Images

To see your workload images, you must onboard the environment that contains these images to CloudGuard. See Onboarding Cloud Environments to onboard your environment.

CloudGuard supports images built with Docker (specifically, Docker Engine), OCI, and Kaniko.

When you enable Image Assurance on your cloud environments, you can see all the images that run on these environments and their scan status on Workload Protection > Containers Assets > Images. CloudGuard does not show images that have not been run on an onboarded workload. CloudGuard considers a Kubernetes or ECS image running when a workload with this image is running in the relevant Kubernetes or ECS environment. CloudGuard considers a Container Registry or ShiftLeft image running when that image runs in any Kubernetes or ECS environment in the tenant.

After onboarding, the images start to appear on the page with the Scanned scan status. In addition to the regular scans, you can schedule on-demand scanning of Kubernetes and Container Registry images whose status is other than Scanned.

Scanning Time Frames

Scanning time frames differ by image source and by how the scan was requested:

  • After onboarding, CloudGuard shows the list of discovered Kubernetes images. Because scan results are shared between environments, some images can already be scanned in other Kubernetes or Container Registry environments, so they appear first on the Images page.

  • Kubernetes images are scanned gradually. The first scanned images are shown several minutes after they appear in the portal.

  • New images added to the registry take up to 12 hours to be scanned, based on the registry configuration. The scan period is configurable on the container registry page.

  • For an individual image, an on-demand scan request schedules it for scanning within several minutes, with priority over regularly scheduled images. Actual scanning can start later if multiple images are prioritized.

  • For an environment, an on-demand scan request schedules its images for scanning within several minutes.

Image Parameters

Use the Asset Type filter to show available images by group:

  • Container Registry image

  • Kubernetes image

  • ShiftLeft image

The Images page shows at a glance the vulnerability level and risk score of the scanned images.

Click the image name to see more details about its status, properties, and posture findings.

Image Scan Status

See the table below for all statuses.

Scan Status: Scanned
Description: The image is successfully scanned.
Corrective Action: None.

Scan Status: Pending Scan
Description:
  • The image awaits to be scheduled for a scan.
  Applicable to Fargate images:
  • No matching image scans are found for the Fargate image.
Corrective Action: None.

Scan Status: Partial
Description: Scan results are partial; the image will be scheduled for rescanning.
Corrective Action: None.

Scan Status: Unsupported OS
Description: The image operating system is not supported (for example, Windows is not supported).
Corrective Action: None.

Scan Status: Unmatched
Description: Applicable to ECS images: no matching image scans were found for the ECS task image.
Corrective Action: None.

Scan Status: Not an image
Description: An artifact found in the registry is not an image (for example, a Helm chart).
Corrective Action: None.

Scan Status: Network Error
Description: Unable to create a connection to the scanning services, possibly because of a firewall or a proxy.
Corrective Action: Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers.

Scan Status: Unauthorized
Description: Failed on one of these:
  1. Failed to authenticate with CloudGuard.
  2. Failed to authenticate with the container registry (for example, because of expired credentials).
  3. Failed to verify the CloudGuard certificate, possibly because of the firewall/proxy.
Corrective Action: Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. If the image is from a container registry environment, follow the procedure for Error 2 of Error Messages in Agent Status.

Scan Status: Insufficient resources
Description: The image is too large to be scanned, or no space is left on your host machine.
Corrective Action: The maximum allowed image size is 20 GB. If you need to scan larger images, contact Check Point Support Center. If the image size is less than 20 GB, examine the space left on your cluster machine.

Scan Status: Timeout
Description: Timeout on pulling the image to be scanned.
Corrective Action: Examine your network connectivity on the cluster and try to increase the image pull timeouts by setting the environment variables. See the Central Agent Environment Variables section in Image Assurance Troubleshooting.

Scan Status: Internal Error
Description: An unknown error has occurred. The image will be rescheduled for a scan.
Corrective Action:
  • Review the imagescan-engine logs, identify the engine container reporting errors and the node running it.
  • Examine the container metrics. If the container reaches its memory limits, increase the limits. If the node's memory utilization is high, increase the memory request of the container.
  • Examine the free disk space of the node. For ECS scanning environments, examine the ephemeral storage of the task (the default is 20 GB).
  If the problem continues, contact Check Point Support Center.

Inactive Images

CloudGuard deletes inactive images after a specific period.

  • Kubernetes Images - CloudGuard considers a Kubernetes image inactive if none of its corresponding workloads are running. You can set the period after which CloudGuard deletes inactive images (by default, 7 days).

  • Container Registry Images - A container registry image is live (active) if at least one Kubernetes container corresponding to this image is running in your CloudGuard account. CloudGuard deletes inactive container registry images within 24 hours (not immediately) after they are deleted from the registry. You cannot set the period for the deletion of these images.

  • ShiftLeft Images - CloudGuard considers a ShiftLeft image inactive if none of its corresponding workloads are running. You can set the period for the image deletion after the last scanning of this image (by default, 30 days).

You can set the lifetime for inactive Kubernetes and ShiftLeft images in the Workloads Settings.

On-Demand Image Scanning

In addition to the regular scans, you can schedule on-demand scanning of failed images in an environment or of individual images, as described in the sections below.

Inactive (non-running) images cannot be requested for scan:

  • If an environment is requested for scan, its inactive images are not considered.

  • If an image is requested for scan, the scanning process is not triggered.

Scanning Failed Images

This process starts the scanning of all images in an environment that are not in the Scanned status.

To start the image scan on demand:

  1. Navigate to Assets > Environments and select a cluster or a container registry.

  2. Click to open the environment page.

  3. Click Retry Failed Scans.

Scanning Individual Images

This process schedules an image for scanning regardless of its status.

To start the image scan on demand, do one of these:

  • On the image level:

    1. Navigate to Workload Protection > Containers Assets > Images and select an image.

    2. Click Request Scan.

  • Or on the environment level:

    1. Navigate to Assets > Environments and select a cluster or a container registry.

    2. Click to open the environment page.

    3. Open the Images tab.

    4. In the image row, see its Scan Status, then click the menu and select Request Scan.

For on-demand image scanning with API, see Workload Image Assurance in the API Reference Guide.

Limitations

  • Images used by short-lived pods may not be visible to Image Assurance.

  • Request Scan is limited to 200 requests per hour.

  • Scan requests for inactive images are not available.

  • On-demand scanning is not supported for ShiftLeft images and environments.
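The following Python script is an added example, not part of the CloudGuard documentation or product. It reconciles two rules stated on this page: an image is shown only while a workload that uses it is running (see the introduction), and images of short-lived pods may never become visible (see Limitations). It parses JSON in the shape `kubectl get pods -A -o json` returns, using a constructed sample embedded inline (the namespaces, pod names and image references are hypothetical), and separates images of Running pods from images that appear only in pods in another phase.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
# Pod names, namespaces and image references are hypothetical.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "app", "name": "web-1"},
     "status": {"phase": "Running"},
     "spec": {"initContainers": [{"image": "busybox:1.36"}],
              "containers": [{"image": "registry.example.com/web:1.4"}]}},
    {"metadata": {"namespace": "app", "name": "web-2"},
     "status": {"phase": "Running"},
     "spec": {"containers": [{"image": "registry.example.com/web:1.4"}]}},
    {"metadata": {"namespace": "batch", "name": "job-1"},
     "status": {"phase": "Succeeded"},  # short-lived job pod, already finished
     "spec": {"containers": [{"image": "registry.example.com/job:0.9"}]}},
]})


def classify_images(pod_list_json):
    """Return (running, not_running).

    running: image reference -> sorted namespace/name of the Running pods that
    use it (main or init containers); these are the images an onboarded
    cluster is expected to show on the Images page.
    not_running: images seen only in pods that are not Running (Succeeded,
    Failed, Pending), which Image Assurance may never show.
    """
    running = defaultdict(list)
    seen_not_running = set()
    for pod in json.loads(pod_list_json)["items"]:
        spec = pod.get("spec", {})
        images = [c["image"] for c in
                  spec.get("containers", []) + spec.get("initContainers", [])]
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        if pod.get("status", {}).get("phase") == "Running":
            for image in images:
                running[image].append(ref)
        else:
            seen_not_running.update(images)
    running = {img: sorted(refs) for img, refs in running.items()}
    return running, seen_not_running - set(running)


if __name__ == "__main__":
    running, not_running = classify_images(SAMPLE_POD_LIST)
    for image, pods in sorted(running.items()):
        print(f"expected on Images page: {image} ({len(pods)} running pod(s))")
    for image in sorted(not_running):
        print(f"not expected (no running workload): {image}")
```

Pipe real cluster output into `classify_images` to compare the expected set against what the Images page shows for that environment.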