Image Assurance

CloudGuard Image Assurance analyzes container images for vulnerabilities at each stage of their life cycle to make sure they meet your organizational policies.

The Image Assurance agents continuously check Kubernetes clusters and registries to scan the discovered container images. If an agent identifies an unknown image, it scans and analyzes the image for vulnerabilities, exploits, malware, viruses, trojans, credential leakage, and other malicious threats. In the Kubernetes clusters, only images of the running workloads are scanned.

CloudGuard Workload Protection - Image Assurance

Before you can see Vulnerabilities, you must onboard your Kubernetes cluster or AWS account to CloudGuard. See Onboarding Kubernetes Clusters and Onboarding AWS Environments.

How Image Assurance Works

  • What to scan: Kubernetes clusters
    How to scan: Deploy Image Assurance on the Kubernetes cluster
      Prerequisites: Onboard a Kubernetes cluster

  • What to scan: Container registry
    How to scan: Deploy Image Assurance on a hosting Kubernetes cluster
      Prerequisites: Onboard a Kubernetes cluster
    How to scan: Use a CloudFormation Template to deploy the ECS scanner resources on your AWS account
      Prerequisites: Onboard an AWS account

  • What to scan: AWS ECS tasks container images
    How to scan: Deploy Image Assurance on a hosting Kubernetes node and scan the ECR that hosts container images used in the applicable ECS cluster
      Prerequisites: Onboard a Kubernetes cluster; onboard the related ECR
    How to scan: Use a CloudFormation Template to deploy the ECS scanner resources on your AWS account and scan the ECR that hosts container images used in the applicable ECS cluster
      Prerequisites: Onboard an AWS account; onboard the related ECR

Resources

The Image Assurance scanner uses these resources:

  • ImageScan List - A single-replica Deployment that sends CloudGuard container image lists. The lists are collected from the image-scan-daemon pods and from the connected Container registries.

  • ImageScan Engine - A single-replica Deployment that analyzes and scans container images. The agent sends CloudGuard the necessary information to complete the scan. For more information about the agent's version, see Agent Version Life Cycle.

  • ImageScan Daemon (for Kubernetes images only) - A DaemonSet that provides a list of local images (on each node) and the content of the requested images.

CPU

When the ImageScan Engine pod scans images, it can consume more than one CPU. In a stable state, when new images are only scanned occasionally, the Engine pod consumes very little CPU.

Reducing the CPU requests and limits can have the opposite effect and increase the scan time.

Supported Packages

Image Assurance and the CI/CD tool support these types of packages:

  • Distro package managers (Alpine, Debian, Ubuntu, RHEL, and CentOS)

  • .Net languages (C#, C++, F#, VB)

  • Node.js packages

  • Python packages (requirements.txt)

  • Ruby gems

  • Java artifacts (JAR files)

  • Go packages

Image Assurance on AWS Fargate

Because AWS Fargate is managed by AWS, it does not allow CloudGuard agents to be installed on its nodes. This means that Image Assurance cannot scan images on Fargate nodes.

To obtain this information, CloudGuard shares data from other scanners available on the same account and shows it for Fargate images with this note: "This image is hosted on Fargate node and cannot be scanned/rescanned from the node. Scan results depend on correlation with other scanners (Kubernetes and registry)". If no matching image scans are found for the image, its scan status is Pending Scan, until the image appears in an environment where it can be scanned.

To see the Fargate image status:

  1. Navigate to Assets > Environments and select an environment that contains the Fargate image.

  2. Go to the Images tab. A Fargate image shows the above note in its details, and the Request Rescan option (in the menu) is not available for it.

  3. See the image status in the Scan Status column.
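Two scoping rules above matter when you check coverage: in a cluster only images of running workloads are scanned, and images running only on Fargate nodes depend on correlation with registry or other scans. The following added example (not CloudGuard code) walks a constructed pod list in the shape of `kubectl get pods -A -o json` output and separates images the in-cluster scanner can reach from images that need registry correlation; it assumes EKS marks Fargate pods with the label `eks.amazonaws.com/compute-type=fargate`.

```python
import json

# Constructed sample pod list (not real cluster data), shaped like `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = json.dumps({"items": [
    # Running on a regular node: in scope for the in-cluster scanner.
    {"metadata": {"namespace": "shop", "name": "web-1", "labels": {"app": "web"}},
     "spec": {"nodeName": "ip-10-0-1-10.ec2.internal",
              "containers": [{"image": "registry.example.com/shop/web:1.4.2"}],
              "initContainers": [{"image": "registry.example.com/shop/init:1.0"}]},
     "status": {"phase": "Running"}},
    # Running only on Fargate: no node agent, so it needs registry correlation.
    {"metadata": {"namespace": "shop", "name": "worker-1",
                  "labels": {"app": "worker", "eks.amazonaws.com/compute-type": "fargate"}},
     "spec": {"nodeName": "fargate-ip-10-0-2-20.ec2.internal",
              "containers": [{"image": "registry.example.com/shop/worker:2.0.0"}]},
     "status": {"phase": "Running"}},
    # Same image as web-1 but on Fargate: covered by the node scan of web-1.
    {"metadata": {"namespace": "shop", "name": "web-fg",
                  "labels": {"app": "web", "eks.amazonaws.com/compute-type": "fargate"}},
     "spec": {"nodeName": "fargate-ip-10-0-2-21.ec2.internal",
              "containers": [{"image": "registry.example.com/shop/web:1.4.2"}]},
     "status": {"phase": "Running"}},
    # Completed Job: not a running workload, so out of scope for the cluster scan.
    {"metadata": {"namespace": "shop", "name": "migrate-1", "labels": {}},
     "spec": {"nodeName": "ip-10-0-1-10.ec2.internal",
              "containers": [{"image": "registry.example.com/shop/migrate:0.9"}]},
     "status": {"phase": "Succeeded"}},
]})

# Assumption: EKS sets this label to "fargate" on pods scheduled to Fargate.
FARGATE_LABEL = "eks.amazonaws.com/compute-type"


def classify_running_images(pod_list_json):
    """Split images of Running pods into those a node agent can scan and those
    that run only on Fargate and therefore need registry (or other) correlation."""
    on_node, on_fargate = set(), set()
    for pod in json.loads(pod_list_json)["items"]:
        if pod.get("status", {}).get("phase") != "Running":
            continue  # only running workloads are scanned in the cluster
        labels = pod["metadata"].get("labels") or {}
        spec = pod["spec"]
        # Init containers run on the node too, so their images are in scope.
        images = {c["image"] for c in spec.get("containers", []) + spec.get("initContainers", [])}
        (on_fargate if labels.get(FARGATE_LABEL) == "fargate" else on_node).update(images)
    return {"scannable_in_cluster": sorted(on_node),
            "needs_registry_correlation": sorted(on_fargate - on_node)}
```

Images listed under `needs_registry_correlation` stay in Pending Scan until a registry scan of the same image exists, so onboarding that registry is the practical fix.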

Image Assurance on GKE Clusters

Image Assurance is supported on Google Kubernetes Engine (GKE) with Image Streaming. To scan Kubernetes images in GKE clusters, you need Image Assurance agent v2.30.0 or higher, included in Helm chart v2.30.0 or higher.

Image Streaming is enabled by default in GKE Autopilot clusters. In GKE Standard clusters, you have to enable it explicitly to use Image Assurance.

GKE Supported Versions:

  • GKE version 1.28.9 and higher

  • GKE version 1.28.8 using nodes with images 1.28.8-gke.10950000 and higher
