Image Scan Findings

CloudGuard creates Image Assurance findings for KubernetesClosed Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. images based on the assigned policy.

The findings of the ImageScan category include events related to CVEs, packages, sensitive data, and malware. For them, you can receive an email (or other notification) that contains aggregated information about all these findings.

To do this, create a new Image Assurance policy in three steps:

  1. Create a new ruleset.

  2. Create a new notification.

  3. Configure a new policy.

  1. Navigate to Workload Protection > Vulnerabilities > Rulesets.

  2. Click Add Ruleset.

  3. Enter a distinctive name, for example, Aggregated-ImageScan, and a description for the ruleset.

  4. Click Create. CloudGuard creates and opens a new ruleset.

  5. Click New Rule to open the rule editor page.

  6. Click the GSL text box to open the GSL Rule Editor.

  7. Write a rule that contains a criterion for sending a notification, for example, the number of critical- or high-severity findings.

    Best Practice - For this ruleset, you can create only one rule to trigger sending you only one finding that aggregates all information about the image vulnerabilities. This includes all vulnerability statistics and remediation actions that you can do to mitigate the risks. Make sure to use ImageScan as a rule target.

  8. Click Verify to verify the rule.

  9. Click Done.

  10. Enter or update other available fields (Title, Description, etc.).

  11. Click Save to save the new rule.

Examples

The default CloudGuard rulesets Container Image Assurance and Container Image Assurance 1.0 contain an ImageScan rule that you can use as an example.

  1. This rule triggers sending a notification when the scan results have at least one critical vulnerability.

    ImageScan should not have totals.critical > 0

  2. This (default) rule triggers sending a notification when the scan results have at least one critical vulnerability or no less than 10 high severity vulnerabilities.

    ImageScan should not have (totals.critical > or totals.high > 10)

  3. This rule triggers a notification when the scan results of a specific image (repo:tag) have risk score higher than 8.

    ImageScan where repo-url='quay.io/checkpoint' and repo-tag='consec-imagescan-engine:2.21.0' should not have risk-score > 8

  1. Navigate to Settings > Configuration > Notifications. menu. This shows a list of all your Notifications.

  2. Configure a new notification as in How to Configure a Notification.

  3. In the Add Filter area, select ImageScan as a Category. This enables sending notifications only for the ImageScan findings.

    If the ImageScan category is not available, see Limitations.

  1. Navigate to Workload Protection > Vulnerabilities > Policies.

  2. Click Add Policy.

  3. Select Environment Policy.

  4. Select the Kubernetes platform.

  5. Click Next.

  6. Select a cluster to apply the policy.

  7. Click Next.

  8. Select the ruleset that you created in Step 1.

  9. Enable Admission Control (Image Admission) in Detection or Prevention mode. For more details, see Image Admission.

  10. Select the notification that you created in Step 2.

  11. Click Save.

Viewing ImageScan Findings

  1. Navigate to Workload Protection > Vulnerabilities > Findings.

  2. Filter the view by Category : ImageScan. Click an applicable finding.

    If the ImageScan category is not available, see Limitations.

  3. The finding overview contains information about the image risk score, statistics of findings by severity, and the aggregated remediation (click Show more to see it). Full information is available in JSONClosed JavaScript Object Notation. A lightweight data interchange format. format through the configured notification.

    Note - In the finding notification, the description and remediation appear separately for the rule and for the ImageScan entity. In the ImageScan entity, CloudGuard generates the finding information:

    • For remediation, it creates an aggregated remediation from all applicable vulnerabilities.

    • For description, it aggregates data with all statistics of the image vulnerabilities.

    In Jira notifications only, the generated data concatenate with the values of Description and Remediation configured in the rule.

  4. The finding description is available as a tooltip when you put the cursor on the finding row and the Description column in the findings table.

Limitations

  • Sometimes, the ImageScan category is not available in the filter when you create a notification. This happens with newly onboarded environments where CloudGuard has not finished yet to scan images for the first time. Wait approximately 5-10 minutes to let it finish and try again.

  • The remediation length is limited to 25,600 symbols. The remediation that exceeds this length is truncated to 25,600 symbols.

More Links