Chapter 7. Container Image Scanning

7.1. Configuring Image Scanning

Red Hat CloudForms manages vulnerability scanning of container images. When an OpenShift provider is added, OpenShift images from the internal registry are discovered. To enable image scanning, perform the following configuration steps:

  1. Navigate to ComputeContainersProviders.
  2. Select the checkboxes of the OpenShift providers on which to enable scanning.
  3. From the Policy pull-down menu, click Manage Policies.
  4. Select the OpenSCAP profile checkbox.
  5. Click Save.

This action will trigger a SmartState analysis, or scan, of all images referenced by the OpenShift provider. The initial scan may take several hours to complete, depending on the number and size of images. The scan occurs in the OpenShift provider, which CloudForms receives and records in the database. OpenShift limits the number of scanning pods; only three images can be scanned simultaneously.

7.2. Scheduling A Recurring Scan

Software vulnerability databases are updated frequently. To apply these updates, a rescan is required. To schedule a recurring scan of container images:

schedule openscap scan
  1. From the settings menu, select Configuration.
  2. From SettingsZones in the left pane of the appliance, select Schedules.
  3. From the drop-down menu, click ConfigurationAdd a new Schedule.
  4. Type an arbitrary Name.
  5. Type an arbitrary Description.
  6. Ensure the Active checkbox is selected.
  7. In Action, select Container Image Analysis.
  8. In Filter, select All Container Images for Containers Provider, OpenShift.
  9. In Run, set the schedule as desired.
  10. Set the Time Zone, Starting Date, and Starting Time.
  11. Click Add.

7.3. Working with Images

7.3.1. Viewing Results

Image scanning results are displayed in each image summary page.

  1. Select ComputeContainersContainer Images.
  2. Click the desired image.

For an OpenSCAP HTML report, locate the Configuration section and select OpenSCAP HTML.

container configuration

For compliance and scanning history information, locate the Compliance section and note the Status field or select Available from the History field.

container scan history

7.3.2. Manual Scanning

SmartState analysis scanning may be initiated manually for images. From an image summary page, select ConfigurationPerform SmartState Analysis. Refreshing the image page will reflect the latest scan results and compliance history.

7.3.3. Evaluating Compliance

If the image scan policy has been updated since the last scan, compliance conditions may be re-evaluated. From an image summary page, select PolicyCheck Compliance of Last Known Configuration. Refreshing the image page will reflect the latest compliance history.

7.3.4. Generating a Report on Images

You can output the results of an OpenSCAP scan of images to a report for an overview of the security risk level of images. The Images by Failed OpenSCAP Rule Results is included with CloudForms and shows whether the image has passed or failed OpenSCAP policy criteria, and the security risk.

Note

You can also create a copy of this report and edit it to contain additional information, such as the project name where the image is used, to produce more useful results. See Editing a Report and See Reportable Fields in Red Hat CloudForms in Monitoring, Alerts, and Reporting for instructions on customizing reports.

To create a report showing image compliance:

  1. Navigate to Cloud IntelligenceReports.
  2. Click the ReportsAll Reports accordion.
  3. Navigate to Configuration ManagementContainersImages by Failed OpenSCAP Rule Results for a report showing which images have failed the OpenSCAP compliance.
  4. Click play arrow Queue.

  5. The report generation is placed in the queue and its status shows in the reports page.

    failedimagescan

  6. Click reload (Reload current display) to update the status.
  7. Navigate to the Saved Reports accordion, and click the report when it is completed.

  8. Click on the report download buttons for the type of export you want.

    • Click textImage (Download this report in text format) to download as text.
    • Click textImage (Download this report in csv format) to download as a comma-separated file.
    • Click 2134 (Download this report in PDF format) to download as PDF.
    • The report is automatically named with the type of report and date.

7.4. OpenSCAP Policy Profile

Red Hat CloudForms is pre-configured with a default scanning policy profile. This includes conditions to scan and identify compliance, as well as annotate compliance failure. SmartState analysis is performed when new images are added to OpenShift.

7.4.1. Customizing the Scanning Policy Profile

The default OpenSCAP policy profile cannot be edited. To customize scanning policy, copy the default profile as a starting point and edit.

  1. Navigate to ControlExplorer.
  2. Select Policy ProfilesAll Policy ProfilesOpenSCAP Profile.
  3. Select ConfigurationCopy this Policy Profile.

The copied profile can be edited as required. Be sure to assign the customized profile to the OpenShift provider.

7.5. Controlling OpenShift Pod Execution

Through the default policy profile, non-compliant images receive the control policy action Mark as Non-Compliant. This action annotates the image object (not to be confused with the imagestream object) with images.openshift.io/deny-execution=true. This annotation may be used to prevent nodes from running non-compliant images. Refer to the OpenShift Container Platform Image Policy documentation for configuration details.

7.6. Reference

More information about OpenSCAP, see visit the OpenSCAP web site.