Skip to content

How to Choose a Scan Method#

This document explains the criteria for selecting the appropriate scan method for each managed target when using FutureVuls. Refer to the following links depending on what you want to scan.

Definition of Terms

The following terms are used to describe the scanning patterns using the FutureVuls scanner.

  • Scanner server: The server where the scanner is installed.
  • Target server: The server whose configuration the scanner collects.

Note that in a local scan, the "scanner server = target server," but in configurations such as remote scans using a relay server, the "scanner server ≠ target server."

Software Type and Scan Method Compatibility Table#

The flowcharts that follow explain how to narrow down a scan method based on the environmental conditions of your managed targets (such as whether they have internet access or whether a scanner can be installed). This section provides a reverse-lookup table for finding a scan method starting from "the type of software you want to monitor."

How to use this table

Find the type of software you want to manage and monitor in the left column, and check whether each scan method can detect it. ○ indicates supported and — indicates not supported. The text in parentheses describes usage conditions or supplementary notes.

Software Type
Description / Examples
Local
Scan
Remote
Scan
Paste
Scan
Docker
Scan (Trivy)
Docker
Scan (ECR/GAR)
CPE
Scan
Inspector
Integration
SBOM
Scan
WordPress
Scan
GitHub
Integration
Linux OS packages Packages managed by package managers such as rpm, deb, and apk
(inside container)

(EC2)
Windows KB (update programs) Update programs delivered via Windows Update in the KB~ format
(EC2)
Software not managed by Windows KB
(third-party products, etc.)
Software not covered by KB management. Examples: Chrome, Adobe Reader, Java Runtime, etc.
(CPE assignment*1)

(CPE assignment*1)

(CPE assignment*1)

*2

(CPE assignment*1)
Application dependency libraries Language libraries managed by a Lockfile. Examples: npm, pip, gem, Go, Rust, PHP, etc.
(specify Lockfile
in config.toml)

(specify Lockfile
in config.toml)

(paste Lockfile)

(extended scan)

(EC2/Lambda)
Network device firmware Network devices such as Cisco, Fortinet, and Palo Alto
(CPE assignment*1)
Commercial middleware Commercial products such as Oracle DB and JP1
Manually installed / compiled software Apache built from source, Tomcat downloaded and set up, etc.
OS packages and libraries inside container images Packages and dependency libraries included in a Docker image
WordPress core, plugins, and themes WordPress core, and enabled/disabled plugins and themes

*1 Only configuration information is collected. CPE assignment is required for vulnerability detection.

*2 Depends on the internal implementation of AWS Inspector.

Scanning Linux OS#

Selecting a Scan Method for Linux OS#

Use the following flowchart to select a scan method.

%%{
    init:{
        "flowchart":{
            "htmlLabels": true,
            "curve": "linear"
        }
    }
}%%

flowchart LR
  %% Style Definitions
  classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
  classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
  classDef cloudStyle fill:#ff6b3588,stroke:#ff6b35,stroke-width:2px
  classDef autoStyle fill:#66bb6a22,stroke:#66bb6a,stroke-width:2px
  classDef manualStyle fill:#ffa72622,stroke:#ffa726,stroke-width:2px

  A{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
  B{"Scanner can be installed<br>on a relay server<br>with SSH access"}:::decisionStyle
  C{"Amazon Inspector<br>enabled for EC2"}:::decisionStyle
  D{"Server SBOM<br>available"}:::decisionStyle

  Local["Local Scan"]:::scanStyle
  Remote["Remote Scan"]:::scanStyle
  Inspector["AWS Inspector Integration"]:::cloudStyle
  Paste["Paste Scan"]:::scanStyle
  SBOM["Register Server SBOM"]:::scanStyle

  A -- Yes -----> Local
  A -- No --> B
  B -- Yes ----> Remote
  B -- No --> C
  C -- Yes ---> Inspector
  C -- No --> D
  D -- Yes --> SBOM
  D -- No --> Paste

subgraph Auto[Configuration is updated automatically]
    Local
    Remote
    Inspector
end

subgraph Manual[Configuration must be updated manually]
    SBOM
    Paste
end

class Auto autoStyle
class Manual manualStyle

Comparison of Scan Methods for Targets Connected to the Internet#

If the JSON scan results can be uploaded to FutureVuls from the target server, the Local Scan method is recommended because it is easy to set up and only requires a one-time configuration. Even when OS packages are updated, the latest configuration is automatically synchronized with FutureVuls.

