ppanigra/security-stuff

Scripts to run security scans and create simple reports
Security Stuff

A collection of security analysis tools for container images and vulnerability management.

Overview

This repository contains tools to analyze and compare security vulnerabilities in container images, helping you make informed decisions about image upgrades and security posture improvements.

Tools

security-diff.sh

A comprehensive script to compare the CVEs (Common Vulnerabilities and Exposures) found in two tags of the same container image.

Features

  • CVE Comparison: Analyze Critical and High severity vulnerabilities between image tags
  • Security Metrics: Calculate percentage improvements/regressions in security posture
  • Detailed Analysis: Shows which CVEs were addressed, newly added, or remain unaddressed
  • Consolidated Reporting: Combines Critical and High severity data in easy-to-read tables

Usage

./security-diff.sh <image> <tag1> <tag2>

Example:

./security-diff.sh redis/redis-stack-server 7.0.6 7.2.3

Sample Output

CVE Overview: redis/redis-stack-server
==============================================
Severity             | 7.0.6      | 7.2.3      | Change %  
----------------------------------------------
Critical CVEs        | 2          | 0          | 100.0%    
High CVEs            | 4          | 2          | 50.0%     
----------------------------------------------
Total CVEs           | 6          | 2          | 66.7%     
==============================================

Security Improvement Analysis:
================================================
✅ Overall Security Improvement: 66.7% reduction in CVEs
🔥 Critical CVEs: 100.0% reduction
🟡 High CVEs: 50.0% reduction
================================================

Detailed CVE Analysis:
========================================
📈 CVEs Addressed in 7.2.3 (Total: 4)
----------------------------------------
Critical (2):
  - CVE-2022-48174
  - CVE-2023-22458

High (2):
  - CVE-2022-35977
  - CVE-2023-25155

⚠️  CVEs Not Addressed (Total: 2)
----------------------------------------
High (2):
  - CVE-2023-41056
  - CVE-2023-28425
========================================
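To show how the tables above are derived from scanner output, here is an added Python re-implementation of the comparison logic; it is not the repository's own script (which is bash and uses jq). It assumes grype's JSON layout (`matches[].vulnerability.id` and `.severity`) and feeds it constructed scan results that reproduce the sample numbers, while also deduplicating a CVE reported against two packages and returning None instead of dividing by zero when the baseline tag has no CVEs at a severity.

```python
import json

# Constructed stand-ins for `grype <image>:<tag> -o json`; only matches[].vulnerability.{id,severity} are kept.
GRYPE_TAG1 = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-48174", "severity": "Critical"}},
    {"vulnerability": {"id": "CVE-2023-22458", "severity": "Critical"}},
    {"vulnerability": {"id": "CVE-2022-35977", "severity": "High"}},
    {"vulnerability": {"id": "CVE-2023-25155", "severity": "High"}},
    {"vulnerability": {"id": "CVE-2023-41056", "severity": "High"}},
    {"vulnerability": {"id": "CVE-2023-28425", "severity": "High"}},
    {"vulnerability": {"id": "CVE-2023-28425", "severity": "High"}},  # same CVE, second package: count once
]})
GRYPE_TAG2 = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-41056", "severity": "High"}},
    {"vulnerability": {"id": "CVE-2023-28425", "severity": "High"}},
]})
SEVERITIES = ("Critical", "High")


def cve_sets(grype_json):
    """Map each compared severity to the set of distinct CVE ids grype reported."""
    out = {s: set() for s in SEVERITIES}
    for m in json.loads(grype_json).get("matches", []):
        v = m["vulnerability"]
        if v["severity"] in out:
            out[v["severity"]].add(v["id"])
    return out


def pct_change(before, after):
    """Percent reduction (negative = regression); None when before == 0, so no division by zero."""
    return None if before == 0 else round((before - after) * 100.0 / before, 1)


def compare(tag1_json, tag2_json):
    """Build the per-severity and total comparison that the script's tables show."""
    a, b = cve_sets(tag1_json), cve_sets(tag2_json)
    report = {}
    for s in SEVERITIES:
        report[s] = {
            "before": len(a[s]), "after": len(b[s]), "change_pct": pct_change(len(a[s]), len(b[s])),
            "addressed": sorted(a[s] - b[s]),    # in tag1, gone in tag2
            "new": sorted(b[s] - a[s]),          # introduced by tag2
            "unaddressed": sorted(a[s] & b[s]),  # present in both tags
        }
    tb = sum(report[s]["before"] for s in SEVERITIES)
    ta = sum(report[s]["after"] for s in SEVERITIES)
    report["Total"] = {"before": tb, "after": ta, "change_pct": pct_change(tb, ta)}
    return report
```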

Requirements

  • grype: Container vulnerability scanner by Anchore
  • jq: JSON processor for parsing vulnerability data
  • bash: Script execution environment
  • Optional: bc for high-precision calculations (falls back to awk)

Installation

  1. Install grype:

    curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
  2. Install jq:

    # Ubuntu/Debian
    sudo apt-get install jq
    
    # RHEL/CentOS
    sudo yum install jq
    
    # macOS
    brew install jq
  3. Make the script executable:

    chmod +x security-diff.sh

Security Metrics Notes

The percentage reduction metric provides a quick overview but has limitations:

  • Severity weighting: Doesn't account for CVSS scores or exploit availability
  • Context missing: Doesn't consider CVE age or business impact
  • Simple counting: Treats all CVEs within a severity level equally

For production security assessments, consider additional metrics like:

  • CVSS-weighted risk scores
  • Exploitability analysis (CISA KEV, EPSS scores)
  • Temporal factors (CVE age, patch availability)
  • Business impact assessment

Contributing

Feel free to submit issues, feature requests, or pull requests to improve these security tools.

Disclaimer

This tool was authored by Claude Sonnet 4, an AI assistant by Anthropic. While designed to provide useful security analysis, users should:

  • Validate results against official security sources
  • Use as one input in comprehensive security assessments
  • Not rely solely on these metrics for critical security decisions
  • Review and test the scripts in their specific environments

The authors and contributors are not responsible for any security decisions made based on this tool's output.


Generated with ❤️ by Claude Sonnet 4
