Introducing Scanfrog: Dodge Container Vulnerabilities
Data¹ shows that the most important factor in improving an organization’s security posture is whether each dimension of security is measured in the form of a retro arcade game.
And that’s exactly what led to the creation of scanfrog: a Frogger-style terminal game that visualizes container vulnerabilities discovered by Grype, a free and open-source vulnerability scanner. Scanfrog takes vulnerability management to the next level by literally creating a new level (in the game), derived entirely from the results of vulnerability scanning a given container image.

You begin the game as a cute little frog at the bottom of your terminal, and your mission is to cross the road to reach the finish line without killing the frog. Each vulnerability from the container image is represented as an obstacle driving down one of the traffic lanes. The vulnerability’s severity determines which kind of obstacle it becomes: from slow-moving bicycles, to cars, all the way up to super-fast (blinking) T-rexes. If one of these obstacles hits you before you’ve reached the finish line, you die. Sorry! But at least you get to see what it was that killed you, with a clickable link to the vulnerability information.
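
To make the severity-to-obstacle idea concrete, here is an added sketch (not Scanfrog's own code) that reads Grype's JSON report and turns each match into an obstacle record. The mapping table, the function names and the sample report are assumptions made for illustration; only the `matches`, `vulnerability` and `artifact` fields come from Grype's JSON output.

```python
import json
from collections import Counter

# Constructed sample: the subset of `grype <image> -o json` fields used below.
# IDs, package names and URLs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "dataSource": "https://example.invalid/CVE-0000-0001"},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                       "dataSource": "https://example.invalid/CVE-0000-0002"},
     "artifact": {"name": "exampled", "version": "0.9"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0004"},  # severity missing
     "artifact": {"name": "exampled", "version": "0.9"}},
]})

# Assumed mapping: the post only says that severity picks the obstacle,
# ranging from bicycles through cars to T-rexes.
OBSTACLE_BY_SEVERITY = {
    "negligible": "bicycle", "low": "bicycle",
    "medium": "car", "high": "car",
    "critical": "t-rex",
}

def build_level(grype_json: str) -> list[dict]:
    """Turn each Grype match into one obstacle record."""
    obstacles = []
    for match in json.loads(grype_json).get("matches") or []:
        vuln = match.get("vulnerability") or {}
        artifact = match.get("artifact") or {}
        severity = (vuln.get("severity") or "Unknown").lower()
        obstacles.append({
            "id": vuln.get("id", "unknown"),
            "package": f"{artifact.get('name', '?')}@{artifact.get('version', '?')}",
            "severity": severity,
            # Unrated findings still get a lane instead of being dropped.
            "obstacle": OBSTACLE_BY_SEVERITY.get(severity, "car"),
            "link": vuln.get("dataSource", ""),
        })
    return obstacles

def difficulty(level: list[dict]) -> Counter:
    """Count obstacles per kind; an empty Counter means a clean image."""
    return Counter(o["obstacle"] for o in level)

if __name__ == "__main__":
    print(difficulty(build_level(SAMPLE_REPORT)))
```

The same per-severity count works as a CI gate: fail the build when the number of high-severity obstacles exceeds what you are prepared to dodge.
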
How difficult is the game? Well, that’s up to you. If you’re looking for an easy victory, you can scan an image where most or all of the vulnerabilities have been eradicated by the time you scan it. In fact, so far I’ve found Chainguard Containers to be frustratingly boring. On the other hand, if you’re looking for a challenge, there are plenty of other container images out there that are a treasure trove of challenging, sometimes impossible Scanfrog levels, overrun with sometimes thousands of obstacles!
I originally created this game just to be silly. But the metaphor turned out to be better than I initially thought… Having more software vulnerabilities running in your production environment might be okay? If you can manage to dodge them all? But that’s a fairly large “if”. And the feat of avoiding exploitation becomes remarkably easier when you start out with orders of magnitude fewer vulnerabilities to contend with in the first place.
Anyway, this game is just the beginning. Building secure software is hard work that deserves a certain level of fun to complement it and help sustain us. I would be overjoyed to see more security-focused games pop up in the community.
In the meantime, the first release of Scanfrog is now available: v0.1.0. Please enjoy! Feedback and contributions are always welcome: https://github.com/luhring/scanfrog.
1: No data found.