Scan Method Description Pros Points to Consider
Local Scan Install the scanner on each target server to perform scans. ・Easy installation (completed with a single command)
・Can acquire information about relevant processes
・Automatically reflects configuration changes (e.g., updates) on the screen
・Scanner program is auto-updated
Requires the scanner program to be placed on the server.
Remote Scan Install a scanner within the target network and scan target servers via SSH from the scanner. ・Can acquire information about relevant processes
・Automatically reflects configuration changes (e.g., updates) on the screen
・Can be used even if the scanner program cannot be placed on the server
・Any server reachable via SSH from the scanner can be scanned using SSH tunnels, etc.
・Can scan all servers in a network at once by specifying a CIDR range
More complex to set up than a local scan (requires definition in a separate configuration file)
Amazon EC2 Inspector Integration Import information of EC2 instances detected by Amazon Inspector into FutureVuls. Easy integration ・No need to install a scanner on the server (instance)
・Requires Amazon Inspector to be enabled
Server SBOM Import Register configuration by pasting an SBOM on the FutureVuls screen. Can detect vulnerabilities on servers in closed (air-gapped) networks. ・If configuration changes due to an update, the SBOM must be re-uploaded to update the configuration (see Updating SBOM Files. Task statuses can be synchronized between old and new using Task Copy)
・Less information is acquired compared to the scanner (e.g., process information like port listening is not available)
Paste Scan Register a list of packages by copy-pasting on the FutureVuls screen to detect CVEs. No impact on the managed server since no scanner is installed. ・The list of packages must be updated from the screen when the configuration changes due to an update
・Less information is acquired compared to the scanner (e.g., process information like port listening is not available)

Comparison of Scan Methods for Targets in a Closed Network#

Scan Method Description Pros Points to Consider
Paste Scan Register a list of packages by copy-pasting on the FutureVuls screen to detect CVEs. ・Can detect vulnerabilities on servers in closed (air-gapped) networks
・No scanner program required on the managed server
・The list of packages must be updated from the screen when the configuration changes due to an update
・Less information is acquired compared to the scanner (e.g., process information like port listening is not available)
Server SBOM Import Register configuration by pasting an SBOM on the FutureVuls screen. Can detect vulnerabilities on servers in closed (air-gapped) networks. ・If configuration changes due to an update, the SBOM must be re-uploaded to update the configuration (see Updating SBOM Files. Task statuses can be synchronized between old and new using Task Copy)
・Less information is acquired compared to the scanner (e.g., process information like port listening is not available)
Method to aggregate JSON scan results on one machine via NFS, etc., and upload to FutureVuls on its behalf 【FutureVuls Advanced】Remote Scanning Using NFS ・Can manage a group of servers in a closed (air-gapped) network as long as one machine can upload to FutureVuls
・The scanner program automatically synchronizes configuration, so there is no need to re-paste when the configuration changes, unlike the paste scan
・Requires setup of a server for aggregation, such as NFS

Scanning Windows OS#

Selecting a Scan Method for Windows OS#

Use the following flowchart to select a scan method.

%%{
    init:{
        "flowchart":{
            "htmlLabels": true,
            "curve": "linear"
        }
    }
}%%

flowchart LR
  %% Style Definitions
  classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
  classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
  classDef autoStyle fill:#66bb6a22,stroke:#66bb6a,stroke-width:2px
  classDef manualStyle fill:#ffa72622,stroke:#ffa726,stroke-width:2px

  A{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
  B{"Windows Update<br>Connection Method"}:::decisionStyle
  C{"Scanner can be installed<br>on a relay server<br>with SSH access"}:::decisionStyle
  D{"Windows Update<br>Connection Method"}:::decisionStyle

