Scanning software for vulnerabilities
Before you install instances of software from the IBM Cloud® catalog, you might want to complete a vulnerability assessment on the contents of the software and its associated images. By doing so, you can reduce the probability of security threats and unauthorized access to systems.
Before you begin
You need to install the IBM Cloud CLI. For more information, see Getting started with the IBM Cloud CLI.
Scanning software for vulnerabilities
To scan for software vulnerabilities, you need to use the IBM Cloud CLI after you select your software from the catalog.
- From the IBM Cloud catalog, select the software.
- Click View details on the software's product page.
- Copy the Catalog source URL.
- Run the ibmcloud login command to log in to the CLI:

  ibmcloud login

  If you're logging in with a federated ID, run the ibmcloud login --sso command. For more information, see Logging in with a federated ID.
- Run the ibmcloud iam oauth-tokens command to retrieve your access token. If you're working with OVA images, you can skip this step.

  ibmcloud iam oauth-tokens

  The following truncated example shows a retrieved token.

  IAM token: Bearer eyJraWQiOiIyM...
- Copy the access token.
- Run the curl command with the software's source URL and your access token to download the source package. The filename is what you want to name the file on your computer.

  curl --location --request GET '<source URL>' --header 'Authorization: bearer <token>' -o <filename>
- Use a vulnerability scanning tool of your choice to scan the downloaded contents of the software and associated images for any issues.
After you run the scan and address any reported issues, you can return to the console and install the software.
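The steps above collected into one script, as an added example that is not part of IBM's documentation: it parses the `IAM token:` line that `ibmcloud iam oauth-tokens` prints (the format shown above), fails closed if no token is found or the download returns an HTTP error, and records a checksum before handing the file to a scanner. The SCANNER variable, the default output file name and the `looks_like_jwt` sanity check (IAM access tokens are JWTs) are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example, not IBM's own script. Assumes you are already logged in
# with `ibmcloud login`; SCANNER is a placeholder for the scanning tool
# of your choice; the Catalog source URL is passed as the first argument.
set -eu

# Extract the raw token from the text that `ibmcloud iam oauth-tokens`
# prints, e.g. "IAM token:  Bearer eyJraWQiOiIyM...". Prints the token
# without the "Bearer " prefix and returns 1 if no such line exists.
extract_iam_token() {
    token=$(printf '%s\n' "$1" \
        | sed -n 's/^IAM token:[[:space:]]*Bearer[[:space:]]*//p' | head -n 1)
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Sanity check: an IAM access token is a JWT (three dot-separated base64url
# parts), so an error message is never sent as the Authorization header.
looks_like_jwt() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Download the source package at $1 to $2 with the token in $3.
# --fail makes curl exit non-zero on an HTTP error instead of saving the error body.
download_source() {
    url=$1; out=$2; token=$3
    curl --silent --show-error --fail --location --request GET "$url" \
        --header "Authorization: bearer $token" -o "$out"
}

main() {
    url=$1; out=${2:-software-source.tgz}   # default file name is an assumption
    token=$(extract_iam_token "$(ibmcloud iam oauth-tokens)")
    looks_like_jwt "$token" || { echo "unexpected token format" >&2; exit 1; }
    download_source "$url" "$out" "$token"
    # Record a checksum so the scan result can be tied to exactly this artifact.
    sha256sum "$out" | tee "$out.sha256"
    # SCANNER is a placeholder for your scanner; defaults to echo so the script is inert.
    "${SCANNER:-echo}" "$out"
}

# Run main only when a URL is given, so the functions can also be sourced.
if [ "${1:-}" != "" ]; then main "$@"; fi
```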