Chapter 7. Container Image Scanning
7.1. Configuring Image Scanning
Red Hat CloudForms manages vulnerability scanning of container images. When an OpenShift provider is added, OpenShift images from the internal registry are discovered. To enable image scanning, perform the following configuration steps:
- Navigate to Compute → Containers → Providers.
- Select the checkboxes of the OpenShift providers on which to enable scanning.
- From the Policy pull-down menu, click Manage Policies.
- Select the OpenSCAP profile checkbox.
- Click Save.
This action will trigger a SmartState analysis, or scan, of all images referenced by the OpenShift provider. The initial scan may take several hours to complete, depending on the number and size of images. OpenShift limits the number of scanning pods. Only three images can be scanned simultaneously.
7.2. Scheduling A Recurring Scan
Software vulnerability databases are updated frequently. To apply these updates, a rescan is required. To schedule a recurring scan of container images:
- From the settings menu, select Configuration.
- From Settings → Zones in the left pane of the appliance, select Schedules.
- From the drop-down menu, click Configuration → Add a new Schedule.
- Type an arbitrary Name.
- Type an arbitrary Description.
- Ensure the Active checkbox is selected.
- In Action, select Container Image Analysis.
- In Filter, select All Container Images for Containers Provider, OpenShift.
- In Run, set the schedule as desired.
- Set the Time Zone, Starting Date, and Starting Time.
- Click Add.
7.3. Working with Images
7.3.1. Viewing Results
Image scanning results are displayed in each image summary page.
- Select Compute → Containers → Container Images.
- Click the desired image.
For an OpenSCAP HTML report, locate the Configuration section and select OpenSCAP HTML.
For compliance and scanning history information, locate the Compliance section and note the Status field or select Available from the History field.
7.3.2. Manual Scanning
SmartState analysis scanning may be initiated manually for images. From an image summary page, select Configuration → Perform SmartState Analysis. Refreshing the image page will reflect the latest scan results and compliance history.
7.3.3. Evaluating Compliance
If the image scan policy has been updated since the last scan, compliance conditions may be re-evaluated. From an image summary page, select Policy → Check Compliance of Last Known Configuration. Refreshing the image page will reflect the latest compliance history.
7.4. OpenSCAP Policy Profile
Red Hat CloudForms is pre-configured with a default scanning policy profile. This includes conditions to scan and identify compliance, as well as annotate compliance failure. SmartState analysis is performed when new images are added to OpenShift.
7.4.1. Customizing the Scanning Policy Profile
The default OpenSCAP policy profile cannot be edited. To customize scanning policy, copy the default profile as a starting point and edit.
- Navigate to Control → Explorer.
- Select Policy Profiles → All Policy Profiles → OpenSCAP Profile.
- Select Configuration → Copy this Policy Profile.
The copied profile can be edited as required. Be sure to assign the customized profile to the OpenShift provider.
7.5. Controlling OpenShift Pod Execution
Through the default policy profile, non-compliant images receive the control policy action Mark as Non-Compliant. This action annotates the image object (not to be confused with the imagestream object) with images.openshift.io/deny-execution=true. This annotation may be used to prevent nodes from running non-compliant images. Refer to OpenShift Image Policy documentation for configuration details.
More information about OpenSCAP, see visit the OpenSCAP web site.