Vulnerability Policies (Image Assurance)
On CloudGuard, findings are created when objects violate GSL rules, as a result of the assessment process as explained in Image Assurance Assessment.
A ruleset is a list of rules that defines what is considered a violation. A ruleset corresponds to a specific Kubernetes cluster or an Organization Unit through a Policy configuration.
In addition, Policy Configuration includes the notifications sent when findings are created.
On Image Assurance, everything is configured automatically, so the assessment process is invoked automatically when needed. No user action is required. When you onboard a new cluster to CloudGuard (or enable the Image Assurance feature) and associate it with an Organizational Unit, the cluster obtains the Image Assurance policy configured for this Organizational Unit. If no such policy exists, a new policy is created to associate the new cluster with the default ruleset.
You can assign a new policy or edit an existing one as explained in this section.
Image Assurance policy applies to Kubernetes image assurance, container registries, ECS images and ShiftLeft image scans.
Image Assurance Default Policy Configuration
Note - This section provides all the details of the default Image Assurance configuration. No user action is required.
A managed ruleset is a list of rules that CloudGuard creates automatically for each account. These rules represent CloudGuard security recommendations.
You cannot adjust a managed ruleset. As an alternative, duplicate it and use the edited version of this ruleset, as explained below.
To examine the Image Assurance managed ruleset:
- Navigate to Workload Protection > Vulnerabilities > Rulesets.
- Find a ruleset named Container Image Assurance. To do this, filter rulesets by the CloudGuard-Managed Type.
- Click the Container Image Assurance, Container Image Assurance 1.0, or Workload Vulnerability Default 2.0 ruleset to see the default rules.
The policy allows you to associate a ruleset with a specific Kubernetes cluster, ShiftLeft environment, Container Registry, or an Organization Unit. Additionally, it allows you to configure alerts and notifications on findings.
Without a related policy, CloudGuard cannot run assessments on image scan results and cannot create Image Assurance findings to alert on weaknesses and vulnerabilities found on vulnerable images.
CloudGuard creates an Image Assurance policy by default for each ShiftLeft environment, Container Registry, and Kubernetes cluster with Image Assurance enabled. This happens if the environment is not associated with an Organizational Unit that already has an Image Assurance policy.
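To make the onboarding rule above concrete, here is an added Python model of policy resolution; it is not CloudGuard code, and the policy, OU and ruleset names it uses, including treating Workload Vulnerability Default 2.0 as the default ruleset, are assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed name of the default managed ruleset (the page lists it among the managed rulesets).
DEFAULT_RULESET = "Workload Vulnerability Default 2.0"
DEFAULT_NOTIFICATION = "Default Image Assurance notification"


@dataclass
class Policy:
    """Binds one target (an environment id or an Organizational Unit id) to a ruleset."""
    target: str
    ruleset: str
    notification: str = DEFAULT_NOTIFICATION


@dataclass
class Account:
    policies: dict = field(default_factory=dict)  # target id -> Policy
    ou_of: dict = field(default_factory=dict)     # environment id -> OU id


def onboard_environment(account: Account, env_id: str, ou_id: Optional[str] = None) -> Policy:
    """Apply the onboarding rule: an environment whose OU already has an Image Assurance
    policy inherits it; otherwise a new policy binds the environment to the default ruleset."""
    if ou_id is not None:
        account.ou_of[env_id] = ou_id
        if ou_id in account.policies:
            return account.policies[ou_id]
    policy = Policy(target=env_id, ruleset=DEFAULT_RULESET)
    account.policies[env_id] = policy
    return policy


def effective_policy(account: Account, env_id: str) -> Optional[Policy]:
    """Resolve the policy an assessment would use: the environment's own policy first,
    then the policy of its OU. None means no assessment runs and no findings are created."""
    if env_id in account.policies:
        return account.policies[env_id]
    ou_id = account.ou_of.get(env_id)
    return account.policies.get(ou_id) if ou_id else None


if __name__ == "__main__":
    acct = Account()
    # Constructed sample: the "ou-prod" OU already carries a policy with a duplicated ruleset.
    acct.policies["ou-prod"] = Policy("ou-prod", "Container Image Assurance (edited copy)")
    print(onboard_environment(acct, "k8s-cluster-a", "ou-prod").ruleset)  # inherits the OU ruleset
    print(onboard_environment(acct, "k8s-cluster-b", "ou-dev").ruleset)   # gets the default ruleset
```

Note that an environment inheriting an OU policy gets no policy of its own, so later OU hierarchy changes alter which ruleset applies to it.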
To examine the Image Assurance default policy:
- Navigate to Workload Protection > Vulnerabilities > Policies.
- Optionally, filter the view by the name of your environment.
- Find your environment association and a link to the default notification.
A notification defines which actions CloudGuard must do when a violation of rules triggers the creation of findings.
The default notification configuration is the Alerts Console. It defines that the findings appear on the CloudGuard portal on Posture Findings or on the Findings page of Vulnerabilities. Check Point recommends always keeping this option selected.
To examine the default Image Assurance notification:
- Navigate to Workload Protection > Vulnerabilities > Policies.
- Click Default Image Assurance notification to review the configuration of Image Assurance findings.
To change the default Image Assurance policy or create a new policy, see Getting Started with Image Assurance Policy.
Image Assurance Assessment
During the Image Assurance Assessment process, CloudGuard analyzes image scan results and creates Image Assurance findings. The Image Assurance findings are created in this process for each violation of the Image Assurance rules.
CloudGuard runs the assessment process automatically when the Image Assurance agents identify an unknown image and scan it. The assessment process also runs automatically when you change Image Assurance rulesets or policies, or when you make OU hierarchy changes that affect the association between the Image Assurance policy and your environment. During these events, the assessment process runs on all images applicable to the affected environment.
To see the Image Assurance assessment history of your account, navigate to Workload Protection > Vulnerabilities > Assessment History.