Scanning images helps prevent CVEs from entering your cluster and helps harden your environment. ARMO Platform can also scan your image registries for vulnerabilities so your images have a smaller risk profile when you pull them into your environment.
Registry scanning is available in the Registry Scanning section.
You can filter CVEs by severity using the severity tiles at the top of the page: click a tile to filter by that severity, and click it again to clear the filter.
You can further filter CVEs by clicking +Add filter. We include a filter for fixable CVEs and for remote code execution (RCE) CVEs. You can also reorder the list of failed workloads by clicking the arrows in the table.
Click an image to view the CVEs that were identified on the image. By default, failed CVEs are ordered by severity. Click the name of the CVE for more information.
If a fix exists, the Fixable column has a Yes, and the Fix in version column has an entry. CVEs are frequently fixed when you upgrade the resource to a later version.
Accepting a risk isn't supported yet for registry scanning.
Registry scanning was tested on the following registries:
- Private GCR
- Official docker registry image
- Public quay.io registries
- Private quay.io registries owned by the user whose username/password is used with the access token auth_method
Registry scanning supports "ips" authentication as well, enabling cloud provider native authentication.
To set up cloud provider authentication, use the following script examples:
- ARMO's registry scanning will scan up to 500 image tags for a single registry.
- The depth is determined by lexical order (the last X tags); a "latest" tag, if present, is always treated as the newest.
- Only registries that support the official /v2/_catalog and /v2/<name>/tags/list APIs with regular docker credentials are supported, unless a different registry type is explicitly set in the "kind" field of the secret.
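The notes above describe which registry endpoints a scan relies on and how the tag depth is chosen. The following is an added example, not ARMO's code, that works through those rules offline: it reads the `/v2/_catalog` and `/v2/<name>/tags/list` response shapes defined by the Docker Registry HTTP API V2, selects the last X tags in lexical order with "latest" always included, and stops at the 500-tag limit for a registry. The fetcher callable, the sample responses, and the assumptions that "latest" counts toward the depth and that the per-registry limit is consumed repository by repository are all constructed for this example.

```python
"""Added example (not ARMO's code): plan which tags of each repository a
registry scan would cover, using the /v2/_catalog and /v2/<name>/tags/list
response shapes from the Docker Registry HTTP API V2 and the depth rule
described on the page. Network access is replaced by a fetcher callable so
the example runs offline against constructed responses."""
import json
from typing import Callable, Dict, List

MAX_TAGS_PER_REGISTRY = 500  # limit stated on the page

# Constructed sample responses standing in for a private registry.
SAMPLE_RESPONSES: Dict[str, str] = {
    "/v2/": "{}",
    "/v2/_catalog": json.dumps({"repositories": ["app/api", "app/worker"]}),
    "/v2/app/api/tags/list": json.dumps(
        {"name": "app/api", "tags": ["1.0.0", "1.0.1", "1.1.0", "latest", "0.9.9"]}),
    "/v2/app/worker/tags/list": json.dumps(
        {"name": "app/worker", "tags": ["2024.01", "2024.03", "2024.02"]}),
}

Fetcher = Callable[[str], str]


def sample_fetch(path: str) -> str:
    """Stand-in for an authenticated HTTP GET against the registry (constructed)."""
    try:
        return SAMPLE_RESPONSES[path]
    except KeyError:
        raise RuntimeError(f"registry does not serve {path}") from None


def list_repositories(fetch: Fetcher) -> List[str]:
    """Return the repositories from /v2/_catalog.

    A registry that does not answer /v2/ or /v2/_catalog is not a plain
    v2 registry and cannot be scanned with regular docker credentials."""
    fetch("/v2/")
    return list(json.loads(fetch("/v2/_catalog"))["repositories"])


def list_tags(fetch: Fetcher, repo: str) -> List[str]:
    """Return the tags of one repository from /v2/<name>/tags/list.

    The API returns "tags": null for a repository with no tags, so an
    absent or null value is treated as an empty list."""
    body = json.loads(fetch(f"/v2/{repo}/tags/list"))
    return list(body.get("tags") or [])


def select_tags(tags: List[str], depth: int) -> List[str]:
    """Pick the tags a scan of the given depth would cover, newest first.

    Assumption: depth means the last `depth` tags in lexical order, and a
    "latest" tag is always included and counts toward that depth."""
    if depth < 1:
        raise ValueError("depth must be at least 1")
    has_latest = "latest" in tags
    others = sorted(t for t in tags if t != "latest")
    remaining = depth - 1 if has_latest else depth
    chosen = others[-remaining:] if remaining > 0 else []  # guard: others[-0:] is the whole list
    chosen.reverse()
    return (["latest"] if has_latest else []) + chosen


def plan_scan(fetch: Fetcher, depth: int,
              max_tags: int = MAX_TAGS_PER_REGISTRY) -> Dict[str, List[str]]:
    """Map each repository to the tags that would be scanned, honouring the
    per-registry tag limit (assumed to be consumed repository by repository)."""
    plan: Dict[str, List[str]] = {}
    budget = max_tags
    for repo in list_repositories(fetch):
        if budget <= 0:
            break
        chosen = select_tags(list_tags(fetch, repo), depth)[:budget]
        if chosen:
            plan[repo] = chosen
            budget -= len(chosen)
    return plan


if __name__ == "__main__":
    for repo, tags in plan_scan(sample_fetch, depth=3).items():
        print(f"{repo}: {tags}")
```

Running the block prints, for the constructed registry, `app/api: ['latest', '1.1.0', '1.0.1']` and `app/worker: ['2024.03', '2024.02', '2024.01']`. Replacing `sample_fetch` with a real authenticated GET is the only change needed to run the same selection against a live registry, and a registry that does not serve `/v2/_catalog` fails at `list_repositories` rather than silently scanning nothing.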