It’s common that an organization’s macOS build system will download thousands, sometimes tens of thousands of third-party dependencies every hour. When building and testing iOS applications, it typically downloads and installs third-party dependencies directly on the host machine used by your build system. These dependencies can be libraries, frameworks, or even entire applications. Along with these dependencies are potential security vulnerabilities. If these vulnerabilities are not patched, they can be exploited by attackers to gain access to the CI systems and even be included in the final build released to your users. This is why we’ve created a solution for real-time CVE scanning of your macOS build systems.
Traditional CVE scanning tools for macOS are typically avoided for scanning of CVEs during the build as they consume significant computing resources and impact the performance of the build and test jobs. This can lead to delays and failures which are painful to diagnose.
Veertu’s Mac Scan is built specifically to address this challenge. Veertu’s Mac Scan is a CVE scanning tool that is specifically designed to be used in iOS CI or macOS build and test environments. It runs in two modes: full scan and real-time scan.
The full scan mode scans the entire filesystem or a specific path for known CVEs. The real-time scan mode scans all filesystem change events (downloads, installs, etc) for known CVEs.
❯ mac-scan-cli full-scan
The real-time-scan mode is designed to be used in CI/CD pipelines or on developer machines, catching problems before they are published or available to end users. It’s designed to use minimal resources and has been proven to not impact build times.
❯ mac-scan-cli status Service State: Active Real-Time Scan State: Stopped ❯ mac-scan-cli real-time-scan start ❯ mac-scan-cli status Service State: Active Real-Time Scan State: Running
Once scanned, results are available through the CLI or even a REST API. They can be formatted as json, sorted, and even filtered.
Veertu’s Mac Scan guarantees that any accidental or untracked downloads will not result in the introduction of known CVE on the sensitive build and test CI systems. This is because the real-time scan mode scans all events on the filesystem, including downloads. Veertu’s Mac Scan works on bare metal mac hosts, AWS EC2 Macs, and also inside macOS VMs.
We recommend that build system engineers, especially iOS DevOps teams, install Veertu’s Mac Scan on their build systems and integrate the real-time scan in their CI/CD pipeline execution. This will help to ensure that their build and test systems are free of known CVEs.