Amazon Inspector supports scanning of AWS Lambda functions and Lambda layers with Java, NodeJS and Python runtimes.
Need for vulnerability checks
Our code often depends on many packages installed through different package managers, and those packages can carry security vulnerabilities. Updating to a newer version may resolve a known issue, but you might still have dependencies that remain vulnerable. The best way to address this is to scan your codebase regularly to make sure there are no serious issues.
For serverless workloads specifically, until now we had to rely on a third-party tool for this kind of scanning, but now it's possible with Amazon Inspector.
First off, you would have to enable Inspector for your AWS Account.
Your first scan
Once enabled, Amazon Inspector needs a few minutes to scan your resources: Amazon EC2 instances, Amazon ECR images and now AWS Lambda functions and Lambda layers.
After Amazon Inspector has finished scanning, you can view the report on the Inspector dashboard.
[Fun Fact] As you can see, I don't have a single EC2 instance running on this AWS Account.
Inspector found that 9 of my Lambda functions had vulnerabilities at critical, high and medium severity levels.
If you click on one of the functions, you can see a summary of the vulnerabilities in that specific AWS Lambda function, including vulnerabilities introduced by an AWS Lambda layer it uses.
Let's dive into the finding
One of the vulnerabilities is in the axios NPM package.
The finding also gives details about the axios package: the affected version and the version that fixes it.
Inspector provides you the complete details of the vulnerability along with the link to National Vulnerability Database (NVD) report.
Alongside the details, you can also find how to fix it with the available remedy.
In this case, it's updating axios version.
To help gauge the severity of the vulnerability, both the National Vulnerability Database (NVD) score and the Inspector score are shown.
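The console walkthrough above is one function at a time. As an added example (not from the original post or from AWS), the Python helper below takes findings in the shape of the Inspector2 ListFindings API response, keeps only those attached to Lambda functions, and summarizes per function the counts by severity and the package upgrades the findings recommend, separating out findings that have no fixed version yet. The sample findings, ARNs, package versions and CVE ids are constructed placeholders.

```python
# Summarise Amazon Inspector findings that belong to AWS Lambda functions.
# Findings follow the shape of the Inspector2 ListFindings response; the sample
# below is constructed for illustration (ARNs, versions, CVE ids are placeholders).
from collections import Counter, defaultdict

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]
LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:orders-api"  # placeholder

SAMPLE_FINDINGS = [
    {   # vulnerable axios dependency in a Lambda function (placeholder CVE / versions)
        "vulnerabilityId": "CVE-0000-00000", "severity": "HIGH", "inspectorScore": 7.5,
        "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": LAMBDA_ARN}],
        "packageVulnerabilityDetails": {"vulnerablePackages": [
            {"name": "axios", "packageManager": "NPM", "version": "1.0.0", "fixedInVersion": "1.0.1"}]},
    },
    {   # second finding on the same function; no fix published yet, so fixedInVersion is absent
        "vulnerabilityId": "CVE-0000-00001", "severity": "MEDIUM", "inspectorScore": 5.3,
        "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": LAMBDA_ARN}],
        "packageVulnerabilityDetails": {"vulnerablePackages": [
            {"name": "lodash", "packageManager": "NPM", "version": "4.0.0"}]},
    },
    {   # an ECR image finding: same API, but out of scope for a Lambda report
        "vulnerabilityId": "CVE-0000-00002", "severity": "CRITICAL", "inspectorScore": 9.8,
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "placeholder-ecr-image-arn"}],
        "packageVulnerabilityDetails": {"vulnerablePackages": [
            {"name": "openssl", "packageManager": "OS", "version": "1.0.0"}]},
    },
]


def summarize_lambda_findings(findings):
    """Map each Lambda function ARN to severity counts, recommended upgrades and unfixable findings."""
    summary = defaultdict(lambda: {"by_severity": Counter(), "upgrades": [], "no_fix": []})
    for finding in findings:
        packages = finding.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
        for resource in finding.get("resources", []):
            if resource.get("type") != "AWS_LAMBDA_FUNCTION":
                continue  # EC2 / ECR findings come back from the same API; skip them here
            entry = summary[resource["id"]]
            entry["by_severity"][finding.get("severity", "UNTRIAGED")] += 1
            for pkg in packages:
                record = (pkg["name"], pkg.get("packageManager"), pkg.get("version"), pkg.get("fixedInVersion"))
                # A finding without fixedInVersion cannot be closed by an upgrade; track it separately
                (entry["upgrades"] if record[3] else entry["no_fix"]).append(record)
    return dict(summary)


def worst_severity(entry):
    """Highest severity present for one function, or None if it has no findings."""
    return next((s for s in SEVERITY_ORDER if entry["by_severity"].get(s)), None)
```

With real data, feed the function the concatenated `findings` lists from paginated `list_findings` calls on the `inspector2` client.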
Amazon Inspector is available as part of a 15-day free trial. For Lambda scans alone, there is a monthly charge based on the average number of Lambda functions scanned per month, and the price is prorated based on total Inspector coverage hours for the month.
More details on Amazon Inspector Pricing.
Now it's time to scan your Lambda functions and layers with Amazon Inspector.