  Local["Local Scan"]:::scanStyle
  LocalWSUS["Local Scan<br>(WSUS)"]:::scanStyle
  Remote["Remote Scan"]:::scanStyle
  RemoteCab["Remote Scan<br>(Cab file)"]:::scanStyle
  Paste["Paste Scan"]:::scanStyle

  A -- Yes ----> B
    B -- No restrictions ---> Local
    B -- Managed by WSUS ---> LocalWSUS
  A -- No ----> C
  C -- Yes --> D
    D -- No restrictions --> Remote
    D -- Cab file --> RemoteCab
  C -- No ---> Paste

subgraph Auto[Configuration is updated automatically]
    Local
    LocalWSUS
    Remote
    RemoteCab
end

subgraph Manual[Configuration must be updated manually]
    Paste
end

class Auto autoStyle
class Manual manualStyle

Comparison of Scan Methods for Windows KBs#

Scan Method Windows Update Connection Method Pros Points to Consider Reference Links
Local Scan ・Internet
・WSUS
・Easy scanner installation and configuration
・Automatically synchronizes configuration
Scanner program needs to be placed on the target Windows machine.
Remote Scan ・Internet
・Cab file
・No need to place the scanner program on the target Windows machine
・Automatically synchronizes configuration
SSH must be configured on each target Windows machine. SSH connection information for the target needs to be defined in the configuration file. Remote Scanning for Windows
Connecting to Windows Server on EC2 via ssh
Paste Scan No connection ・Detect CVEs by copy-pasting a list of KBs on the FutureVuls screen
・Can manage Windows in closed (air-gapped, offline) environments
・No scanner program required on the managed server
If configuration changes due to a Windows update, the KB list must be manually updated from the screen.

How to Detect Vulnerabilities in Applications Installed on Windows#

FutureVuls provides configuration and vulnerability management for third-party software other than products managed as KBs. For applications installed on Windows, you can easily assign a CPE and start vulnerability management using the CPE auto-assignment feature or the CPE manual assignment (recommendation feature).

For details, see "CPE/PURL Assignment".

Scanning Containers#

Selecting a Container Scan Method#

Use the following flowchart to select a scan method.

%%{
    init:{
        "flowchart":{
            "htmlLabels": true,
            "curve": "linear"
        }
    }
}%%

flowchart LR
  %% Style Definitions
  classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
  classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
  classDef cloudStyle fill:#ff6b3588,stroke:#ff6b35,stroke-width:2px
  classDef autoStyle fill:#66bb6a22,stroke:#66bb6a,stroke-width:2px
  classDef manualStyle fill:#ffa72622,stroke:#ffa726,stroke-width:2px

  A{"CI/CD tool<br>is available"}:::decisionStyle
  B{"Container on AWS or GCP"}:::decisionStyle
  C{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
  D{"Container SBOM<br>available"}:::decisionStyle

  CICD["Trivy CI/CD Integration<br>(Container Image)"]:::scanStyle
  ECR["ECR Integration"]:::cloudStyle
  GAR["GAR Integration"]:::cloudStyle
  LocalTrivy["Trivy Local Scan<br>(Container Image)"]:::scanStyle
  SBOM["SBOM Import"]:::scanStyle

  A -- Yes -----> CICD
  A -- No --> B
  B -- Yes/AWS ----> ECR
  B -- Yes/GCP ----> GAR
  B -- No --> C
  C -- Yes ---> LocalTrivy
  C -- No --> D
  D -- Yes --> SBOM

subgraph Auto[Configuration is updated automatically]
    CICD
    ECR
    GAR
    LocalTrivy
end

subgraph Manual[Configuration must be updated manually]
    SBOM
end

class Auto autoStyle
class Manual manualStyle

Comparison of Container Scan Methods#

Scan Method Pros Points to Consider Reference Links
Trivy Integration
(CI/CD, Local)
・Can be integrated into CI/CD
・Supports environments other than AWS
A Trivy scan environment must be prepared and configured. Integrating Vulnerability Detection into AWS CodePipeline CI/CD with FutureVuls and Trivy
Amazon ECR /
GCP GAR External Integration
Setup only requires configuring the integration with AWS ECR or GCP GAR. ・OS packages and application dependency libraries without vulnerabilities are not imported into FutureVuls.
・For Amazon ECR external integration, basic scanning does not detect application library vulnerabilities, so using enhanced scanning is recommended.
SBOM Import Can be imported if an SBOM file is available, even without the image. ・Requires a dedicated tool for generating and managing SBOMs.
・SBOMs must be re-imported upon updates.

Scanning Application Dependency Libraries#

Selecting a Scan Method for Application Dependency Libraries#

When scanning dependency libraries on a host OS#

%%{
    init:{
        "flowchart":{
            "htmlLabels": true,
            "curve": "linear"
        }
    }
}%%

flowchart LR
    %% Style Definitions
    classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
    classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
    classDef pseudoStyle fill:#ffa72688,stroke:#ffa726,stroke-width:2px

    A{"CI/CD tool is available"}:::decisionStyle
    B{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
    C{"Application's<br>LOCK file is available"}:::decisionStyle
    D{"Application's<br>SBOM is available"}:::decisionStyle

    CICD["Trivy CI/CD Integration<br>(Dependency Library)"]:::scanStyle
    Local["Trivy Local Scan<br>(Dependency Library)<br>or<br>Scan with Vuls scanner<br>specifying a Lockfile"]:::scanStyle
    Lockfile["Pseudo-server<br>+<br>Register LOCK file"]:::pseudoStyle
    SBOM["Pseudo-server<br>+<br>Register SBOM"]:::pseudoStyle

    A -- Yes -----> CICD
    A -- No --> B
    B -- Yes ----> Local
    B -- No --> C
    C -- Yes ---> Lockfile
    C -- No --> D
    D -- Yes --> SBOM

When you want to scan Lockfiles or libraries on GitHub#

  • If you also want to scan Go binaries or Java jars, and manage libraries where no vulnerabilities have been detected
    • → Scan the Git repository with Trivy
  • Otherwise
    • GitHub Security Alerts integration

Others#

  • When you want to scan dependency libraries in an AWS environment
    • Import Amazon Inspector scan results
  • When you want to scan libraries in a container image
    • Dependency library scan within the container image by Trivy

Comparison of Scan Methods for Application Dependency Libraries#

Scan Method Scan Purpose Pros Points to Consider Reference Links
Scan libraries with Trivy Dependency libraries in a container image
Dependency libraries on a local file system
Remote Git repository
Can be integrated into CI/CD. Supports non-AWS environments. Also scans Go binaries and Java jar files. A Trivy scan environment must be prepared. How to Integrate into a CI/CD Pipeline
Scan dependency libraries in AWS environment with Amazon Inspector Amazon ECR
AWS Lambda
Dependency libraries on Amazon EC2
Easy setup in an AWS environment. No need for agents like SSM, Vuls, Trivy, etc. Libraries without vulnerabilities are not imported into FutureVuls.
Detection targets are limited. Check the supported programming languages for ECR, Lambda, and EC2. More information is available here.
Scanning Amazon EC2 Libraries with FutureVuls
Scan specifying a Lockfile with Vuls Scanner Scan Lockfiles on the host OS In environments where Vuls scanner is already set up, you only need to modify config.toml. The target Lockfiles and directories must be listed in config.toml.
Paste Scan When Lockfiles are in a closed network Lockfiles can be registered by copy-pasting on the screen. If a Lockfile is changed by an update, it must be updated by pasting it on the screen or via the REST API. Java is not supported.
GitHub Security Alerts Integration Scan Lockfiles and libraries in a Git repository Easy setup if you are using GitHub.
Application SBOM Import When Lockfiles are in a closed network SBOM can be registered by copy-pasting on the screen. Supports Java. If the SBOM is changed by an update, it must be re-registered or updated via the REST API. SBOM Import Specifications

Scanning Network Devices, Commercial Middleware, or Self-Compiled Software#

The CPE Scan feature allows you to scan for vulnerabilities in software other than OS or programming language-dependent libraries. Specific examples of scan targets include:

Scanning WordPress Plugins and Themes#

See WordPress Scan.