Use the Security scan integrated service to automatically check the images used in your pods before they are deployed. That way you can prevent deploying pods that contain known security vulnerabilities, based on the Common Vulnerabilities and Exposures (CVE) database. Read a more detailed overview.

Limitations

  • By default, the security scan integrated service uses a public installation of the Anchore engine, and updates its CVE database every 4 hours. If you want to have more frequent database updates, you have to use your own local or external Anchore installation.
  • Pods that are already running when the Security scan integrated service is activated are not scanned. You can manually start a scan for a specific image, but there is no automatic notification of its result. If you want to receive notifications, you have to use your own Anchore installation. Contact us for details.
  • To scan private image registries, you have to use your own Anchore installation. Contact us for details.
  • To avoid halting the cluster in case of a problem, the kube-system and pipeline-system namespaces are not scanned.
  • The Anchore engine (or the Ingress that terminates incoming connections for the Anchore engine) must have a valid TLS certificate, otherwise the image scans will fail.

Configure security scan

  1. Navigate to Cluster Management, then the cluster you want to configure. A sidebar opens.

  2. In the sidebar, click Security scan.

  3. To use an existing external Anchore engine, select Use external Anchore engine and specify the URL and the secret used to access the engine.

  4. Select the security policy you want to use in the Settings > Policy field.

    • Allow all and warn bundle: This policy is the most permissive. Any image can be deployed, but you receive feedback about every deployed image.
    • Reject critical bundle: Reject images that contain vulnerabilities with a Critical CVSS severity rating.
    • Reject high bundle: Reject images that contain vulnerabilities with a High CVSS severity rating.
    • Block root bundle: Prevent deploying images that contain apps running with root privileges.
    • Deny all images: Reject every image except the ones explicitly permitted by a whitelist.
  5. Specify which namespaces should be scanned. By default, the scanning policy applies to every namespace (except the kube-system and pipeline-system namespaces, which cannot be scanned).

    • To specify the list of namespaces to scan, select Webhook settings > Type > Include, and select the namespaces to scan from the Namespaces field.
    • To specify a list of namespaces to exclude from the scan, and scan every other namespace, select Webhook settings > Type > Exclude, and select the namespaces that should not be scanned from the Namespaces field.
  6. Click ACTIVATE or SAVE ALL CHANGES.
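The bundles selectable in step 4 are Anchore policies. As an added example, not the service's own bundle definitions (which this page does not list), the JSON below expresses a Reject critical plus Block root policy in the Anchore Engine policy bundle format; the bundle, policy and rule ids, the names and the catch-all mapping are assumptions.

```json
{
  "id": "example-bundle",
  "name": "Reject critical CVEs and root users",
  "comment": "Illustrative bundle, not the service's built-in one; ids and names are assumed",
  "version": "1_0",
  "policies": [
    {
      "id": "example-policy",
      "name": "stop on critical CVEs, stop on root user",
      "version": "1_0",
      "rules": [
        {
          "id": "rule-critical",
          "gate": "vulnerabilities",
          "trigger": "package",
          "action": "stop",
          "params": [
            {"name": "package_type", "value": "all"},
            {"name": "severity_comparison", "value": ">="},
            {"name": "severity", "value": "critical"}
          ]
        },
        {
          "id": "rule-root",
          "gate": "dockerfile",
          "trigger": "effective_user",
          "action": "stop",
          "params": [
            {"name": "users", "value": "root"},
            {"name": "type", "value": "blacklist"}
          ]
        }
      ]
    }
  ],
  "whitelists": [],
  "mappings": [
    {
      "id": "all-images", "name": "all images",
      "registry": "*", "repository": "*",
      "image": {"type": "tag", "value": "*"},
      "policy_id": "example-policy", "whitelist_ids": []
    }
  ]
}
```

Changing the severity parameter to high (keeping the >= comparison) gives the equivalent of the Reject high bundle, since it then also matches critical findings; an image that triggers any stop rule fails the evaluation and its pod is not admitted.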

Scan an already running image

To run a security scan on an image that is already running in a pod:

  1. Click Security Scan in the left sidebar menu.
  2. Select the cluster where the image is used from the Cluster field.
  3. Find the image you want to scan. Use the Search field to quickly find the image.
  4. Click Security Scan > Image scan to start the scan. Note that scanning the image can take several minutes, depending on the size of the image and the load of the scanning engine.
  5. Click the name of the image to display the results.

Display scan results of an image

To display the security status of an image:

  1. Click Security Scan in the left sidebar menu.
  2. Select the cluster where the image is used from the Cluster field.
  3. Find the image whose results you want to display. Use the Search field to quickly find the image.
  4. Click the name of the image. The result of the security scan is displayed on the right.
  5. If the image contains known security vulnerabilities, click This image has vulnerabilities to display the detailed results.

Whitelist images

If you want to use a strict policy but whitelist selected images (for example, use the BlockRoot policy but still permit the admission of an image even though it uses root privileges), you must create a custom resource and submit it to Kubernetes. For details, see Whitelist images.