With Deepfactor, you can:
- Scan your artifacts (container images / filesystem) to generate SBOMs and find SCA vulnerabilities
- Observe your running workloads (container instances / non-containerized applications) for runtime risks
- Correlate findings from artifact scans and running workloads to prioritize vulnerability remediation based on runtime reachability.
The support matrix for each of these use cases is described below.
Support Matrix For Artifact Scanning #
Deepfactor’s artifact scanner detects both OS packages and language-specific application dependencies during the scan. It then retrieves vulnerability information for them from the data sources listed in the following document:
Deepfactor Scanner data sources
Support matrix for container scans #
Deepfactor detects OS packages that were installed through the distribution's package manager and are therefore recorded in its package database. Self-compiled software and binaries copied into the image outside the package manager are not detected and will not appear in the SBOM or the vulnerability results. The following table lists the supported container image types.
OS | Supported Versions | Target Packages | Detection of fixed/unfixed vulnerabilities | Runtime reachability |
---|---|---|---|---|
Alpine Linux | 2.2 – 2.7, 3.0 – 3.19, edge | Installed by apk | Fixed only | Yes |
Wolfi Linux | (n/a) | Installed by apk | Fixed only | Yes |
Red Hat Universal Base Image | 7, 8, 9 | Installed by yum/rpm | Fixed and Unfixed | Yes |
Red Hat Enterprise Linux | 6, 7, 8, 9 | Installed by yum/rpm | Fixed and Unfixed | Yes |
CentOS | 6, 7, 8, 9 | Installed by yum/rpm | Fixed and Unfixed | Yes |
AlmaLinux | 8, 9 | Installed by yum/rpm | Fixed only | Yes |
Rocky Linux | 8, 9 | Installed by yum/rpm | Fixed only | Yes |
Oracle Linux | 5, 6, 7, 8, 9 | Installed by yum/rpm | Fixed only | Yes |
CBL-Mariner | 1.0, 2.0 | Installed by yum/rpm | Fixed and Unfixed | Yes |
Amazon Linux | 1, 2, 2022, 2023 | Installed by yum/rpm | Fixed only | Yes |
openSUSE Leap | 42, 15 | Installed by zypper/rpm | Fixed only | Yes |
SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | Fixed only | Yes |
Photon OS | 1.0, 2.0, 3.0, 4.0 | Installed by tdnf/yum/rpm | Fixed only | Yes |
Debian GNU/Linux | wheezy, jessie, stretch, buster, bullseye, bookworm (i.e., Debian 7 or later) | Installed by apt/apt-get/dpkg | Fixed and Unfixed | Yes |
Ubuntu | All versions supported by Canonical | Installed by apt/apt-get/dpkg | Fixed and Unfixed | Yes |
Distroless | Any | Installed by apt/apt-get/dpkg | Fixed and Unfixed | No |
An artifact scan can be run from a host running any of the operating systems listed above, or from a Windows (10 or later) or macOS (12 or later) host.
Support matrix for language specific dependencies detection #
Deepfactor can detect language-specific application dependencies in your filesystem and container images. It scans the files present in your artifact for language-specific dependency manifests (for example, package-lock.json or Gemfile.lock) to gather the list of application dependencies, then tabulates the vulnerabilities associated with them using data from the vulnerability sources listed here:
Deepfactor Scanner data sources
The following table provides the support matrix for the language-specific dependencies detected by the Deepfactor scanner. Note that the two scan types read different manifests: lock files and build manifests such as package-lock.json, requirements.txt and pom.xml are read by filesystem scans only, while installed-package metadata such as wheel and egg metadata, JAR files and package.json is read by image scans only. An image scan will therefore not report dependencies that exist only in a lock file, and a filesystem scan of a source tree will not report what was actually installed into the image.
Language | Manifest File | Image Scan Supported | Filesystem Scan Supported | Dev Dependencies Included | Runtime Reachability Supported |
---|---|---|---|---|---|
Ruby | Gemfile.lock | No | Yes | Yes | Yes |
Ruby | gemspec | Yes | No | Yes | Yes |
Python | Pipfile.lock | No | Yes | No | Yes |
Python | poetry.lock | No | Yes | No | Yes |
Python | requirements.txt | No | Yes | Yes | Yes |
Python | egg package (*.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO) | Yes | No | No | Yes |
Python | wheel package (.dist-info/METADATA) | Yes | No | No | Yes |
PHP | composer.lock | No | Yes | Yes | Yes |
PHP | installed.json | Yes | No | No | Yes |
Node.js | package-lock.json | No | Yes | No | Yes |
Node.js | yarn.lock | No | Yes | Yes | Yes |
Node.js | pnpm-lock.yaml | No | Yes | No | Yes |
Node.js | package.json | Yes | No | Yes | Yes |
.NET Core (Linux) | packages.lock.json | Yes | Yes | Yes | No |
.NET (Windows) | packages.lock.json | No | Yes | Yes | No |
.NET (Windows) | packages.config | Yes | Yes | No | No |
.NET (Windows) | .deps.json | Yes | Yes | No | No |
.NET (Windows) | packages.props | Yes | Yes | No | No |
Java / Scala / Kotlin | JAR/WAR/PAR/EAR (*.jar, *.war, *.par and *.ear) | Yes | No | Yes | Yes |
Java / Scala / Kotlin | pom.xml | No | Yes | No | Yes |
Java / Scala / Kotlin | *gradle.lockfile | No | Yes | No | Yes |
Go | Binaries built by Go tools | Yes | No | No | Yes |
Go | go.mod (for Go 1.17 or older, go.sum is also required) | No | Yes | Yes | Yes |
Rust | Cargo.lock | Yes | Yes | Yes | No |
Rust | Binaries built with cargo-auditable | Yes | No | No | No |
C/C++ | conan.lock | No | Yes | No | No |
Elixir | mix.lock | No | Yes | No | No |
Dart | pubspec.lock | No | Yes | Yes | No |
Swift | Podfile.lock | No | Yes | Yes | No |
Swift | Package.resolved | No | Yes | Yes | No |
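Because image scans and filesystem scans read different manifests, it is worth knowing before a scan which of the files in the table an artifact actually contains and which of them the chosen scan mode will ignore. The following Python script is an added example, not Deepfactor's code and not a description of how its scanner is implemented: it walks an unpacked artifact and classifies every supported manifest it finds as detected or ignored for a given scan mode. The manifest patterns come from the table above; the OS package database paths (lib/apk/db/installed, var/lib/dpkg/status, var/lib/rpm and usr/lib/sysimage/rpm) are my assumption about where a scanner finds packages installed by apk, dpkg or rpm, since the page names the package managers but not the paths; the sample tree is constructed inline.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Manifest patterns from the support matrix above, matched against the path
# relative to the artifact root: pattern -> (ecosystem, image scan, filesystem scan).
MANIFEST_RULES = {
    "Gemfile.lock": ("Ruby", False, True),
    "*.gemspec": ("Ruby", True, False),
    "Pipfile.lock": ("Python", False, True),
    "poetry.lock": ("Python", False, True),
    "requirements.txt": ("Python", False, True),
    "*.egg-info": ("Python", True, False),
    "*.egg": ("Python", True, False),
    "*.dist-info/METADATA": ("Python", True, False),
    "composer.lock": ("PHP", False, True),
    "installed.json": ("PHP", True, False),
    "package-lock.json": ("Node.js", False, True),
    "yarn.lock": ("Node.js", False, True),
    "pnpm-lock.yaml": ("Node.js", False, True),
    "package.json": ("Node.js", True, False),
    "*.jar": ("Java", True, False),
    "*.war": ("Java", True, False),
    "*.par": ("Java", True, False),
    "*.ear": ("Java", True, False),
    "pom.xml": ("Java", False, True),
    "*gradle.lockfile": ("Java", False, True),
    "go.mod": ("Go", False, True),
    "Cargo.lock": ("Rust", True, True),
    "conan.lock": ("C/C++", False, True),
    "mix.lock": ("Elixir", False, True),
    "pubspec.lock": ("Dart", False, True),
    "Podfile.lock": ("Swift", False, True),
    "Package.resolved": ("Swift", False, True),
}

# Assumption (not stated on the page): the package databases a scanner reads to find
# packages "installed using the package manager" live at these well-known paths.
OS_PACKAGE_DBS = {
    "apk": ["lib/apk/db/installed"],
    "dpkg": ["var/lib/dpkg/status"],
    "rpm": ["var/lib/rpm", "usr/lib/sysimage/rpm"],
}


def match_manifest(rel):
    """Return (ecosystem, in_image_scan, in_filesystem_scan) for a relative path, or None."""
    for pattern, rule in MANIFEST_RULES.items():
        # fnmatch's '*' also spans '/', so '*.jar' matches at any depth; bare names
        # like 'package.json' need the '*/' prefix to match below the root.
        if fnmatch.fnmatch(rel, pattern) or fnmatch.fnmatch(rel, "*/" + pattern):
            return rule
    return None


def inventory(root, mode):
    """Walk an unpacked artifact and report what a scan in 'image' or 'filesystem'
    mode would detect, plus the supported manifests that mode would ignore."""
    if mode not in ("image", "filesystem"):
        raise ValueError("mode must be 'image' or 'filesystem'")
    root_path = Path(root)
    report = {"os_package_manager": None, "detected": [], "ignored": []}
    for manager, paths in OS_PACKAGE_DBS.items():
        if any((root_path / p).exists() for p in paths):
            report["os_package_manager"] = manager
            break
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:          # egg-info entries are directories
            rel = (Path(dirpath) / name).relative_to(root_path).as_posix()
            rule = match_manifest(rel)
            if rule is None:
                continue
            ecosystem, in_image, in_fs = rule
            picked_up = in_image if mode == "image" else in_fs
            report["detected" if picked_up else "ignored"].append((rel, ecosystem))
    report["detected"].sort()
    report["ignored"].sort()
    return report


def make_sample_artifact():
    """Constructed sample standing in for an unpacked container image (empty files)."""
    root = tempfile.mkdtemp(prefix="artifact-")
    for rel in [
        "var/lib/dpkg/status",                                        # Debian/Ubuntu package DB
        "app/requirements.txt",                                       # filesystem scan only
        "app/package-lock.json",                                      # filesystem scan only
        "app/package.json",                                           # image scan only
        "app/lib/app.jar",                                            # image scan only
        "usr/lib/python3/site-packages/requests-2.31.0.dist-info/METADATA",  # image scan only
    ]:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
    return root
```

Point inventory() at an image root unpacked with your container tooling (or at a source checkout) and compare the two modes: on the constructed sample, an image scan sees the JAR, package.json and the installed wheel metadata but ignores requirements.txt and package-lock.json, while a filesystem scan sees exactly the opposite set. Anything in the "ignored" list is a dependency you will only get by running the other scan type.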
OS Support Matrix For Runtime SCA & Runtime Security #
In addition to scanning artifacts, Deepfactor can also observe running workloads (whether or not they run inside a container) to detect runtime security risks. Deepfactor's instrumentation is language agnostic and can observe applications written in any programming language, but support depends on the OS distribution the application runs on, as shown in the following table.
Supported Operating System | Traditional / Non-Container Deployments | Kubernetes Deployments (any node OS): Pod Image OS | Container Deployments Without Kubernetes (Docker runtime only): Container Host OS | Container Deployments Without Kubernetes (Docker runtime only): Container Base Image |
---|---|---|---|---|
Ubuntu 18.04 & above | Yes | Yes | Yes | Yes |
CentOS 7 & above | Yes | Yes | Yes | Yes |
RedHat 7 & above | Yes | Yes | Yes | Yes |
Pop!_OS 18.04 & above | Yes | Yes | Yes | Yes |
Alpine 3.9 & above | Yes | Yes | No | Yes |
Debian 10 & above | Yes | Yes | Yes | Yes |
Amazon Linux 1 and 2 | Yes | Yes | Yes | Yes |
Oracle Linux 7.x & 8.x | Yes | Yes | Yes | Yes |
Rocky Linux 8.x | Yes | Yes | Yes | Yes |
Chainguard (Wolfi, Alpine, Melange) | No | Yes | Yes | Yes |
SUSE SLES 12 SP5 & SUSE SLES 15 SP2 | Yes | Yes | Yes | Yes |
Distributions Not Listed Above
- Any Linux distribution running glibc version 2.17 or later (or musl 1.1.20-r5 or later on Alpine) is supported by Deepfactor, but telemetry data may be limited if the distribution does not use rpm, dpkg or apk package management (e.g. Arch Linux).
Kubernetes deployments
- To instrument Kubernetes workloads, Deepfactor provides a mutating admission webhook. The webhook requires Kubernetes 1.23 or later.
Which scenarios are not supported by Deepfactor for artifact scanning?
- Android and iOS applications/hosts
- Windows containers (e.g. containers running Windows applications)
Which application types are not supported by Deepfactor for runtime SCA/runtime security?
- Android and iOS applications
- Windows applications
- macOS applications
- Statically linked applications (other than Go applications)
Serverless functions
Serverless functions can be scanned by the Deepfactor artifact scanner if any of the following scenarios apply:
- The function is deployed in a container using one of the supported language configurations listed above
- The function’s source code is available and uses one of the supported language configurations listed above
Network requirements
- To post artifact scan results and upload application telemetry, the product requires network connectivity to the Deepfactor SaaS management portal. Customers with air-gapped environments may opt to install the self-managed on-premises version instead.
Other notes
- Deepfactor sets LD_PRELOAD to inject its runtime into your application. If another tool already sets LD_PRELOAD for the same process, Deepfactor will not be able to observe that application, so check the process environment for an existing LD_PRELOAD before deploying.
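The runtime prerequisites stated on this page (a glibc or musl at or above the listed minimum, no other tool occupying LD_PRELOAD, and a dynamically linked binary unless it is a Go program) can all be checked before the instrumentation is rolled out. The following Python preflight script is an added example, not Deepfactor's own tooling: elf_interpreter and link_kind read a binary's ELF program headers for a PT_INTERP entry, which is what LD_PRELOAD injection depends on; ld_preload_conflicts reports preload libraries already in force (the /etc/ld.so.preload check is my addition, the page only mentions the LD_PRELOAD variable); libc_supported applies the version minimums from the "Distributions Not Listed Above" note; build_sample_elf constructs a throwaway ELF header so the script runs without a real binary. Recognising statically linked Go programs by their embedded build-info magic is a heuristic I chose, not something the page describes.

```python
import ctypes
import struct

PT_INTERP = 3                                    # program header that names the dynamic loader
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"        # marker of Go's embedded build info (heuristic)
MIN_LIBC = {"glibc": "2.17", "musl": "1.1.20"}   # minimums from the note above (-r5 is Alpine's package release)


def elf_interpreter(data):
    """Return the PT_INTERP path of an ELF image (bytes), or None if it has no
    interpreter, i.e. is statically linked. Handles ELF32/ELF64 and both byte orders."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    e = "<" if data[5] == 1 else ">"
    if is64:
        (e_phoff,) = struct.unpack_from(e + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(e + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(e + "I", data, off)
        if p_type != PT_INTERP:
            continue
        if is64:   # ELF64: p_type, p_flags, then p_offset, p_vaddr, p_paddr, p_filesz
            p_offset, _, _, p_filesz = struct.unpack_from(e + "QQQQ", data, off + 8)
        else:      # ELF32 puts p_flags last, so the offsets follow p_type directly
            p_offset, _, _, p_filesz = struct.unpack_from(e + "IIII", data, off + 4)
        return data[p_offset:p_offset + p_filesz].rstrip(b"\0")
    return None


def link_kind(data):
    """Classify a binary for LD_PRELOAD-based instrumentation:
    'dynamic'   - has a loader, so LD_PRELOAD injection can work
    'static-go' - no loader but Go build info present (the one static case the page supports)
    'static'    - statically linked, cannot be observed via LD_PRELOAD"""
    if elf_interpreter(data) is not None:
        return "dynamic"
    if GO_BUILDINFO_MAGIC in data:   # heuristic: Go embeds this magic in its build-info section
        return "static-go"
    return "static"


def ld_preload_conflicts(env, ld_so_preload_text=""):
    """List preload libraries already in force before Deepfactor's runtime is injected.
    LD_PRELOAD is what the note above refers to; /etc/ld.so.preload (pass its contents)
    is the loader's system-wide equivalent and is checked here as well (my addition)."""
    entries = env.get("LD_PRELOAD", "").replace(":", " ").split()   # ':' or space separated
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def libc_supported(flavor, version):
    """Compare a libc version string ('2.31', '1.2.4-r1') against the page's minimum."""
    def parse(v):
        return tuple(int(p) for p in v.split("-", 1)[0].split("."))
    return parse(version) >= parse(MIN_LIBC[flavor])


def host_glibc_version():
    """Version reported by the running glibc, or None on musl / non-glibc hosts."""
    try:
        fn = ctypes.CDLL(None).gnu_get_libc_version
        fn.restype = ctypes.c_char_p
        return fn().decode()
    except (OSError, AttributeError, TypeError):
        return None


def build_sample_elf(interp):
    """Constructed sample: a minimal ELF64 little-endian header with an optional
    PT_INTERP entry. It is not a runnable program; it only exercises the parser."""
    phnum = 1 if interp is not None else 0
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    image = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, phoff, 0, 0,
                                64, phentsize, phnum, 64, 0, 0)
    if interp is not None:
        path = interp + b"\0"
        image += struct.pack("<IIQQQQQQ", PT_INTERP, 4, phoff + phentsize, 0, 0,
                             len(path), len(path), 1)
        image += path
    return image
```

In practice you would call link_kind(open(path, "rb").read()) on the application's entry-point binary, ld_preload_conflicts(dict(os.environ), open("/etc/ld.so.preload").read()) on the host or inside the container, and libc_supported("glibc", host_glibc_version()) on glibc systems. A result other than "dynamic" or "static-go", a non-empty conflict list, or a libc below the minimum each means the workload will not be observed, which is cheaper to learn from a preflight than from missing telemetry.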