Vulnerability scanning of AOT packages for FinOps

Hi,

I'm looking for some guidance please on vulnerability scanning of AOT packages for our new Finance & Operations (SaaS) implementation (NB: I'm relatively new to F&O build processes).

As part of our project, we will be developing customisation code that will be built on a Tier 1 environment and then deployed to other environments using LCS. 

My understanding is that the build agent will be creating an AOT package (zip file containing a variety of scripts & binaries). Our organisation has a requirement that all build artifacts are scanned for vulnerabilities before they are deployed. 

So my question is: Are there any scanning tools (X-Ray, Checkmarx etc.) that are able to scan these packages?

NB: We will be using the best-practices code checker prior to build, but I don't know whether that will be sufficient for our cyber team. 

Thanks!

Tim

  • André Arnaud de Calavon (300,721, Super User 2025 Season 2)
    RE: Vulnerability scanning of AOT packages for FinOps

    Hi Tim,

    I can understand the concerns. I haven't heard of a vulnerability process before. There are some topics to be aware of.

    1) If you have a build pipeline, you can directly add the package to LCS, without user interaction.

    2) A deployable package deployment will follow a runbook process which only takes the files that are part of an F&O build. If the deployable package (zip file) is not as expected, it will not be accepted to be installed.

  • Sukrut Parab (71,710, Moderator)
    RE: Vulnerability scanning of AOT packages for FinOps

    Agree with Andre, never heard of scanning for vulnerabilities in packages. What's the objective and what's the expected outcome after checking those?

  • tim_aemo (13)
    RE: Vulnerability scanning of AOT packages for FinOps

    Apologies for the late reply... We have a policy that all code is vulnerability scanned to make sure no security issues are exposed by custom code.

    We use Checkmarx and X-Ray to scan other binaries that are built by our CI/CD pipelines.

  • André Arnaud de Calavon (300,721, Super User 2025 Season 2)
    RE: Vulnerability scanning of AOT packages for FinOps

    Hi Tim,

    I'm not aware of the tools you mentioned. Maybe you can test it and I would be more than happy to learn about the results.

  • Suggested answer
    AD-12051649-0 (4)
    Vulnerability scanning of AOT packages for FinOps

    Hi,

    Although it was a long time ago, I guess what you refer to here is a SAST tool for scanning the deployable packages on Azure DevOps pipelines. Maybe it's still useful for other people in a similar situation. One tool that can do this is Microsoft Security DevOps.

    You only need to bring it to your pipeline in a separate job (Job1=Scan, Job2=Build, which should be dependent on Job 1).
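The two-job layout described in the suggested answer, written out as an added Azure DevOps YAML example (not code from the original post or from Microsoft). The `MicrosoftSecurityDevOps@1` task and its inputs are assumed from the Microsoft Security DevOps extension documentation, so verify them against the installed extension version; job names, the build step and the artifact path are placeholders.

```yaml
# Added example: separate SAST job that gates the F&O build job.
# Task and input names for the Microsoft Security DevOps extension are
# assumed from its documentation; job names and paths are placeholders.
trigger:
  - main

pool:
  vmImage: 'windows-latest'

jobs:
  - job: Scan
    displayName: 'Job1: SAST scan of the custom model source'
    steps:
      - checkout: self
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Microsoft Security DevOps scan'
        inputs:
          categories: 'code'   # source analyzers only; the package does not exist yet
          break: true          # fail this job, and so block Job2, when findings are reported
          publish: true        # keep the SARIF results as a pipeline artifact for review
          artifactName: 'CodeAnalysisLogs'

  - job: Build
    displayName: 'Job2: build the deployable package'
    dependsOn: Scan
    condition: succeeded('Scan')   # never build if the scan failed or was skipped
    steps:
      - checkout: self
      # Placeholder for the existing F&O build tooling that compiles the
      # X++ models and produces the deployable package zip.
      - script: echo "compile X++ models and create the deployable package"
      - task: PublishBuildArtifacts@1
        inputs:
          PathtoPublish: '$(Build.ArtifactStagingDirectory)'   # placeholder package location
          ArtifactName: 'DeployablePackage'
```

Because `Build` depends on `Scan` and the scan task breaks on findings, the deployable package is only produced (and can only be uploaded to LCS) from a revision that passed the scan, and the published SARIF artifact gives the security team the evidence trail they asked for.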
