Images
To see your workload images, you must onboard the environment that contains these images to CloudGuard. See Onboarding Cloud Environments to onboard your environment.
CloudGuard supports images built with Docker (specifically, Docker Engine), OCI, and Kaniko.
When you enable Image Assurance on your cloud environments, you can see all the images that run on these environments and their scan status on Workload Protection > Containers Assets > Images. CloudGuard does not show images that have not been run on an onboarded workload. CloudGuard considers a Kubernetes or ECS image running when a workload with this image is running in the relevant Kubernetes or ECS environment. CloudGuard considers a Container Registry or ShiftLeft image running when it is running in some Kubernetes or ECS environment in the tenant.
After onboarding, the images start to appear on the page with the Scanned scan status. In addition to the regular scans, you can schedule on-demand scanning of Kubernetes and Container Registry images whose status is other than Scanned.
Scanning Time Frames
Scanning time frames can differ:
- After onboarding, CloudGuard shows the list of discovered Kubernetes images. Because scan results are shared between environments, some images can already be scanned in other Kubernetes or Container Registry environments, so they appear first on the Images page.
- Kubernetes images are scanned gradually. The first scanned images are shown several minutes after they appear in the portal.
- New images added to the registry take up to 12 hours to be scanned, based on the registry configuration. The scan period is configurable on the container registry page.
- For images, the on-demand scanning request schedules the image for scanning in several minutes with priority over other regular images. Actual scanning can start later if multiple images are prioritized.
- For environments, the on-demand scanning request schedules their images for scanning within several minutes.
Image Parameters
Use the Asset Type filter to show available images by group:
- Container Registry image
- Kubernetes image
- ShiftLeft image
The Images page lets you see immediately the vulnerability level and risk score of the scanned images:
- Risk - Image risk score from 0 to 10, based on the Common Vulnerability Scoring System (CVSS).
- Registry - Registry that stores this image.
- Is Running - Green indicates images corresponding with currently running workloads. Grey indicates inactive images.
- CVEs - Summary of the CVEs by severity.
- Scan Status - See Image Scan Status.
- Last Running Date - Indicates when a related workload was last seen running. An empty cell means that a related workload has not been seen.
Click the image name to see more details about its status, properties, and posture findings.
Image Scan Status
See the table below for all statuses.
Scan Status | Description | Corrective Action |
---|---|---|
Scanned | The image is successfully scanned. | |
Pending Scan | Applicable to Fargate images: | |
Partial | Scan results are partial; the image will be scheduled for rescanning. | |
Unsupported OS | The image operating system is not supported (for example, Windows is not supported). | |
Unmatched | Applicable for ECS images: No matching image scans were found for the ECS task image. | |
Not an image | An artifact found in the registry is not an image (for example, a Helm chart). | |
Network Error | Unable to create a connection to scanning services, possibly because of a firewall or a proxy. | Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. |
Unauthorized | Failed on one of these: | Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. If the image is from a container registry environment, follow the procedure for Error 2 of Error Messages in Agent Status. |
Insufficient resources | | The maximum allowed image size is 20 GB. If you need to scan larger images, contact Check Point Support Center. If the image size is less than 20 GB, examine the space left on your cluster machine. |
Timeout | Timeout on pulling the image to be scanned. | Examine your network connectivity on the cluster and try to increase the image pull timeouts by setting the environment variables. See the Central Agent Environment Variables section in Image Assurance Troubleshooting. |
Internal Error | An unknown error has occurred. The image will be rescheduled for a scan. | If the problem continues, contact Check Point Support Center. |
Inactive Images
CloudGuard deletes inactive images after a set period:
- Kubernetes Images - CloudGuard considers a Kubernetes image inactive if none of its corresponding workloads are running. You can set the period after which CloudGuard deletes inactive images (by default, 7 days).
- Container Registry Images - A container registry image is live (active) if at least one Kubernetes container corresponding to this image is running in your CloudGuard account. CloudGuard deletes inactive container registry images within 24 hours (not immediately) after they are deleted from the registry. You cannot set the period for the deletion of these images.
- ShiftLeft Images - CloudGuard considers a ShiftLeft image inactive if none of its corresponding workloads are running. You can set the period for the image deletion after the last scanning of this image (by default, 30 days).
You can set the lifetime for inactive Kubernetes and ShiftLeft images in the Workloads Settings.
On-Demand Image Scanning
In addition to the regular scans, you can schedule on-demand scanning of these:
- Kubernetes environments and images
- Container Registry environments and images
- AWS environments and images
Inactive (non-running) images cannot be requested for scan:
- If an environment is requested for scan, its inactive images are not considered.
- If an image is requested for scan, the scanning process is not triggered.
Scanning Failed Images
This process starts the scanning of all images in an environment that are not in the Scanned status.
To start the image scan on demand:
- Navigate to Assets > Environments and select a cluster or a container registry.
- Click to open the environment page.
- Click Retry Failed Scans.
Scanning Individual Images
This process schedules an image for scanning regardless of its status.
To start the image scan on demand, do one of these:
- On the image level:
  - Navigate to Workload Protection > Containers Assets > Images and select an image.
  - Click Request Scan.
- Or on the environment level:
  - Navigate to Assets > Environments and select a cluster or a container registry.
  - Click to open the environment page.
  - Open the Images tab.
  - In the image row, see its Scan Status, then click the menu and select Request Scan.
For on-demand image scanning with the API, see Workload Image Assurance in the API Reference Guide.
Limitations
- Images used by short-lived pods may not be visible to Image Assurance.
- Request Scan usage is limited to 200 requests per hour.
- Requests for a scan of inactive images are not available.
- On-demand scanning is not supported for ShiftLeft images and environments.
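A triage helper for the on-demand scanning rules on this page (an added example, not CloudGuard's own code or API): it applies the eligibility rules (inactive images and ShiftLeft images cannot be requested), sets aside statuses that the scan status table says need an environment fix before a retry is useful, and keeps requests within the 200-per-hour limit, ranking unscanned and high-risk images first. The record fields and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

REQUEST_SCAN_HOURLY_LIMIT = 200  # documented Request Scan limit per hour
# Statuses that a new request will not clear, per the Image Scan Status table:
PERMANENT = {"Unsupported OS", "Not an image"}  # the image itself cannot be scanned
FIX_FIRST = {"Network Error", "Unauthorized", "Insufficient resources", "Timeout"}

@dataclass(frozen=True)
class ImageRecord:
    name: str
    asset_type: str   # "Kubernetes image", "Container Registry image", "ShiftLeft image"
    scan_status: str  # a value from the Image Scan Status table
    is_running: bool  # the "Is Running" indicator on the Images page
    risk: float       # 0-10 risk score

def can_request_scan(img: ImageRecord) -> bool:
    """Inactive images cannot be requested; ShiftLeft images have no on-demand scan."""
    return img.is_running and img.asset_type != "ShiftLeft image"

def plan_scan_requests(images, requests_used_this_hour=0, limit=REQUEST_SCAN_HOURLY_LIMIT):
    """Return {"request", "fix_first", "skipped"} lists of image names: what to request
    now within the remaining hourly budget (unscanned first, then highest risk),
    what needs an environment fix before a retry, and what is not eligible."""
    plan = {"request": [], "fix_first": [], "skipped": []}
    candidates = []
    for img in images:
        if not can_request_scan(img) or img.scan_status in PERMANENT:
            plan["skipped"].append(img.name)
        elif img.scan_status in FIX_FIRST:
            plan["fix_first"].append(img.name)
        else:
            candidates.append(img)
    candidates.sort(key=lambda i: (i.scan_status == "Scanned", -i.risk))
    budget = max(0, limit - requests_used_this_hour)
    plan["request"] = [i.name for i in candidates[:budget]]
    return plan

# Constructed sample inventory, not real CloudGuard data.
SAMPLE = [
    ImageRecord("api:1.4", "Kubernetes image", "Partial", True, 8.7),
    ImageRecord("web:2.0", "Kubernetes image", "Scanned", True, 9.1),
    ImageRecord("batch:0.9", "Container Registry image", "Internal Error", True, 5.0),
    ImageRecord("legacy:3", "Kubernetes image", "Unsupported OS", True, 2.0),
    ImageRecord("old:1", "Kubernetes image", "Timeout", False, 7.5),
    ImageRecord("proxy:1", "Container Registry image", "Network Error", True, 6.2),
    ImageRecord("src:abc", "ShiftLeft image", "Scanned", True, 9.9),
]

if __name__ == "__main__":
    print(plan_scan_requests(SAMPLE, requests_used_this_hour=198))
```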