Image Assurance

CloudGuard Image Assurance analyzes container images for vulnerabilities at each stage of their life cycle to make sure they meet your organizational policies.

The Image Assurance agents continuously check Kubernetes clusters and registries to scan the discovered container images. If an agent identifies an unknown image, it scans and analyzes the image for vulnerabilities, exploits, malware, viruses, trojans, credential leakage, and other malicious threats. In Kubernetes clusters, only images of the running workloads are scanned.

CloudGuard Workload Protection - Image Assurance

Before you can see Vulnerabilities, you must onboard your Kubernetes cluster or AWS account to CloudGuard. See Onboarding Kubernetes Clusters and Onboarding AWS Environments.

How Image Assurance Works

For each scan target, the table below lists what to scan, how to scan it, and the prerequisites.

  • What to scan: Kubernetes clusters
    How to scan: Deploy Image Assurance on the Kubernetes cluster
    Prerequisites: Onboard a Kubernetes cluster

  • What to scan: Container registry
    How to scan (option 1): Deploy Image Assurance on a hosting Kubernetes cluster
    Prerequisites: Onboard a Kubernetes cluster
    How to scan (option 2): Use a CloudFormation Template to deploy the ECS scanner resources on your AWS account
    Prerequisites: Onboard an AWS account

  • What to scan: AWS ECS tasks container images
    How to scan (option 1): Deploy Image Assurance on a hosting Kubernetes node and scan the ECR that hosts container images used in the applicable ECS cluster
    Prerequisites: Onboard a Kubernetes cluster; onboard the related ECR
    How to scan (option 2): Use a CloudFormation Template to deploy the ECS scanner resources on your AWS account and scan the ECR that hosts container images used in the applicable ECS cluster
    Prerequisites: Onboard an AWS account; onboard the related ECR

Resources

Image Assurance scanner uses these resources:

  • ImageScan List - A single-replica Deployment that sends container image lists to CloudGuard. The lists are collected from the image-scan-daemon pods and from the connected Container registries.

  • ImageScan Engine - A single-replica Deployment that analyzes and scans container images. The agent sends the information necessary to complete the scan to CloudGuard. For more information about the agent's version, see Agent Version Life Cycle.

  • ImageScan Daemon (for Kubernetes images only) - A DaemonSet that provides a list of local images (on each node) and the content of the requested images.

CPU

When the ImageScan Engine pod scans images, it can consume more than one CPU. In a stable state, when new images are scanned only occasionally, the Engine pod consumes very little CPU.

Lowering the CPU request and limit values has the opposite effect: scans take longer.

Supported Packages

Image Assurance and the CI/CD tool support these types of packages:

  • Distro package managers (Alpine, Debian, Ubuntu, RHEL, and CentOS)

  • .NET languages (C#, C++, F#, VB)

  • Node.js packages

  • Python packages (requirements.txt)

  • Ruby gems

  • Java artifacts (JAR files)

  • Go packages

Image Assurance Findings

CloudGuard creates Image Assurance findings for Container images based on the assigned policy.

CloudGuard automatically creates a policy with a default Image Assurance ruleset for applicable clusters. If the default policy is sufficient, no further action is necessary. If the onboarded environment is part of an Organizational Unit that already has an Image Assurance policy, no default policy is associated with the environment.

Categories of Findings

Image Assurance findings are grouped into these categories:

  • CVE - Common Vulnerabilities and Exposures

  • MaliciousIP - For more details, see Malicious IP Classification

  • MaliciousFile - Malware

  • InsecureCode

  • InsecureContent - Credential leakage

    Note - This feature is in Early Availability.

  • ImageScan - Indicates that the number of issues, or the severity of the issues, found on an image exceeds a preconfigured threshold. See Image Scan Findings.

  • Package - Package license, package info, and CVEs

Details of Findings

The fields in Image Assurance findings are almost the same as the fields of other findings in the Entity Card.

Fields for Kubernetes images:
