I’m installing and testing Deepfence’s ThreatMapper for the first time, an open-source Cloud Native Application Protection Platform (CNAPP), to test it against some use cases and understand it a bit better.
Modules tested
- Cloud Security Posture (CSPM) in AWS (CIS Benchmarks, NIST, etc. compliance scanning)
- I found this module not very worthwhile: it sets up an ECS task for reasons I don’t understand, which costs money (I let it run for 4 days and it cost me around $15 USD), and we can simply run Prowler for the exact same purpose.
- Linux Security Posture - Configuration assessment
- Internal Vulnerability scans on Linux Hosts
- Secret Scanning (Great feature, but I’ve had issues making it work) - Very interesting feature
- Malware Scanning (Same issue happening) - Very interesting feature
- Public container registry security scan (I’m having a hard time understanding how to specify Docker images and namespaces) - Very interesting feature
Architecture & Deployment
- Platform: Proxmox
- Amazon Web Services: ECS task (As per Deepfence’s documentation for AWS cloud scanners)
- Networking: Cloudflare Tunnels | Tried a Tailscale overlay network but didn’t have success running it in the same AWS ECS task, so I wasn’t able to establish private communication between the AWS ECS cloud scanner ↔ Deepfence Web Console
- Linux Agent Scanner: Another Debian 12 VM
Terraform Issues
Had to modify the Terraform template with an updated AWS provider version. Everything went smoothly from there:
terraform {
  required_providers {
    # Version constraint lives here; "version" inside a provider block is deprecated since Terraform 0.13
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}
provider "aws" {
  # AWS region, for example: us-east-1
  region = "us-east-1"
}
ERRORS & ISSUES
The Secret Scanner on the Copilot host always fails with errors. Inspecting the logs: