We are excited to announce the general availability (GA) of Anka Scan v1.0.0. As development teams increasingly adopt infrastructure-as-code for development and production, the Log4j incident in December 2021 highlighted how important security vulnerability scanning is in both environments.
Developers will not stop using existing libraries and frameworks; organizations will therefore need to adapt their processes to look for bugs and vulnerabilities in all third-party code early in the development cycle.
Anka Scan enables iOS development teams to scan all third-party libraries and packages installed in the Anka Build VM macOS images they use for building and testing, and to check them for security vulnerabilities.
Anka Scan works alongside Anka Build to bring DevSecOps into iOS CI setups. Anka Build turns iOS CI into a more agile infrastructure-as-code setup that delivers at least 50% faster pipeline execution. Anka Scan proactively monitors the third-party packages in iOS build and test environments for security vulnerabilities.
Why do you need Anka Scan?
Security vulnerability scanning with Anka Scan is a new concept for iOS CI workflows. Development teams already run tools like Snyk and others at commit time to flag vulnerabilities in third-party libraries. Some go a step further and do not allow third-party libraries to be downloaded and included from untrusted sources, permitting them only from internal repositories. Once the iOS application code moves on to the build and test stages, however, no one is monitoring the third-party libraries there for security flaws. Malicious actors can deliberately introduce vulnerabilities and other security flaws into the third-party packages used during the build and test of iOS applications, so that those flaws end up in the production application package.
It is therefore imperative to continuously scan all third-party packages for security vulnerabilities during the build and test of iOS applications.
How does Anka Scan work?
Anka Scan discovers all third-party packages and libraries inside the Anka macOS VMs that you use for building and testing your iOS apps.
Scanning for vulnerabilities happens primarily against the VM images stored in the Anka Build Cloud Registry, without needing to run the macOS VMs.
Anka Scan can also scan the entire Registry storage volume or selected VMs on the local machine. Anka Scan is a command-line tool that integrates easily into your existing iOS CI/CD process and infrastructure-as-code-based workflow.
Vulnerability scan reports can be output in multiple formats for ingestion by SOC consoles and other systems.
We look forward to feedback from our users, and more iOS DevSecOps-focused tools are under development.
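To make the workflow above concrete, here is an added Python sketch of the matching and reporting step that any image-level package scanner performs: take the inventory of packages found in a VM image, match it against advisory data, emit a machine-readable report, and apply a severity gate that a CI job can act on. This is illustrative code written for this post, not Anka Scan's own implementation (its internals, report schema and CLI are not described here); the package names, paths, versions and advisory IDs are constructed placeholders.

```python
# Added example: offline package-vulnerability matching for a VM image inventory.
# Not Anka Scan's code; all package and advisory data below is constructed.
import json
import re
from dataclasses import dataclass, asdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed inventory, as a scanner would collect it from a VM image's package metadata.
INVENTORY = [
    {"name": "netkit", "version": "1.4.2", "path": "/usr/local/lib/netkit"},
    {"name": "imgcodec", "version": "3.0.0", "path": "/Users/ci/Library/Frameworks/imgcodec"},
    {"name": "yamlparse", "version": "0.9.1", "path": "/usr/local/lib/yamlparse"},
]

# Constructed advisory feed; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "netkit", "introduced": "1.0.0", "fixed_in": "1.4.3", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "imgcodec", "introduced": "2.0.0", "fixed_in": "3.0.0", "severity": "high"},
    {"id": "EXAMPLE-0003", "package": "yamlparse", "introduced": "0.9.0", "fixed_in": "0.9.2", "severity": "low"},
]


@dataclass
class Finding:
    advisory: str
    package: str
    installed: str
    fixed_in: str
    severity: str
    path: str


def parse_version(v: str) -> tuple:
    """Split a dotted version into comparable integer parts; non-numeric pieces sort lowest."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d+)", piece)
        parts.append(int(m.group(1)) if m else -1)
    return tuple(parts)


def is_affected(installed: str, introduced: str, fixed_in: str) -> bool:
    """A package is affected when introduced <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed_in)


def scan(inventory, advisories):
    """Match every inventory entry against every advisory for the same package name."""
    findings = []
    for pkg in inventory:
        for adv in advisories:
            if adv["package"] != pkg["name"]:
                continue
            if is_affected(pkg["version"], adv["introduced"], adv["fixed_in"]):
                findings.append(Finding(adv["id"], pkg["name"], pkg["version"],
                                        adv["fixed_in"], adv["severity"], pkg["path"]))
    return findings


def to_json_report(findings, image: str) -> str:
    """Serialize findings in a stable JSON layout that a SOC system or CI step can ingest."""
    return json.dumps({"image": image, "findings": [asdict(f) for f in findings]},
                      indent=2, sort_keys=True)


def gate(findings, threshold: str = "high") -> bool:
    """Return True if the image passes: no finding at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return all(SEVERITY_RANK[f.severity] < limit for f in findings)


if __name__ == "__main__":
    found = scan(INVENTORY, ADVISORIES)
    print(to_json_report(found, "ios-build-template"))
    print("PASS" if gate(found) else "FAIL: fix or replace flagged packages before use")
```

In this constructed data netkit 1.4.2 and yamlparse 0.9.1 fall inside their advisory ranges while imgcodec 3.0.0 is exactly the fixed release and is not flagged; because one finding is critical, the gate fails at the default "high" threshold, which is the behaviour you want when the scan runs before a VM image is promoted for builds.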