Image Assurance
CloudGuard Image Assurance analyzes container images for vulnerabilities at each stage of their life cycle to make sure they meet your organizational policies.
The Image Assurance agents continuously check Kubernetes clusters and registries and scan the container images they discover. If an agent identifies an unknown image, it scans and analyzes the image for vulnerabilities, exploits, malware, viruses, trojans, credential leakage, and other malicious threats. In Kubernetes clusters, only the images of running workloads are scanned.
CloudGuard Workload Protection - Image Assurance
Before you can see vulnerabilities, you must onboard your Kubernetes cluster or AWS account to CloudGuard. See Onboarding Kubernetes Clusters and Onboarding AWS Environments.
How Image Assurance Works
| What to scan | How to scan | Prerequisites |
|---|---|---|
| Kubernetes clusters | Deploy Image Assurance on the Kubernetes cluster | Onboard a Kubernetes cluster |
| | Deploy Image Assurance on a hosting Kubernetes cluster | Onboard a Kubernetes cluster |
| | Use a CloudFormation Template to deploy the ECS scanner resources on your AWS account | Onboard an AWS account |
| AWS ECS tasks container images | Deploy Image Assurance on a hosting Kubernetes node and scan the ECR that hosts the container images used in the applicable ECS cluster | Onboard a Kubernetes cluster; onboard the related ECR |
| | Use a CloudFormation Template to deploy the ECS scanner resources on your AWS account and scan the ECR that hosts the container images used in the applicable ECS cluster | Onboard an AWS account; onboard the related ECR |
Resources
The Image Assurance scanner uses these resources:
- ImageScan List - A single-replica Deployment that sends container image lists to CloudGuard. The lists are collected from the image-scan-daemon pods and from the connected container registries.
- ImageScan Engine - A single-replica Deployment that analyzes and scans container images. The agent sends CloudGuard the information necessary to complete the scan. For more information about the agent's version, see Agent Version Life Cycle.
- ImageScan Daemon (for Kubernetes images only) - A DaemonSet that provides a list of the local images on each node and the content of the requested images.
CPU
When the ImageScan Engine pod scans images, it can consume more than one CPU. In a stable state, when only new images are scanned most of the time, the Engine pod consumes very little CPU.
Reducing the CPU requests and limits has the opposite effect: scans take longer.
Supported Packages
Image Assurance and the CI/CD tool support these types of packages:
- Distro package managers (Alpine, Debian, Ubuntu, RHEL, and CentOS)
- .NET languages (C#, C++, F#, VB)
- Node.js packages
- Python packages (requirements.txt)
- Ruby gems
- Java artifacts (JAR files)
- Go packages
Image Assurance Findings
CloudGuard creates Image Assurance findings for container images based on the assigned policy.
CloudGuard automatically creates a policy with the default Image Assurance ruleset for applicable clusters. If the default policy is sufficient, no further action is necessary. If the onboarded environment is part of an Organizational Unit that already has an Image Assurance policy, no default policy is associated with the environment.
To see the findings in the CloudGuard portal:
- Navigate to Workload Protection > Containers Assets > Images.
- Select an image. Use Environment, Asset Type, or other criteria to filter images.
- Go to the Posture Findings tab. Make sure you set the period selector to All to see all findings for the image.
- To see the findings on the Alerts Console, click Show in alerts page.
To see the vulnerability findings for all clusters and images in the account, navigate to Workload Protection > Vulnerabilities > Findings.
CloudGuard creates the findings when it scans the image for the first time. Afterward, the CloudGuard portal checks the image again (one time) within several hours for changes or newly discovered vulnerabilities.
To see findings for your AWS ECS images, use the filter for the AWS Platform and AwsEcsImage Entity Type. In addition, see the vulnerabilities in the AWS ECS image object.
On this page, use the Filter and Search toolbar to select the parameters by which to filter the Findings table.
Use these preconfigured filters:
- Environment or OU - Select one or more cluster environments or organizational units.
- Severity - Select from the available alert severity objects.
- Ruleset - Select from the available rulesets.
To see the workloads that use vulnerable images:
- Navigate to Workload Protection > Vulnerabilities > Findings.
- Select one of the findings. On the right, the entity card shows information about the image.
- Click the image link. CloudGuard redirects you to the asset page of the image.
- The Overview page shows the workloads that contain this image. For more information about Overview, see Asset Details.
Categories of Findings
Image Assurance produces different types of findings, grouped into these categories:
- CVE - Common Vulnerabilities and Exposures
- MaliciousURL
- MaliciousIP - For more details, see Malicious IP Classification
- MaliciousFile - Malware
- InsecureCode
- InsecureContent - Credential leakage
  Note - This feature is in Early Availability.
- ImageScan - Indicates that the number of issues, or the severity of the issues, found on an image exceeds a preconfigured threshold. See Image Scan Findings
- Package - Package license, package info, and CVEs
Details of Findings
The fields in Image Assurance findings are almost the same as the fields of other findings in the Entity Card.
Fields for Kubernetes images:
- Title - The specific ID or type for which the finding is created, based on the finding category.
  - ImageScan findings have the name of the image as their title
  - CVE (Common Vulnerabilities and Exposures) findings have the CVE ID as their title
- Description - The issue description, for example, the CVE description as it appears in the National Vulnerability Database (NVD).
- Environment - The Kubernetes cluster that contains the image with the finding.