Image Assurance

CloudGuard Image Assurance analyzes Kubernetes images at each stage of their life cycle to make sure they are clean.

The Image Assurance agents continuously check clusters and registries for all images. If an agent identifies an unknown image, it scans and analyzes the image to find vulnerabilities, exploits, malware, viruses, trojans, credential leakage, and other malicious threats.

Before you can use Image Assurance, you must onboard your Kubernetes cluster to CloudGuard. See Onboarding Kubernetes Clusters.

Architecture

Image Assurance uses these resources:

  • ImageScan Engine - A single-replica Deployment that analyzes and scans the agent on the local machine. The agent sends CloudGuard the necessary information to complete the scan.

  • ImageScan Daemon - A DaemonSet that scans local (on each node) or remote registries.

CPU

When the ImageScan engine pod scans images, it can consume more than one CPU. In a stable state, when only new images are scanned most of the time, the engine pod consumes very little CPU. When there are no new images to scan, CPU is used only to send the image list, at intervals, to the daemon agent and the CloudGuard backend servers.

Reducing the CPU requests and limits of the engine pod can have the opposite effect of what is intended: scans take longer.

Supported Packages

Image Assurance and ShiftLeft support these types of packages:

  • Distro package managers (Alpine, Debian, Ubuntu, RHEL, and CentOS)

  • .Net languages (C#, C++, F#, VB)

  • Node.js packages

  • Python packages (requirements.txt)

  • Ruby gems

  • Java artifacts (JAR files)

  • Go packages

Azure Container Registries Scanning

The Image Assurance agents deployed on a cluster can scan new images as they appear, both on this cluster and in the connected ACR container registry. When you onboard a new container registry, you must connect it to a Kubernetes environment with Image Assurance enabled.

Note - Registry scanning requires Image Assurance agent version 2.10.0 or higher, included in the CloudGuard Helm chart version 2.11.1 or higher. See Upgrading the Agent for more information.

AWS ECS Scanning

To launch containers, Amazon ECS uses Docker images referenced in task definitions. The Docker images are commonly hosted in AWS ECR registries. CloudGuard provides scanning results for the AWS ECS Docker images based on the inventory information of the onboarded AWS environment and on ECR scanning. Installation of CloudGuard agents in the AWS ECS clusters is not necessary.

Prerequisites

Before you start, make sure to:

To see the results of scanning, in CloudGuard, navigate to Workload Protection > Assets > Images. For more details, see Workload Images.

Known Limitations

  • The number of images fetched for a scan in each repository in the container registry is limited. The default value is 10. To change the value, use this API call:

    PATCH /v2/containerRegistry/account/{registry-id}/settings

    For more information, see the API Reference Guide.
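As an added example (not from the CloudGuard documentation or product code), the following Python script builds and sends the PATCH request named above using only the standard library. It assumes the CloudGuard API base URL https://api.dome9.com and HTTP Basic authentication with an API key ID and secret; the exact setting name that controls the per-repository image limit is not given on this page, so the script takes the settings body as a parameter and the usage shows a clearly marked placeholder key to be replaced with the name from the API Reference Guide. The registry ID and credentials are read from environment variables so no secrets are embedded in the code.

```python
import base64
import json
import os
import urllib.error
import urllib.request

# Assumption: CloudGuard (formerly Dome9) public API base URL. Not stated on this page.
API_BASE = "https://api.dome9.com"


def build_settings_patch(registry_id, settings, api_key_id, api_key_secret):
    """Build a PATCH request for /v2/containerRegistry/account/{registry-id}/settings.

    Returns an urllib Request object so the URL, method, headers and body can be
    inspected (or asserted on) before anything is sent over the network.
    """
    url = f"{API_BASE}/v2/containerRegistry/account/{registry_id}/settings"
    # Assumption: CloudGuard API keys are sent as HTTP Basic "keyId:keySecret".
    token = base64.b64encode(f"{api_key_id}:{api_key_secret}".encode()).decode()
    body = json.dumps(settings).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def update_registry_settings(registry_id, settings, api_key_id, api_key_secret, timeout=30):
    """Send the PATCH and return (status_code, parsed_body_or_None).

    HTTP errors are returned rather than raised so a caller can log the
    status and response text (e.g. 401 for a bad key, 404 for a wrong id).
    """
    req = build_settings_patch(registry_id, settings, api_key_id, api_key_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            parsed = json.loads(raw) if raw else None
        except json.JSONDecodeError:
            parsed = raw.decode(errors="replace")
        return err.code, parsed


if __name__ == "__main__":
    # Placeholders: set these in the environment before running.
    registry_id = os.environ.get("CLOUDGUARD_REGISTRY_ID", "<registry-id>")
    key_id = os.environ.get("CLOUDGUARD_API_KEY_ID", "<api-key-id>")
    key_secret = os.environ.get("CLOUDGUARD_API_KEY_SECRET", "<api-key-secret>")
    # Placeholder key: replace with the setting name documented in the API Reference Guide.
    new_settings = {"<setting-name-from-API-Reference>": 20}
    status, body = update_registry_settings(registry_id, new_settings, key_id, key_secret)
    print(status, body)
```

Because `build_settings_patch` is separated from the network call, the request can be reviewed in a dry run before any change is made to a production registry configuration, and a non-2xx status is surfaced with the response body instead of an exception.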

  • The maximum number of container registry images is 45K. This count applies to the images selected for scanning after the per-repository limit above has been applied.

  • CloudGuard shows only those images that reside in private ECR or GCR registries onboarded to CloudGuard. This happens because AWS provides image digest information only for such images, which allows the CloudGuard engine to inherit vulnerability scanning results from images scanned in ECR.

  • To receive scanning results, ECS images must be onboarded in the same CloudGuard account as the ACR/Private ECR that scans them.

  • Scanning of Windows container images is not available.

  • CloudGuard creates ECS images only for running tasks.

Troubleshooting

Error: Failed to create registry worker

Corrective actions:

  1. Make sure you created the pull secret in the same namespace where the CloudGuard agents are located.

  2. Make sure you gave the same secret name on the onboarding wizard page.

Error: Failed to authenticate

Corrective actions:

  1. Make sure the AWS access key and secret key are configured correctly, as described in the AWS AccessKey or SecretKey section of AWS Elastic Container Registry (ECR).

  2. Make sure the Access Key / Secret Key is correct.

  3. Make sure the AWS account ID appears correctly in the Registry URI.

Image Assurance Findings

CloudGuard creates Image Assurance findings for Kubernetes images based on the assigned policy.

CloudGuard automatically adds a default Image Assurance policy and rulesets for applicable clusters. If the default policy is sufficient, no more actions are necessary.

Finding Categories

Image Assurance findings are grouped into these categories:

  • MaliciousIP - For more details, see Malicious IP Classification

  • MaliciousFile - Malware

  • InsecureCode

  • InsecureContent - Credential Leakage

  • ImageScan - Indicates that the number of issues or severity of the issues found on an image exceeds a preconfigured threshold

  • Package - Package license, package info, and CVEs

Finding Fields

The fields in Image Assurance findings are almost the same as other findings fields in the Entity Card.

Fields for Kubernetes images:
