Purpose
LILT shall perform a static vulnerability analysis of all Docker images provided to Customer before delivery. The purpose is to keep known common vulnerabilities and exposures (CVEs) from deployment on secure systems.Analysis
LILT uses Grype, an open source project by Anchore, and a comprehensive vulnerability/misconfiguration scanner for containers and other artifacts.Vulnerability Levels
- LILT shall attempt to resolve all CRITICAL, HIGH, MEDIUM, and LOW CVEs with known fixes in advance of any deliverable.
- LILT will track any CRITICAL, HIGH, MEDIUM, and LOW that have no known fixes and resolve them in advance of the next deliverable after fixes are reported or other alternatives are found to mitigate the CVE issue while also keeping the LILT application operational.
- In instances where vulnerabilities cannot be resolved because they would impair functionality of the LILT system, such vulnerabilities shall be documented with an explanation.
- INFORMATIONAL/NEGLIGABLE CVEs shall not be regularly resolved.
- LILT resolves CRITICAL and HIGH CVEs within its images as part of continuous CVE evaluation and hardening. The LILT target for CVE remediation for this severity is 7 days but varies with development effort and available CVE resolutions.
- LILT evaluates MEDIUM and LOW CVEs for potential remediation in a future release if requested by a customer.
Regular Updates
For the duration of contractual obligations, LILT shall deliver Docker image updates to the Customer’s technical team every twelve weeks. The Customer shall be responsible for system upgrades using these assets.External Dependencies
External dependencies shall be used as-is, but shall also be scanned prior to delivery. LILT shall regularly review external dependencies to best mitigate CVEs.Development Process
In order to ensure release of the safest, highest-quality code, the LILT development follows the below process.Development
A developer from LILT’s technical team assesses the product requirements for a feature. Thereafter, the developer begins software development in a branch off of themain
coding branch of the relevant repository. LILT has multiple code repositories, one for each major section of the LILT architecture.
Code Review and Unit Testing
Before code is merged back into amain
branch, the author of the code opens a pull request on LILT’s Github instance.
Unit and integration tests are automatically performed on our CI/CD instance, Jenkins which runs on LILT servers. The results of the tests are then automatically displayed in the pull request with a green check mark indicating tests successfully passed.
When tests are passed, LILT’s configuration requires both AI and human review of the code, or an area expert is selected if the code is particularly sensitive. The code is not merged into the main
branch until peer reviewers manually approve the request.