Unanswered

Vulnerability scanning of AOT packages for FinOps

Posted on 25 Jan 2023 23:35:31 by 5

Hi,

I'm looking for some guidance please on vulnerability scanning of AOT packages for our new Finance & Operations (SaaS) implementation (NB: I'm relatively new to F&O build processes).

As part of our project, we will be developing customisation code that will be built on a Tier 1 environment and then deployed to other environments using LCS. 

My understanding is that the build agent will be creating an AOT package (zip file containing a variety of scripts & binaries). Our organisation has a requirement that all build artifacts are scanned for vulnerabilities before they are deployed. 

So my question is: Are there any scanning tools (X-Ray, CheckMarx etc.) that are able to scan these packages?

NB: We will be using the best-practices code checker prior to build, but I don't know whether that will be sufficient for our cyber team. 

Thanks!

Tim

  • André Arnaud de Calavon
    292,884 Super User 2025 Season 1 on 19 Feb 2023 at 23:24:14
    RE: Vulnerability scanning of AOT packages for FinOps

    Hi Tim,

    I'm not aware of the tools you mentioned. Maybe you can test it and I would be more than happy to learn about the results.

  • tim_aemo
    5 on 16 Feb 2023 at 23:03:04
    RE: Vulnerability scanning of AOT packages for FinOps

    Apologies for the late reply.... We have a policy that all code is vulnerability scanned to make sure no security issues are exposed by custom code.

    We use CheckMarx and X-Ray to scan other binaries that are built by our CI/CD pipelines.

  • Sukrut Parab
    71,682 Moderator on 26 Jan 2023 at 23:47:05
    RE: Vulnerability scanning of AOT packages for FinOps

    Agree with Andre, never heard of the scanning for vulnerabilities in packages. What's the objective and what's the expected outcome after checking those?

  • André Arnaud de Calavon
    292,884 Super User 2025 Season 1 on 26 Jan 2023 at 22:56:02
    RE: Vulnerability scanning of AOT packages for FinOps

    Hi Tim,

    I can understand the concerns. I haven't heard of a vulnerability process before. There are some topics to be aware of.

    1) If you have a build pipeline, you can directly add the package to LCS, without user interaction.

    2) A deployable package deployment will follow a runbook process which only takes the files that are part of an F&O build. If the deployable package (zip file) is not according to the expectations, it will not be accepted to be installed.
