Registry Scanning

Scanning images helps prevent CVEs from entering your cluster and helps harden your environment. ARMO Platform can also scan your image registries for vulnerabilities so your images have a smaller risk profile when you pull them into your environment.

Registry scanning is available in the Registry Scanning section.

Filter CVEs

You can filter CVEs by severity using the severity tiles at the top of the page. Click a tile to apply its filter, and click the tile again to clear the filter.

You can further filter CVEs by clicking +Add filter. We include a filter for fixable CVEs and for remote code execution (RCE) CVEs. You can also reorder the list of failed workloads by clicking the arrows in the table.

View failed images

Click an image to view the CVEs that were identified on the image. By default, failed CVEs are ordered by severity. Click the name of the CVE for more information.

If a fix exists, the Fixable column shows Yes, and the Fix in version column has an entry. CVEs are frequently fixed when you upgrade the resource to a later version.

Accepting a Risk

Accepting a risk isn't supported yet for registry scanning.

Tested on

Registry scanning was tested on the following registries:

Walkthrough: How to grant permissions for my ECR/GCR Image registry?

Registry scanning also supports "ips" authentication, which enables cloud provider native authentication.
To set cloud provider authentication, use the following script examples:

Known limitations

  • ARMO's registry scanning will scan up to 500 image tags for a single registry.
  • The depth is calculated by lexical order (the last X tags; "latest" is always considered the latest if it exists).
  • Only registries that support the official /v2/_catalog and /v2/<name>/tags/list APIs with regular docker credentials are supported, unless explicitly mentioned in the "kind" field in the secret.
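
The following added example (not ARMO's code) shows how the limitations above affect which tags are scanned: it parses constructed /v2/_catalog and /v2/<name>/tags/list response bodies, orders tags lexically with "latest" treated as newest, and keeps the last X tags per repository up to the 500-tag limit. The function names, the sample repositories, and the way the 500-tag cap is spread across repositories are assumptions made for illustration.

```python
import json

MAX_TAGS_PER_REGISTRY = 500  # limit stated in "Known limitations"

# Constructed sample bodies in the /v2/_catalog and /v2/<name>/tags/list shape.
CATALOG_BODY = '{"repositories": ["team/api", "team/worker"]}'
TAGS_BODIES = {
    "team/api": '{"name": "team/api", "tags": ["v1.2", "v1.10", "latest", "v1.9"]}',
    "team/worker": '{"name": "team/worker", "tags": null}',
}


def order_tags(tags):
    """Sort tags oldest-to-newest lexically, forcing "latest" to be newest."""
    ordered = sorted(t for t in tags if t != "latest")
    if "latest" in tags:
        ordered.append("latest")
    return ordered


def select_tags(tags_body, depth):
    """Return the last `depth` tags from one tags/list response body."""
    tags = json.loads(tags_body).get("tags") or []  # tolerate null or missing list
    if depth <= 0:
        return []
    return order_tags(tags)[-depth:]


def plan_scan(catalog_body, tags_bodies, depth, cap=MAX_TAGS_PER_REGISTRY):
    """List (repository, tag) pairs to scan, newest first, up to `cap`.

    Assumption: the cap is consumed repository by repository in catalog order.
    """
    plan = []
    for repo in json.loads(catalog_body).get("repositories", []):
        for tag in reversed(select_tags(tags_bodies[repo], depth)):
            if len(plan) >= cap:
                return plan
            plan.append((repo, tag))
    return plan


if __name__ == "__main__":
    # Lexical order places "v1.10" before "v1.2", so a depth of 3 skips it.
    print(select_tags(TAGS_BODIES["team/api"], 3))
    print(plan_scan(CATALOG_BODY, TAGS_BODIES, depth=2))
```

Because the order is lexical and not semantic-version aware, a tag such as v1.10 sorts before v1.2 and can fall outside the scanned depth even when it is the newest release.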