ConfigurationInsecure defaults, hardcoded secretsApplication running as root; DB password in env var
File permissionsWorld-readable sensitive files/etc/shadow has 0644 permissions
MalwareKnown malware signaturesCrypto miner binary detected in image layer

Container Scanning Tools Compared

Tool | Speed | Depth | Formats | Integrations
------------|---------|---------|-----------------------------|---------------------
Trivy | Fastest | Good | Container, FS, Repo, SBOM | Docker, K8s, CI/CD
Grype | Fast | Good | Container, FS, SBOM | Docker, K8s, CI/CD
Clair | Medium | Good | Container | Quay, CoreOS
Snyk | Medium | Best | Container, FS, IaC, Code | All major platforms
Anchore | Medium | Best | Container, SBOM | Docker, CI/CD
Docker Scout | Fast | Good | Container | Docker Hub, CLI

CI/CD Container Scan Gate

Terminal window
# Fail the build if critical vulnerabilities are present
# (that have a fix available)
trivy image \
--severity CRITICAL,HIGH \
--exit-code 1 \
--ignore-unfixed \
my-app:$BUILD_TAG
# Generate detailed report
trivy image \
--format sarif \
--output trivy-results.sarif \
my-app:$BUILD_TAG

Compliance Scanning

Vulnerability scanners also provide compliance checks against industry benchmarks:

CIS Benchmark Scanning

Terminal window
# Nessus CIS compliance scan
# Policy: CIS Microsoft Windows Server 2022 Benchmark
# Runs 200+ checks against the target
# OpenSCAP — open-source compliance scanner
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis \
--results scan-results.xml \
--report scan-report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# InSpec — compliance as code
inspec exec cis-windows-server-2022-baseline \
-t winrm://Administrator@target-host \
--reporter html:inspec-report.html

Compliance Framework Mapping

FrameworkRequired Scan TypeFrequencyMax Acceptable Risk
PCI DSS v4.0External + Internal network scansQuarterly + after changesCVSS < 4.0 (or documented compensating control)
HIPAARisk analysis (includes scanning)Annual + after changesAll findings must be addressed or accepted
SOC 2Vulnerability scanningQuarterlyDefined in organisation risk appetite
ISO 27001Vulnerability scanningMonthly + after changesAll critical/high findings must be remediated
NIST 800-53Continuous monitoring + scanningMonthlyRA-5: scan findings addressed per severity SLA

Vulnerability Scanning Metrics

Key Metrics to Track:
└─ Scan coverage: % of assets scanned in the last 30 days
Target: > 95% of all assets
└─ Mean time to scan: Time from scan trigger to results available
Target: < 4 hours for standard scan, < 1 hour for critical
└─ Vulnerability density: Findings per asset
Target: < 10 critical/high per internet-facing asset
└─ Recurring findings: Same vulnerability reappearing after "fix"
Target: < 5% recurrence rate (indicates process failure)
└─ Scanner health: % of scheduled scans that completed successfully
Target: > 98% scan completion rate
└─ False positive rate: % of findings marked as false positive
Target: < 10% (mature program), < 20% (developing program)
└─ Time to remediate: Mean time from finding to fix
Target: Critical < 7 days, High < 30 days, Medium < 90 days

Key Takeaways

  • Vulnerability scanning is the foundation of any vulnerability management program — without visibility into your vulnerabilities, you cannot prioritise or remediate
  • Authenticated scanning provides significantly better coverage than unauthenticated — internal view shows installed software, missing patches, and configuration issues that external scanning misses
  • CVSS scores provide a standardised severity rating but have limitations — they measure technical severity, not business risk or likelihood of exploitation
  • High-risk assets (internet-facing, PII) need weekly scanning at minimum — low-risk can be quarterly
  • False positives are inevitable but manageable — a mature program achieves < 10% FP rate through systematic triage and tuning
  • Container scanning must be integrated into the CI/CD pipeline — scanning running containers is too late; scan at build time, before deployment
  • CI/CD integration enables shift-left scanning: IaC scanning (commit) → container scanning (build) → DAST (deploy) → compliance scanning (continuous)
  • Compliance frameworks mandate scanning at specific frequencies (PCI DSS quarterly, HIPAA annual, ISO 27001 monthly) — scanning schedules should align with the strictest applicable framework
  • Track scan metrics (coverage, density, recurrence, scanner health, FP rate, time to remediate) to measure program effectiveness
  • Modern scanning tools provide APIs for automation — integrate scanner output with SIEM, ticketing (Jira, ServiceNow), and patch management tools
  • Compliance scanning (CIS benchmarks, OpenSCAP, InSpec) extends traditional vulnerability scanning into configuration auditing — ensuring systems are not just patched but also securely configured
  • The vulnerability scanning landscape is evolving: agent-based scanning, cloud-native scanning (AWS Inspector, Azure Defender), and container-native scanning (Trivy, Grype) complement traditional network-based scanners