Vulnerability Management
Secure your Cloud Development Environment with comprehensive vulnerability scanning, patch management, and security hardening strategies.
CDE Security Landscape
Cloud Development Environments introduce unique security considerations - from shared infrastructure to ephemeral workspaces.
Container Images
Base images, dependencies, and build layers require continuous scanning
Network Exposure
Remote access, port forwarding, and ingress controls create attack surfaces
Multi-Tenant Risks
Shared infrastructure requires isolation and resource boundary enforcement
Ephemeral State
Short-lived workspaces need security checks at creation time
Vulnerability Scanning Strategy
Multi-layered scanning approach to catch vulnerabilities at every stage of the CDE lifecycle.
Scanning Pipeline Integration
Template Scan
Scan Terraform templates and base images before publishing
Build-Time Scan
CI/CD integration catches issues during workspace image builds
Runtime Scan
Continuous scanning of running workspaces for new CVEs
Dependency Scan
SCA scans of project dependencies in source code
Vulnerability Scanning Tools
| Tool | Type | Best For | CDE Integration |
|---|---|---|---|
| Trivy | Container/IaC Scanner | Comprehensive, fast, open-source | Native |
| Snyk | SCA/Container/IaC | Developer-friendly, fix suggestions | Plugin |
| Grype | Container Scanner | Fast CLI scanning, SBOM integration | Native |
| Checkov | IaC Scanner | Terraform, Kubernetes policies | CI/CD |
| Clair | Container Scanner | Registry integration, API-driven | API |
name: Scan CDE Templates
on:
push:
paths: ['templates/**']
schedule:
- cron: '0 6 * * *' # Daily at 6 AM
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
scan-ref: 'templates/'
severity: 'CRITICAL,HIGH'
exit-code: '1'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Scan container images in templates
run: |
for dockerfile in templates/*/build/Dockerfile; do
trivy image --severity HIGH,CRITICAL \
--exit-code 1 \
$(grep "^FROM" $dockerfile | head -1 | awk '{print $2}')
done
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'CDE Patch Management
Structured approach to keeping workspace templates and running environments up to date.
Template Patching Strategy
Weekly Base Image Updates
Rebuild templates weekly with latest base images
Critical CVE Response
24-hour SLA for critical vulnerabilities
Staged Rollout
Dev -> Staging -> Prod template promotion
Developer Notification
Alert developers to recreate workspaces
Running Workspace Updates
Ephemeral by Default
Set workspace TTL to 24-48 hours for automatic refresh
Deprecation Notices
Notify users of outdated workspace versions
Force Recreation
Block workspaces older than max age (7-14 days)
In-Place Updates
Security-only apt/yum updates via startup scripts
Patch SLA Matrix
| Severity | CVSS Score | Template Update | Workspace Refresh | Communication |
|---|---|---|---|---|
| Critical | 9.0 - 10.0 | 24 hours | 48 hours (forced) | Immediate + Slack/Email |
| High | 7.0 - 8.9 | 72 hours | 7 days (reminder) | Daily digest |
| Medium | 4.0 - 6.9 | 7 days | Next workspace rebuild | Weekly report |
| Low | 0.1 - 3.9 | Next scheduled update | Natural refresh cycle | Monthly report |
Workspace Hardening Checklist
Security controls to implement in your CDE templates and runtime configuration.
Container Security
- Run as non-root user (UID 1000+)
- Drop all capabilities, add only needed
- Read-only root filesystem
- No privileged mode
- Seccomp/AppArmor profiles
Network Security
- Network policies (deny by default)
- Egress filtering to allowed domains
- mTLS for service communication
- No hostNetwork access
- Encrypted tunnel for remote access
Resource Limits
- CPU/Memory limits and requests
- Ephemeral storage limits
- PID limits per container
- ResourceQuotas per namespace
- LimitRanges for defaults
Access Control
- SSO/OIDC authentication
- RBAC with least privilege
- Session timeout (8 hours max)
- MFA required for access
- Audit logging enabled
Image Security
- Signed images only (Cosign/Notary)
- Private registry only
- No :latest tags in production
- SBOM generation for images
- Image pull secrets rotated
Data Protection
- Encrypted persistent volumes
- No sensitive data in env vars
- Workspace data wiped on delete
- PVC retention policies
- No code on local disk
Secrets Management in CDEs
Secure injection and management of credentials, API keys, and sensitive configuration.
Recommended Practices
-
External Secrets Operator
Sync secrets from Vault/AWS Secrets Manager to K8s
-
Short-lived credentials
Use OIDC federation for cloud access (no static keys)
-
Secrets mounted as files
More secure than environment variables
-
Per-user/per-workspace secrets
Inject user-specific credentials at workspace creation
-
Automatic rotation
Rotate secrets every 90 days minimum
Anti-Patterns to Avoid
-
Secrets in template code
Never hardcode credentials in Terraform/Dockerfiles
-
Shared service accounts
Each developer should have unique credentials
-
Long-lived API keys
Prefer temporary tokens with automatic expiration
-
Secrets in workspace backup
Exclude credential files from PVC snapshots
-
Secrets in Git history
Use pre-commit hooks to prevent accidental commits
# External Secrets for Vault integration
resource "kubernetes_manifest" "workspace_secrets" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "workspace-${data.coder_workspace.me.name}-secrets"
namespace = var.namespace
}
spec = {
refreshInterval = "1h"
secretStoreRef = {
name = "vault-backend"
kind = "ClusterSecretStore"
}
target = {
name = "workspace-secrets"
}
data = [
{
secretKey = "npm_token"
remoteRef = {
key = "secret/data/dev/${data.coder_workspace_owner.me.name}"
property = "npm_token"
}
},
{
secretKey = "github_token"
remoteRef = {
key = "secret/data/dev/${data.coder_workspace_owner.me.name}"
property = "github_token"
}
}
]
}
}
}
# Mount secrets in workspace pod
resource "kubernetes_pod" "workspace" {
# ... other config ...
spec {
container {
volume_mount {
name = "secrets"
mount_path = "/run/secrets"
read_only = true
}
}
volume {
name = "secrets"
secret {
secret_name = "workspace-secrets"
}
}
}
}Compliance & Audit Readiness
Ensure your CDE meets regulatory requirements with comprehensive audit trails and compliance controls.
CDE Compliance Requirements by Framework
| Control Area | SOC 2 | HITRUST | GDPR | FedRAMP |
|---|---|---|---|---|
| Access Control & MFA | ||||
| Audit Logging | ||||
| Encryption at Rest | ||||
| Vulnerability Scanning | ||||
| Data Retention Policy | ||||
| Incident Response |
Required Audit Events
Log Retention Requirements
Continue Your Security Journey
Explore related guides to build a comprehensive CDE security strategy.