review comments
karanibm6 committed Jul 16, 2024
1 parent ac02d62 commit 3c3dba6
Showing 1 changed file with 22 additions and 18 deletions.
40 changes: 22 additions & 18 deletions content/en/blog/posts/2024-07-15-vulnerability-scanning.md
@@ -1,39 +1,43 @@
---
title: "Building Secure Container images with Shipwright"
date: 2024-07-15T14:20:01-04:00
date: 2024-07-15T00:00:00-00:00
draft: false
author: "Karan Kumar ([@karanibm6](https://github.com/karanibm6))"
---

## Introduction

In the modern software development era, containers have become an essential tool for developers. They offer a consistent environment for applications to run, making it easier to develop, test, and deploy software across different platforms. However, like any other technology, containers are not immune to security vulnerabilities. This is where vulnerability scanning for container images becomes crucial.
In this blog, we will discuss how to run vulnerability scanning on container images with [Shipwright](https://shipwright.io/) while building those images. Before jumping into this feature, let's explain what Shipwright is and why vulnerability scanning is important.
In this blog, we will discuss how to run vulnerability scanning on container images with [Shipwright](https://shipwright.io/) while building those images.

Before jumping into this feature, let's explain what Shipwright is and why vulnerability scanning is important.

## What is Shipwright

[Shipwright](https://shipwright.io/) is an open-source framework designed to facilitate the building of container images directly within Kubernetes environments. It aims to streamline the development and deployment process by providing a native Kubernetes solution for creating container images from source code.
Shipwright supports multiple build strategies and tools, such as Kaniko and Buildah, providing flexibility and extensibility to meet various application needs. This Kubernetes-native solution helps ensure that container images are built efficiently and securely, leveraging the strengths of the Kubernetes ecosystem
Shipwright supports multiple build strategies and tools, such as Kaniko, Paketo Buildpacks, Ko, Buildkit and Buildah, providing flexibility and extensibility to meet various application needs. This Kubernetes-native solution helps ensure that container images are built efficiently and securely, leveraging the strengths of the Kubernetes ecosystem.

Shipwright consists of four core components:
1. BuildStrategy and ClusterBuildStrategy - defines how to build an application for an image building tool.
2. Build - defines what to build, and where the application should be delivered.
3. BuildRun - invokes the build, telling the Kubernetes cluster when to build your application.
1. **Build** - defines **what** source code are you trying to build from, and **where** the resulting container image should be publish(the what and where?).
2. **BuildRun** - defines the **when** to trigger the building mechanism, telling the Kubernetes cluster when to build your application(the when?).
3. **BuildStrategy and ClusterBuildStrategy** - defines **how** your application is assembled and which build tool to use(how to build?).

You can learn more by visiting this [link](https://shipwright.io/blog/2020/11/30/introducing-shipwright-part-2/#the-build-apis).

## Why is Vulnerability Scanning Important?

Vulnerability scanning for container images involves examining the image for known security vulnerabilities. This is typically done using automated tools that compare the contents of the image against a database of known vulnerabilities. The key reasons for Vulnerability Scanning are:
Security: Containers often include third-party libraries and dependencies, which might have known vulnerabilities. If these vulnerabilities are exploited, they can lead to data breaches, unauthorized access, and other security incidents.
Compliance: Many industries have regulatory requirements that mandate regular security assessments, including vulnerability scanning. Ensuring your container images are free from known vulnerabilities helps in meeting these compliance standards.
Stability: Vulnerabilities can also impact the stability and performance of your applications. By identifying and fixing these issues early, you can maintain the reliability of your software.
- **Security**: Containers often include third-party libraries and dependencies, which might have known vulnerabilities. If these vulnerabilities are exploited, they can lead to data breaches, unauthorized access, and other security incidents.
- **Compliance: Many industries have regulatory requirements that mandate regular security assessments, including vulnerability scanning. Ensuring your container images are free from known vulnerabilities helps in meeting these compliance standards.
- **Stability**: Vulnerabilities can also impact the stability and performance of your applications. By identifying and fixing these issues early, you can maintain the reliability of your software.

There are many popular tools available for vulnerability scanning of container images, such as Clair, Trivy, Aqua Security, and Snyk.

There are many popular tools available for vulnerability scanning of container images, such as Clair, Trivy, Aqua Security, and Snyk. In Shipwright, we use Trivy under the covers for vulnerability scanning.
In Shipwright, we use Trivy under the covers for vulnerability scanning, our rational for choosing this tool can be found in our [SHIP-0033](https://github.com/shipwright-io/community/blob/main/ships/0033-build-output-vulnerability-scanning.md).

## Vulnerability Scanning in Shipwright

Before we dive in how it works, lets explore the options offered by shipwright for vulnerability scanning of container builds :
Before we dive in how it works, lets explore the features offered by Shipwright for vulnerability scanning of container builds :

```yaml
spec:
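Review bot: the new `- **Compliance: Many industries ...` bullet is missing its closing `**`, so the bold never terminates and the rest of the item renders wrong; make it `- **Compliance**: Many industries ...` to match the Security and Stability bullets. In the rewritten components list, "where the resulting container image should be publish(the what and where?)" should read "should be published (the what and where?)", and "defines the **when** to trigger" reads better as "defines **when** to trigger". The added SHIP-0033 sentence has "rational" for "rationale" and is a comma splice; split it into "... for vulnerability scanning. Our rationale for choosing this tool can be found in [SHIP-0033](...)". Just above the YAML, "Before we dive in how it works, lets explore ... container builds :" needs "dive into how", "let's", and no space before the colon. Minor: the tool is spelled "BuildKit" by its project.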
@@ -51,18 +55,18 @@ spec:
**Configuration Options**
- vulnerabilityScan.enabled - Specify whether to run vulnerability scan for image. The supported values are true and false.
- vulnerabilityScan.failOnFinding - indicates whether to fail the build run if the vulnerability scan results in vulnerabilities. The supported values are true and false. This field is optional and false by default.
- vulnerabilityScan.ignore.issues - references the security issues to be ignored in vulnerability scan
- vulnerabilityScan.ignore.severity - denotes the severity levels of security issues to be ignored, valid values are :
- `vulnerabilityScan.failOnFinding`:  Indicates whether to fail the build run if the vulnerability scan results in vulnerabilities. The supported values are true and false. This field is optional and false by default.
- `vulnerabilityScan.ignore.issues`:  References the security issues to be ignored in vulnerability scan
- `vulnerabilityScan.ignore.severity`:  Denotes the severity levels of security issues to be ignored, valid values are :
- low : it will exclude low severity vulnerabilities, displaying only medium, high and critical vulnerabilities
- medium : it will exclude low and medium severity vulnerabilities, displaying only high and critical vulnerabilities
- high : it will exclude low, medium and high severity vulnerabilities, displaying only the critical vulnerabilities
- vulnerabilityScan.ignore.unfixed - indicates to ignore vulnerabilities for which no fix exists. The supported types are true and false.
- `vulnerabilityScan.ignore.unfixed`:  Indicates to ignore vulnerabilities for which no fix exists. The supported types are true and false.

## Lets dive right in

Now, let's see vulnerability scanning for a container image with Shipwright in action.
If you want to try out in kind cluster, follow the steps from [this](https://github.com/shipwright-io/build?tab=readme-ov-file#try-it) section till you create the push secret.
If you want to try out in kind cluster, follow the steps from [this](https://github.com/shipwright-io/build?tab=readme-ov-file#try-it) section until you create the push secret.
As a next step, create a build object with vulnerability scanning enabled, replacing <REGISTRY_ORG> with the registry username your push-secret have access to:

```yaml
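Review bot: the rewritten option list has no entry for `vulnerabilityScan.enabled`; the removed lines documented it, but the new ones start at `vulnerabilityScan.failOnFinding`, so either it was dropped by mistake or it should be restored above `failOnFinding` in the same backtick style. On the "create a build object" line, `<REGISTRY_ORG>` is bare; markdown renderers treat it as an inline HTML tag and drop it, so wrap it in backticks. Smaller points in the new lines: the double space after each colon, the space before the colon in "valid values are :", "supported types" should be "supported values", "ignored in vulnerability scan" lacks a full stop, and "the registry username your push-secret have access to" should be "has access to".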
@@ -127,7 +131,7 @@ buildah-golang-buildrun-s9gsh False VulnerabilitiesFound 2m54s 9

Here, you can see that the buildrun failed with reason `VulnerabilitiesFound` and it will not push the image to the registry as the failOnFinding option is set to true.

And one can find the list of vulnerabilities in the build run status.Output
And one can find the list of vulnerabilities in the build run under the `.status.output` path:

```yaml
apiVersion: shipwright.io/v1beta1
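Review bot: the new line puts `.status.output` in backticks, which is good, but the sentence just above it still has `failOnFinding` unformatted while `VulnerabilitiesFound` is in backticks; for consistency write `vulnerabilityScan.failOnFinding` in backticks there too. "And one can find the list of vulnerabilities in the build run under the `.status.output` path:" also reads better without the leading "And", e.g. "The list of vulnerabilities is available in the BuildRun under `.status.output`:".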
@@ -201,4 +205,4 @@ status:

## Conclusion

Shipwright offers a robust and flexible solution for building container images within Kubernetes environments. By integrating vulnerability scanning directly into the build process, Shipwright ensures that container images are secure and compliant with industry standards.
Shipwright offers a robust and flexible solution for building container images within Kubernetes environments. By integrating vulnerability scanning directly into the build process, Shipwright ensures that container images are secure and compliant with Industry Standards and gets closer to Supply Chain Security Best Practices.
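Review bot: the new conclusion overstates what the feature delivers; a scan against a vulnerability database only surfaces known vulnerabilities, so "ensures that container images are secure" should be softened to something like "helps catch known vulnerabilities before an image is published". The added clause also breaks agreement ("Shipwright ensures ... and gets closer to") and capitalizes "Industry Standards" and "Supply Chain Security Best Practices" as if they were proper nouns; lower-case them.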
