I was wondering when security scans are run? Is it when we visit the dashboard, or automatically when images change? If the latter, is there a notification that happens if a vulnerability is found?
Security Scans are run on demand, i.e. when you visit the Security Scans tab within an App in the dashboard or when you click the “Re-run report” button within that tab. As a result, we do not currently have a system in place to notify you if you deploy an image with vulnerabilities or if a new one arises, nor do we store the historic results.
If you are interested in features like this, a tool like AWS ECR automatically scans all images and can be configured to send notifications. It’s a popular choice for storing Docker images deployed on Aptible.
The main benefit, and the reason we offer Security Scans, is so users can run ad-hoc scans against Dockerfile-deployed Apps, since the image used by these Apps isn’t available anywhere except Aptible, which means users are unable to access the image in order to perform scans themselves. If you are using Dockerfile deployment, you’ll have to switch to direct Docker image deployment in order to properly scan the images you’re deploying.
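The answer above points to ECR as the way to get automatic scans plus notifications. As an added example (not code from Aptible, AWS, or the original post), the block below shows what that notification path looks like in practice: ECR publishes an "ECR Image Scan" event to EventBridge when a scan finishes, an EventBridge rule with an event pattern selects those events, and a target (for example an SNS topic) delivers the message. The block contains the rule's event pattern, a minimal matcher that applies it, and the severity gate a practitioner would put in front of the notification so that a scan with only MEDIUM findings does not page anyone. The repository names, account ID, digests and finding counts are constructed for illustration, and the choice of CRITICAL/HIGH as the alerting threshold is an assumption.

```python
"""Added example: gating ECR scan-complete events before notifying.

Not Aptible's or AWS's code. Sample events are constructed in the documented
"ECR Image Scan" event shape; repository names, account ID and digests are
placeholders.
"""

# Event pattern for the EventBridge rule. Only completed scans are matched;
# a FAILED scan must not be mistaken for a clean image, so it is excluded here
# and would get its own rule if you want to know about scanner outages.
ECR_SCAN_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {"scan-status": ["COMPLETE"]},
}

# Assumption: only these severities warrant an alert; lower ones are tracked
# elsewhere but do not generate a notification.
ALERT_SEVERITIES = ("CRITICAL", "HIGH")


def matches_pattern(pattern, event):
    """Subset of EventBridge pattern semantics sufficient for this rule:
    every key in the pattern must exist in the event; a list means the event
    value must equal one of the listed literals, a dict means recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def alert_counts(event, severities=ALERT_SEVERITIES):
    """Return {severity: count} for alert-worthy severities with a non-zero
    count. A scan with no findings omits finding-severity-counts entirely."""
    counts = event.get("detail", {}).get("finding-severity-counts", {})
    return {s: counts[s] for s in severities if counts.get(s, 0) > 0}


def should_notify(event):
    """True only for a completed scan that has at least one alert-worthy finding."""
    return matches_pattern(ECR_SCAN_PATTERN, event) and bool(alert_counts(event))


def notification_message(event):
    """Message body for the notification target, or None when nothing is sent."""
    if not should_notify(event):
        return None
    d = event["detail"]
    tags = ",".join(d.get("image-tags", [])) or "<untagged>"
    findings = ", ".join(f"{s}={n}" for s, n in alert_counts(event).items())
    return f"ECR scan of {d['repository-name']}:{tags} ({d['image-digest']}) found {findings}"


def _event(status, repo, tags, counts=None):
    """Build a constructed ECR Image Scan event (placeholder account/digest)."""
    detail = {
        "scan-status": status,
        "repository-name": repo,
        "image-digest": "sha256:" + "0" * 64,
        "image-tags": tags,
    }
    if counts is not None:
        detail["finding-severity-counts"] = counts
    return {
        "version": "0",
        "detail-type": "ECR Image Scan",
        "source": "aws.ecr",
        "account": "123456789012",
        "region": "us-east-1",
        "resources": [f"arn:aws:ecr:us-east-1:123456789012:repository/{repo}"],
        "detail": detail,
    }


# Constructed sample events.
SCAN_WITH_CRITICALS = _event("COMPLETE", "web", ["v1.4.2"], {"CRITICAL": 2, "HIGH": 5, "MEDIUM": 9})
SCAN_MEDIUM_ONLY = _event("COMPLETE", "worker", ["latest"], {"MEDIUM": 3, "LOW": 1})
SCAN_FAILED = _event("FAILED", "web", ["v1.4.2"])

if __name__ == "__main__":
    for ev in (SCAN_WITH_CRITICALS, SCAN_MEDIUM_ONLY, SCAN_FAILED):
        print(ev["detail"]["repository-name"], "->", notification_message(ev))
```

In a real deployment the pattern is what you pass to `aws events put-rule --event-pattern`, the target is attached with `aws events put-targets`, and scan-on-push is enabled per repository with `aws ecr put-image-scanning-configuration`; the severity gate then lives in whatever consumes the event (a Lambda in front of the topic, or the recipient's own filter). Because ECR re-scans images when its vulnerability database changes, the same path also covers the "new vulnerability arises later" case the question asks about, which is exactly what an on-demand dashboard scan cannot do.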