Images

To see your workload images, you must onboard the environment that contains these images to CloudGuard. See Onboarding Cloud Environments to onboard your environment.

CloudGuard supports images built with Docker, OCI, and Kaniko.

When you enable Image Assurance on your cloud environments, you can see all the images that run on these environments and their scan status on Workload Protection > Containers Assets > Images. CloudGuard does not show images that have not been run on an onboarded workload. CloudGuard considers a Kubernetes or ECS image running when a workload with this image is running in the relevant Kubernetes or ECS environment. CloudGuard considers a Container Registry or ShiftLeft image running when it is running in any Kubernetes or ECS environment in the tenant.

After onboarding, the images start to appear on the page with the Scanned scan status. In addition to the regular scans, you can schedule on-demand scanning of Kubernetes and Container Registry images whose status is other than Scanned.

Scanning Time Frames

Scanning time frames vary by image source:

  • After onboarding, CloudGuard shows the list of discovered Kubernetes images. Because scan results are shared between environments, some images can already be scanned in other Kubernetes or Container Registry environments, so they appear first on the Images page.

  • Kubernetes images are scanned gradually. The first scanned images are shown several minutes after they appear in the portal.

  • New images added to the registry take up to 12 hours to be scanned, based on the registry configuration. The scan period is configurable on the container registry page.

  • For images, the on-demand scanning request schedules the image for scanning within several minutes, with priority over other regular images. Actual scanning can start later if multiple images are prioritized.

  • For environments, the on-demand scanning request schedules their images for scanning within several minutes.

Image Parameters

Use the Asset Type filter to show available images by group:

  • Container Registry image

  • Kubernetes image

  • ShiftLeft image

The Images page lets you see immediately the vulnerability level and risk score of the scanned images.

Click the image name to see more details about its status, properties, and posture findings.

Base Image

While scanning your workloads, CloudGuard sends notifications about all findings: CVEs, secrets, or other vulnerabilities. If you want to focus only on the findings that you need to remediate, you can exclude vulnerabilities inherited from the base image. For example, if you build your image on an Ubuntu image, you can create a rule that excludes the base image vulnerabilities from your findings and see only those findings introduced by your own dependencies.

In CloudGuard, the base image is an entity that was used as a basis to create your images or other base images. When you decide which images to mark as base images, select those extended by other images in use.

Important - The base image feature requires upgrading your Image Assurance agent to version 2.37 or higher.

Base Image Repository

Best Practice - Check Point recommends setting up a separate repository for the base images that you use. CloudGuard automatically recognizes all images added to that repository as base images.

To set a repository as a Base Image repository, create a Base Image rule.

To create a Base Image Rule:

  1. Navigate to Workload Protection > Container Assets > Images and open your image.

  2. On the top right, click the menu and select Add Base Image rule.

    Or you can open Workload Protection > Vulnerabilities > Base Image Rules and click Add.

  3. In the Add Base Image rule window, enter the details:

    1. Name (mandatory) - Enter a distinctive name for the rule, for example, My Org Nginx Rule.

    2. Registry Environment (mandatory) - Select one or more container registries where you apply the rule.

    3. Repository (mandatory) - Enter a repository to contain the base images. For example, if your image URL is myrepo.com/this/is/my/imageName:11,

      1. registry - myrepo.com

      2. repository - this/is/my/imageName

      3. tag - 11

    4. Description

  4. Click Save.
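
As an added illustration of how the registry, repository and tag parts of an image URL in step 3 are derived, the following Python splits an image reference the way Docker-style references are laid out and then checks whether an image falls under a Base Image rule defined by a registry plus a repository. This is example code written for this page, not CloudGuard's own parser or rule engine; the function names `parse_image_ref` and `matches_base_image_rule` and every sample reference other than the page's own `myrepo.com/this/is/my/imageName:11` are assumptions. The rule check ignores the tag and digest, following the page's statement that every image in the repository counts as a base image.

```python
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"   # used when the reference names no registry host
DEFAULT_TAG = "latest"           # used when the reference carries neither tag nor digest
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    Layout (Docker reference convention): an optional registry host, recognised by a
    '.', a ':port' or the name 'localhost' in the first path component; the repository
    path; an optional ':tag' on the last component; an optional '@sha256:<hex>' digest.
    """
    if not ref or ref != ref.strip():
        raise ValueError(f"malformed image reference: {ref!r}")

    # 1. Split off the content digest, if present, and validate its shape.
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"unsupported digest: {digest!r}")

    # 2. The first component is a registry only if it looks like a host name.
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref

    # 3. Only the last path component may carry a ':tag' (a ':' earlier is a port).
    head, _, last = path.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.rsplit(":", 1)
        if not _TAG_RE.match(tag):
            raise ValueError(f"invalid tag: {tag!r}")

    repository = f"{head}/{last}" if head else last
    if not repository or repository.startswith("/") or repository.endswith("/") or "//" in repository:
        raise ValueError(f"malformed repository path in {ref!r}")
    # Docker Hub single-name images live under the implicit 'library/' namespace.
    if registry == DEFAULT_REGISTRY and "/" not in repository:
        repository = "library/" + repository
    if tag is None and digest is None:
        tag = DEFAULT_TAG
    return ImageRef(registry, repository, tag, digest)


def matches_base_image_rule(ref: str, rule_registry: str, rule_repository: str) -> bool:
    """True when the image lives in the rule's registry and repository.

    Tags and digests are deliberately ignored: a Base Image rule covers the whole
    repository, so every version pushed there is treated as a base image.
    """
    parsed = parse_image_ref(ref)
    return parsed.registry == rule_registry and parsed.repository == rule_repository


if __name__ == "__main__":
    # The page's own example reference, followed by constructed ones.
    for sample in ("myrepo.com/this/is/my/imageName:11", "nginx",
                   "localhost:5000/team/app:1.2", "ghcr.io/org/app:1.0@sha256:" + "a" * 64):
        print(sample, "->", parse_image_ref(sample))
    print(matches_base_image_rule("myrepo.com/this/is/my/imageName:12",
                                  "myrepo.com", "this/is/my/imageName"))
```

Note that a reference that names no registry resolves to Docker Hub and a bare name gets the `library/` prefix, so a rule written for `docker.io` plus `library/ubuntu` matches `ubuntu:22.04` but not `myorg/ubuntu:22.04`.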

The image located in the repository obtains the Base Image indication in its details, and, in the Entity Viewer, the image belongs to the BaseImage group.

Images extended from the base image have the indication in the asset details that they are Based On the base image, with a link to the base image. The link opens the Images page filtered by the base image's SHA256, which shows all its copies in this account.

Important - An image set as a base image is considered as such in all environments (for example, container registries, clusters, or ShiftLeft environments) onboarded to the CloudGuard account.

To sort out base image vulnerabilities:

  1. Navigate to Workload Protection > Container Assets > Images and open your image.

  2. Go to the Vulnerabilities tab. It shows the list of the found CVEs.

  3. Group the CVEs by Base image.

    • The CVEs in the Base image group are found in the packages installed on the base image.

    • The CVEs in another group are found in the packages installed only on your image, so you can remediate them.

  4. Go to the Threats or Secrets tab. In the same manner, sort out the threats and secrets that come from the base image or from the resources in your image.

CloudGuard scans only the latest (most recently used) images from the repository. On the asset page, you can configure the maximum number of these images for each base repository. For more details, see Configuring Scanning of Registries.

Posture Findings

You can create a policy that lets you see only those findings that are found in your image but not in the base image. To do this, create a rule that excludes all findings that originate in the base image, using the entity property called baseImages.

Vendor Image

Similar to the base images, CloudGuard indicates vendor images. These images are created and maintained by cloud vendors, such as AWS, Azure, or Google Cloud Platform, so you can exclude findings related to these images. CloudGuard regularly updates the list of vendor images. If a vendor image is missing in the image list, contact Check Point Support.

Posture Findings

You can create a policy that excludes the findings that are found in the vendor image. To do this, create a rule that excludes all findings that originate in the vendor image, using the entity property called imageGroups under scannedAssets.

Layers

CloudGuard shows the layers that comprise the image. The layers are ordered based on their creation date. When CloudGuard discovers a vulnerability, it can show at which layer the vulnerability was introduced and present the summary of all layer commands. You can filter the layers by Layer ID or by Layer Command. To learn more details, click the Layers panel and open the Vulnerabilities tab.

The Vulnerabilities page shows the image vulnerabilities (CVEs and Threats) grouped by layer and sorted by severity from Critical to Low. For example, you can see the CVE statistics for each layer and then expand the layer to see the CVEs found in it.
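
The two views described above, grouping CVEs by whether the base image introduced them (the "sort out base image vulnerabilities" procedure) and per-layer severity statistics, both reduce to one question: which layer installed the vulnerable package? The following Python is an added example, not CloudGuard's code or data model, that answers it over a constructed image. The `Layer` and `Finding` classes, the layer identifiers, the package names and the `CVE-EXAMPLE-*` identifiers are all made up for illustration. A finding whose package no layer can be shown to have installed is kept in the image's own group rather than excluded, so nothing drops out of the remediation list without proof that it was inherited.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Sort order used for findings, matching the Critical-to-Low ordering of the page.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Layer:
    digest: str               # constructed layer identifier, not a real digest
    command: str              # build command that created the layer
    packages: FrozenSet[str]  # "name@version" packages installed by this layer


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str


def layer_introducing(layers: List[Layer], package: str) -> Optional[Layer]:
    """Return the earliest layer (creation order) that installed `package`, or None."""
    for layer in layers:
        if package in layer.packages:
            return layer
    return None


def group_by_base_image(layers: List[Layer], base_layer_digests: FrozenSet[str],
                        findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into those inherited from base-image layers and those that are ours.

    Unattributable findings go to the "Image" group: without evidence that a base layer
    introduced the package, the finding stays on the remediation list.
    """
    groups: Dict[str, List[Finding]] = {"Base image": [], "Image": []}
    for finding in findings:
        layer = layer_introducing(layers, finding.package)
        inherited = layer is not None and layer.digest in base_layer_digests
        groups["Base image" if inherited else "Image"].append(finding)
    for bucket in groups.values():
        bucket.sort(key=lambda f: SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)))
    return groups


def per_layer_severity_counts(layers: List[Layer], findings: List[Finding]) -> Dict[str, Counter]:
    """Severity histogram per layer, the summary a layer view shows before expanding a layer."""
    stats = {layer.digest: Counter() for layer in layers}
    for finding in findings:
        layer = layer_introducing(layers, finding.package)
        if layer is not None:
            stats[layer.digest][finding.severity] += 1
    return stats


# Constructed sample: one base-image layer followed by two layers added by the application build.
BASE_LAYERS = [
    Layer("sha256:base-layer-1", "ADD rootfs.tar /", frozenset({"libc6@2.35", "openssl@3.0.2"})),
]
APP_LAYERS = BASE_LAYERS + [
    Layer("sha256:app-layer-2", "RUN apt-get install -y curl", frozenset({"curl@7.81.0"})),
    Layer("sha256:app-layer-3", "COPY ./app /app", frozenset({"app@1.0"})),
]
BASE_DIGESTS = frozenset(layer.digest for layer in BASE_LAYERS)

# Constructed findings with placeholder identifiers; the last one names a package no layer installed.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "openssl@3.0.2", "High"),
    Finding("CVE-EXAMPLE-0002", "curl@7.81.0", "Critical"),
    Finding("CVE-EXAMPLE-0003", "libc6@2.35", "Low"),
    Finding("CVE-EXAMPLE-0004", "curl@7.81.0", "Medium"),
    Finding("CVE-EXAMPLE-0005", "unknown-lib@0.1", "High"),
]

if __name__ == "__main__":
    for name, bucket in group_by_base_image(APP_LAYERS, BASE_DIGESTS, FINDINGS).items():
        print(name, [f"{f.cve} ({f.severity})" for f in bucket])
    for digest, counts in per_layer_severity_counts(APP_LAYERS, FINDINGS).items():
        print(digest, dict(counts))
```

Attributing a package to the earliest layer that installed it is what makes the base-image exclusion safe to apply: a package the base image ships and your build later upgrades appears in a later layer with a different version string, so its finding is counted against your layer, not the base.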

Image Scan Status

See the table below for all statuses. Each entry lists the Scan Status, its Description, and the Corrective Action.

Scanned

  Description: The image is successfully scanned.

  Corrective Action: None.

Pending Scan

  Description:

    • The image is waiting to be scheduled for a scan.

    • Applicable to Fargate images: no matching image scans are found for the Fargate image.

  Corrective Action: None.

Partial

  Description: Scan results are partial; the image will be scheduled for rescanning.

  Corrective Action: None.

Unsupported OS

  Description: The image operating system is not supported (for example, Windows is not supported).

  Corrective Action: None.

Unmatched

  Description: Applicable to ECS images: no matching image scans were found for the ECS task image.

  Corrective Action: None.

Not an image

  Description: An artifact found in the registry is not an image (for example, a Helm chart).

  Corrective Action: None.

Network Error

  Description: Unable to create a connection to scanning services, possibly because of a firewall or a proxy.

  Corrective Action: Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers.

Unauthorized

  Description: Failed on one of these:

    1. Failed to authenticate with CloudGuard.

    2. Failed to authenticate with the container registry (for example, because of expired credentials).

    3. Failed to verify the CloudGuard certificate, possibly because of the firewall/proxy.

  Corrective Action: Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. If the image is from a container registry environment, follow the procedure for Error 2 of Error Messages in Agent Status.

Insufficient resources

  Description: The image is too large to be scanned, or no space is left on your host machine.

  Corrective Action: The maximum allowed image size is 20 GB. If you need to scan larger images, contact Check Point Support Center. If the image size is less than 20 GB, examine the space left on your cluster machine.

Timeout

  Description: Timeout on pulling the image to be scanned.

  Corrective Action: Examine your network connectivity on the cluster and try to increase the image pull timeouts by setting the environment variables. See the Central Agent Environment Variables section in Image Assurance Troubleshooting.

Internal Error

  Description: An unknown error has occurred. The image will be rescheduled for a scan.

  Corrective Action:

    • Review the imagescan-engine logs, identify the engine container that reports errors and the node that runs it.

    • Examine the container metrics. If the container reaches its memory limits, increase the limits. If the node's memory utilization is high, increase the container's memory requests.

    • Examine the free disk space of the node. For ECS scanning environments, examine the ephemeral storage of the task (the default is 20 GB).

    If the problem continues, contact Check Point Support Center.

Inactive Images

CloudGuard deletes inactive images after a specific period.

  • Kubernetes Images - CloudGuard considers a Kubernetes image inactive if none of its corresponding workloads are running. You can set the period after which CloudGuard deletes inactive images (by default, 7 days).

  • Container Registry Images - A container registry image is live (active) if at least one Kubernetes container corresponding to this image is running in your CloudGuard account. CloudGuard deletes inactive container registry images within 24 hours (not immediately) after they are deleted from the registry. You cannot set the period for the deletion of these images.

  • ShiftLeft Images - CloudGuard considers a ShiftLeft image inactive if none of its corresponding workloads are running. You can set the period for the image deletion after the last scanning of this image (by default, 30 days).

You can set the lifetime for inactive Kubernetes and ShiftLeft images in the Workloads Settings.

On-Demand Image Scanning

In addition to the regular scans, you can schedule on-demand scanning of these:

  • Kubernetes environments and images

  • Container Registry environments and images

  • AWS environments and images

Inactive (non-running) images cannot be requested for scan:

  • If an environment is requested for scan, its inactive images are not considered.

  • If an image is requested for scan, the scanning process is not triggered.

Scanning Failed Images

This process starts the scanning of all images in an environment that are not in the Scanned status.

To start the image scan on demand:

  1. Navigate to Assets > Environments and select a cluster or a container registry.

  2. Click to open the environment page.

  3. Click Retry Failed Scans.

Scanning Individual Images

This process schedules an image for scanning regardless of its status.

To start the image scan on demand, do one of these:

  • On the image level:

    1. Navigate to Workload Protection > Containers Assets > Images and select an image.

    2. Click Request Scan.

  • Or on the environment level:

    1. Navigate to Assets > Environments and select a cluster or a container registry.

    2. Click to open the environment page.

    3. Open the Images tab.

    4. In the image row, see its Scan Status, then click the menu and select Request Scan.

For on-demand image scanning with API, see Workload Image Assurance in the API Reference Guide.

Limitations

  • Images used by short-lived pods may not be visible to Image Assurance.

  • The Request Scan usage is limited to 200 requests in an hour.

  • Requests for a scan of inactive images are not available.

  • On-demand scanning is not supported for ShiftLeft images and environments.