Chapter 7. Container Image Scanning

7.1. Configuring Image Scanning

Red Hat CloudForms manages vulnerability scanning of container images. When an OpenShift provider is added, OpenShift images from the internal registry are discovered. To enable image scanning, perform the following configuration steps:

  1. Navigate to ComputeContainersProviders.
  2. Select the checkboxes of the OpenShift providers on which to enable scanning.
  3. From the Policy pull-down menu, click Manage Policies.
  4. Select the OpenSCAP profile checkbox.
  5. Click Save.

This action will trigger a SmartState analysis, or scan, of all images referenced by the OpenShift provider. The initial scan may take several hours to complete, depending on the number and size of images. OpenShift limits the number of scanning pods. Only three images can be scanned simultaneously.

7.2. Scheduling A Recurring Scan

Software vulnerability databases are updated frequently. To apply these updates, a rescan is required. To schedule a recurring scan of container images:

schedule openscap scan
  1. From the settings menu, select Configuration.
  2. From SettingsZones in the left pane of the appliance, select Schedules.
  3. From the drop-down menu, click ConfigurationAdd a new Schedule.
  4. Type an arbitrary Name.
  5. Type an arbitrary Description.
  6. Ensure the Active checkbox is selected.
  7. In Action, select Container Image Analysis.
  8. In Filter, select All Container Images for Containers Provider, OpenShift.
  9. In Run, set the schedule as desired.
  10. Set the Time Zone, Starting Date, and Starting Time.
  11. Click Add.

7.3. Working with Images

7.3.1. Viewing Results

Image scanning results are displayed in each image summary page.

  1. Select ComputeContainersContainer Images.
  2. Click the desired image.

For an OpenSCAP HTML report, locate the Configuration section and select OpenSCAP HTML.

container configuration

For compliance and scanning history information, locate the Compliance section and note the Status field or select Available from the History field.

container scan history

7.3.2. Manual Scanning

SmartState analysis scanning may be initiated manually for images. From an image summary page, select ConfigurationPerform SmartState Analysis. Refreshing the image page will reflect the latest scan results and compliance history.

7.3.3. Evaluating Compliance

If the image scan policy has been updated since the last scan, compliance conditions may be re-evaluated. From an image summary page, select PolicyCheck Compliance of Last Known Configuration. Refreshing the image page will reflect the latest compliance history.

7.4. OpenSCAP Policy Profile

Red Hat CloudForms is pre-configured with a default scanning policy profile. This includes conditions to scan and identify compliance, as well as annotate compliance failure. SmartState analysis is performed when new images are added to OpenShift.

7.4.1. Customizing the Scanning Policy Profile

The default OpenSCAP policy profile cannot be edited. To customize scanning policy, copy the default profile as a starting point and edit.

  1. Navigate to ControlExplorer.
  2. Select Policy ProfilesAll Policy ProfilesOpenSCAP Profile.
  3. Select ConfigurationCopy this Policy Profile.

The copied profile can be edited as required. Be sure to assign the customized profile to the OpenShift provider.

7.5. Controlling OpenShift Pod Execution

Through the default policy profile, non-compliant images receive the control policy action Mark as Non-Compliant. This action annotates the image object (not to be confused with the imagestream object) with images.openshift.io/deny-execution=true. This annotation may be used to prevent nodes from running non-compliant images. Refer to OpenShift Image Policy documentation for configuration details.

7.6. Reference

More information about OpenSCAP, see visit the OpenSCAP web site.