
Introducing Scanfrog: Dodge Container Vulnerabilities

Dan Luhring, Staff Software Engineer

Data[1] shows that the most important factor in improving an organization’s security posture is whether each dimension of security is measured in the form of a retro arcade game.


And that’s exactly what led to the creation of scanfrog: a Frogger-style terminal game that visualizes container vulnerabilities discovered by Grype, a free and open-source vulnerability scanner. Scanfrog takes vulnerability management to the next level by literally creating a new level (in the game), derived entirely from the results of vulnerability scanning a given container image.



You begin the game as a cute little frog at the bottom of your terminal, and your mission is to cross the road to reach the finish line — without killing the frog. Each vulnerability from the container image gets represented as an obstacle driving down one of the traffic lanes. The vulnerability’s severity determines which kind of obstacle it becomes. From slow-moving bicycles, to cars, all the way up to super-fast (blinking) t-rexes. If one of these obstacles hits you before you’ve reached the finish line, you die. Sorry! But at least you get to see what it was that killed you, with a clickable link to the vulnerability information.
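To make the "each finding becomes an obstacle" idea concrete, here is an added example (not Scanfrog's own code) that turns a Grype JSON report into a list of obstacles. The severity-to-obstacle mapping and speeds are assumptions chosen for illustration, and the report below is constructed, not a real scan result.

```python
import json
from dataclasses import dataclass

# Assumed mapping: Grype severity -> (obstacle kind, lane speed in cells per tick).
# Illustrative tuning only; Scanfrog's real mapping may differ.
OBSTACLE_BY_SEVERITY = {
    "Critical": ("t-rex", 4),
    "High": ("car", 3),
    "Medium": ("car", 2),
    "Low": ("bicycle", 1),
    "Negligible": ("bicycle", 1),
    "Unknown": ("bicycle", 1),
}


@dataclass(frozen=True)
class Obstacle:
    vuln_id: str   # e.g. a CVE or GHSA id from the report
    package: str   # "name@version" of the affected artifact
    kind: str
    speed: int
    link: str      # dataSource URL, shown when the obstacle hits the frog


def build_level(grype_json: str) -> list:
    """Build one obstacle per match in a Grype report (`grype <image> -o json`)."""
    report = json.loads(grype_json)
    obstacles = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        kind, speed = OBSTACLE_BY_SEVERITY.get(vuln.get("severity", "Unknown"), ("bicycle", 1))
        obstacles.append(Obstacle(
            vuln_id=vuln["id"],
            package=f"{art['name']}@{art['version']}",
            kind=kind,
            speed=speed,
            link=vuln.get("dataSource", ""),
        ))
    # Fastest obstacles first, so the hardest lanes sit nearest the finish line.
    return sorted(obstacles, key=lambda o: o.speed, reverse=True)


# Constructed sample in the shape Grype emits; ids and URLs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Low", "dataSource": "https://example.invalid/1"},
     "artifact": {"name": "libfoo", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical", "dataSource": "https://example.invalid/2"},
     "artifact": {"name": "libbar", "version": "2.3.4"}},
    {"vulnerability": {"id": "GHSA-xxxx-yyyy-zzzz", "severity": "High", "dataSource": "https://example.invalid/3"},
     "artifact": {"name": "baz", "version": "0.9"}},
]})
```

Running `build_level` on a scan of a near-zero-CVE image returns an almost empty list, which is the "frustratingly boring" level described below.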


How difficult is the game? Well, that’s up to you. If you’re looking for an easy victory, you can scan an image where most or all of the vulnerabilities have been eradicated by the time you scan it. In fact, so far I’ve found Chainguard Containers to be frustratingly boring. On the other hand, if you’re looking for a challenge, there are plenty of other container images out there that are a treasure trove of challenging, sometimes impossible Scanfrog levels, overrun with sometimes thousands of obstacles!


I originally created this game just to be silly. But the metaphor turned out to be better than I initially thought… Having more software vulnerabilities running in your production environment might be okay? If you can manage to dodge them all? But that’s a fairly large “if”. And the feat of avoiding exploitation becomes remarkably easier when you start out with orders of magnitude fewer vulnerabilities to contend with in the first place.


Anyway, this game is just the beginning. Building secure software is hard work that deserves a certain level of fun to complement it and help sustain us. I would be overjoyed to see more security-focused games pop up in the community.


In the meantime, the first release of Scanfrog is now available: v0.1.0. Please enjoy! Feedback and contributions are always welcome: https://github.com/luhring/scanfrog.


1: No data found.
