Real-Time CVE Scanning of your macOS Build Systems

An organization’s macOS build system commonly downloads thousands, sometimes tens of thousands, of third-party dependencies every hour. When building and testing iOS applications, the build system typically downloads and installs these dependencies directly on the host machine. They can be libraries, frameworks, or even entire applications, and they can bring security vulnerabilities with them. If these vulnerabilities are not patched, attackers can exploit them to gain access to the CI systems, and the vulnerable code can even be included in the final build released to your users. This is why we’ve created a solution for real-time CVE scanning of your macOS build systems.

Traditional CVE scanning tools for macOS are typically not run during the build because they consume significant computing resources and slow down the build and test jobs. This can lead to delays and failures which are painful to diagnose.

Veertu’s Mac Scan is built specifically to address this challenge. It is a CVE scanning tool designed for use in iOS CI or macOS build and test environments. It runs in two modes: full scan and real-time scan.

The full scan mode scans the entire filesystem or a specific path for known CVEs. The real-time scan mode scans all filesystem change events (downloads, installs, etc.) for known CVEs.

❯ mac-scan-cli full-scan

The real-time-scan mode is designed to be used in CI/CD pipelines or on developer machines, catching problems before they are published or available to end users. It’s designed to use minimal resources and has been proven to not impact build times.

❯ mac-scan-cli status
Service State: 		Active
Real-Time Scan State: 	Stopped

❯ mac-scan-cli real-time-scan start

❯ mac-scan-cli status
Service State: 		Active
Real-Time Scan State: 	Running


Once a scan has run, results are available through the CLI or a REST API. They can be formatted as JSON, sorted, and filtered.

Veertu’s Mac Scan guarantees that any accidental or untracked downloads will not result in the introduction of known CVEs on the sensitive build and test CI systems. This is because the real-time scan mode scans all events on the filesystem, including downloads. Veertu’s Mac Scan works on bare metal Mac hosts, AWS EC2 Macs, and also inside macOS VMs.

We recommend that build system engineers, especially iOS DevOps teams, install Veertu’s Mac Scan on their build systems and integrate the real-time scan in their CI/CD pipeline execution. This will help to ensure that their build and test systems are free of known CVEs.
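
One way to make the status and start commands shown above the first step of a pipeline job, as an added example that is not Veertu’s own code. The `MAC_SCAN_CLI` override, the `--enforce` argument and the return codes are assumptions of this example; only the `status` and `real-time-scan start` invocations and the `Active`/`Running` values come from the post.

```shell
#!/bin/sh
# Added example: pre-build guard around the mac-scan-cli commands shown in the post.
# MAC_SCAN_CLI is an assumption of this example, so the command can be overridden.
MAC_SCAN_CLI="${MAC_SCAN_CLI:-mac-scan-cli}"

# Print the value of one field of `status` output read from stdin.
# The output pads values with spaces and tabs after the colon, so trim both.
status_field() {
  awk -F: -v key="$1" '
    $1 == key { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; found = 1; exit }
    END { if (!found) exit 1 }'
}

# Return codes (this example's own convention):
#   0 real-time scan is running (started here if it was stopped)
#   1 service not active or status unreadable
#   2 real-time scan could not be brought to Running
ensure_realtime_scan() {
  _out="$($MAC_SCAN_CLI status)" || return 1
  _svc="$(printf '%s\n' "$_out" | status_field 'Service State')" || return 1
  [ "$_svc" = "Active" ] || return 1
  _scan="$(printf '%s\n' "$_out" | status_field 'Real-Time Scan State')" || return 1
  if [ "$_scan" != "Running" ]; then
    $MAC_SCAN_CLI real-time-scan start || return 2
    # Re-read the state rather than trusting the start command's exit code.
    _scan="$($MAC_SCAN_CLI status | status_field 'Real-Time Scan State')" || return 2
  fi
  [ "$_scan" = "Running" ] || return 2
}

# Run as the first step of a job: fail closed so no dependency is fetched unscanned.
if [ "${1:-}" = "--enforce" ]; then
  ensure_realtime_scan || { echo "mac-scan guard failed (rc=$?)" >&2; exit 1; }
fi
```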
