Errors Troubleshooting in ImageScan Agent

The environment page of Container Registries and Kubernetes clusters shows information about their agents' status.

Error Messages in Agent Status

The agent status can show these error messages:

Note - In the above examples, the default values for namespace and release-name are checkpoint and asset-mgmt, respectively.

Image Scan Status

The Scan Status of an image is shown on the Images page (Workload Protection > Container Assets > Images) and on the image details page.

See the table below for all statuses.

| Scan Status | Description | Corrective Action |
|---|---|---|
| Scanned | The image is successfully scanned. | |
| Pending Scan | The image is waiting to be scheduled for a scan. Applicable to Fargate images: No matching image scans are found for the Fargate image. | |
| Partial | Scan results are partial; the image will be scheduled for rescanning. | |
| Unsupported OS | The image operating system is not supported (for example, Windows is not supported). | |
| Unmatched | Applicable to ECS images: No matching image scans were found for the ECS task image. | |
| Not an image | An artifact found in the registry is not an image (for example, a Helm chart). | |
| Network Error | Unable to create a connection to scanning services, possibly because of a firewall or a proxy. | Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. |
| Unauthorized | Failed on one of these: 1. Failed to authenticate with CloudGuard. 2. Failed to authenticate with the container registry (for example, because of expired credentials). 3. Failed to verify CloudGuard certificate, possibly because of the firewall/proxy. | Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. If the image is from a container registry environment, follow the procedure for Error 2 of Error Messages in Agent Status. |
| Insufficient resources | The image is too large to be scanned, or no space is left on your host machine. | The maximum allowed image size is 20 GB. If you need to scan larger images, contact Check Point Support Center. If the image size is less than 20 GB, examine the space left on your cluster machine. |
| Timeout | Timeout on pulling the image to be scanned. | Examine your network connectivity on the cluster and try to increase the image pull timeouts by setting the environment variables. See the Central Agent Environment Variables section in Image Assurance Troubleshooting. |
| Internal Error | An unknown error has occurred. The image will be rescheduled for a scan. | Review the imagescan-engine logs, identify the engine container reporting errors and the node running it. Examine the container metrics. If it reaches memory limits, increase the limits. If the node's memory utilization is high, increase the memory requests of the container. Examine the free disk space of the node. For ECS scanning environments, examine the ephemeral storage of the task (the default is 20 GB). If the problem continues, contact Check Point Support Center. |
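
One way to run the Internal Error checks for Kubernetes clusters over a saved pod listing, as an added example that is not CloudGuard's own tooling: it flags engine pods that were OOM-killed or evicted and names the node each ran on. It assumes the engine pod names contain `imagescan-engine` and that the agent runs in the default `checkpoint` namespace; the sample pod, node and container names are constructed.

```python
import json
import sys
from pathlib import Path

ENGINE = "imagescan-engine"  # assumption: engine pod names contain this string

def triage(pod_list):
    """Flag engine pods that were OOM-killed or evicted, with the node they ran on."""
    findings = []
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        if ENGINE not in name:
            continue
        spec, status = pod.get("spec", {}), pod.get("status", {})
        node = spec.get("nodeName", "<unscheduled>")
        # Evicted pods carry the exhausted resource (e.g. ephemeral-storage) in message.
        if status.get("reason") == "Evicted":
            findings.append((node, name, "evicted", status.get("message", "")))
        limits = {c["name"]: c.get("resources", {}).get("limits", {}).get("memory")
                  for c in spec.get("containers", [])}
        for cs in status.get("containerStatuses", []):
            reasons = {(cs.get(k, {}).get("terminated") or {}).get("reason")
                       for k in ("state", "lastState")}  # current and previous run
            if "OOMKilled" in reasons:
                detail = f"{cs['name']} OOMKilled, memory limit {limits.get(cs['name'])}"
                findings.append((node, name, "oom", detail))
    return findings

def _pod(name, node, limit, last_reason=None, evicted_msg=None):
    """Constructed pod object holding only the fields triage() reads."""
    last = {"terminated": {"reason": last_reason}} if last_reason else {}
    status = {"containerStatuses": [{"name": "engine", "lastState": last}]}
    if evicted_msg:
        status = {"phase": "Failed", "reason": "Evicted", "message": evicted_msg}
    ctr = {"name": "engine", "resources": {"limits": {"memory": limit}}}
    return {"metadata": {"name": name}, "status": status,
            "spec": {"nodeName": node, "containers": [ctr]}}

SAMPLE = {"items": [  # constructed sample; all names are made up
    _pod("asset-mgmt-imagescan-engine-aaaaa", "node-a", "2Gi", "OOMKilled"),
    _pod("asset-mgmt-imagescan-engine-bbbbb", "node-b", "2Gi",
         evicted_msg="The node was low on resource: ephemeral-storage."),
    _pod("asset-mgmt-imagescan-engine-ccccc", "node-c", "2Gi"),
    _pod("other-app-ddddd", "node-a", "1Gi", "OOMKilled"),
]}

if __name__ == "__main__":  # optional argument: file with the saved pod listing
    data = json.loads(Path(sys.argv[1]).read_text()) if sys.argv[1:] else SAMPLE
    for row in triage(data):
        print("\t".join(row))
```

To run it against a cluster, save the listing with `kubectl -n checkpoint get pods -o json > pods.json` and pass `pods.json` as the argument; without an argument it prints the findings for the constructed sample.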
