Chapter 7. Container Image Scanning
7.1. Configuring Image Scanning
Red Hat CloudForms manages vulnerability scanning of container images. When an OpenShift provider is added, OpenShift images from the internal registry are discovered. To enable image scanning, perform the following configuration steps:
- Navigate to Compute → Containers → Providers.
- Select the checkboxes of the OpenShift providers on which to enable scanning.
- From the Policy pull-down menu, click Manage Policies.
- Select the OpenSCAP profile checkbox.
- Click Save.
This action will trigger a SmartState analysis, or scan, of all images referenced by the OpenShift provider. The initial scan may take several hours to complete, depending on the number and size of images. The scan occurs in the OpenShift provider, which CloudForms receives and records in the database. OpenShift limits the number of scanning pods; only three images can be scanned simultaneously.
7.2. Scheduling A Recurring Scan
Software vulnerability databases are updated frequently. To apply these updates, a rescan is required. To schedule a recurring scan of container images:
- Click (Configuration).
- From Settings → Zones in the left pane of the appliance, select Schedules.
- From the drop-down menu, click Configuration → Add a new Schedule.
- Type an arbitrary Name.
- Type an arbitrary Description.
- Ensure the Active checkbox is selected.
- In Action, select Container Image Analysis.
- In Filter, select All Container Images for Containers Provider, OpenShift.
- In Run, set the schedule as desired.
- Set the Time Zone, Starting Date, and Starting Time.
- Click Add.
7.3. Working with Images
7.3.1. Viewing Results
Image scanning results are displayed in each image summary page.
- Select Compute → Containers → Container Images.
- Click the desired image.
For an OpenSCAP HTML report, locate the Configuration section and select OpenSCAP HTML.
For compliance and scanning history information, locate the Compliance section and note the Status field or select Available from the History field.
7.3.2. Manual Scanning
SmartState analysis scanning may be initiated manually for images. From an image summary page, select Configuration → Perform SmartState Analysis. Refreshing the image page will reflect the latest scan results and compliance history.
7.3.3. Evaluating Compliance
If the image scan policy has been updated since the last scan, compliance conditions may be re-evaluated. From an image summary page, select Policy → Check Compliance of Last Known Configuration. Refreshing the image page will reflect the latest compliance history.
7.3.4. Generating a Report on Images
You can output the results of an OpenSCAP scan of images to a report for an overview of the security risk level of images. The Images by Failed OpenSCAP Rule Results is included with CloudForms and shows whether the image has passed or failed OpenSCAP policy criteria, and the security risk.
You can also create a copy of this report and edit it to contain additional information, such as the project name where the image is used, to produce more useful results. See Editing a Report and See Reportable Fields in Red Hat CloudForms in Monitoring, Alerts, and Reporting for instructions on customizing reports.
To create a report showing image compliance:
- Navigate to Overview → Reports.
- Click the Reports → All Reports accordion.
- Navigate to Configuration Management → Containers → Images by Failed OpenSCAP Rule Results for a report showing which images have failed the OpenSCAP compliance.
- Click Queue.
The report generation is placed in the queue and its status shows in the reports page.
- Click (Refresh this page) to update the status.
- Navigate to the Saved Reports accordion, and click the report when it is completed.
Click on the report download buttons for the type of export you want. The report is automatically named with the type of report and date.
- Click (Download this report in text format) to download as text.
- Click (Download this report in CSV format) to download as a comma-separated file.
- Click (Download this report in PDF format) to download as PDF.
7.4. OpenSCAP Policy Profile
Red Hat CloudForms is pre-configured with a default scanning policy profile. This includes conditions to scan and identify compliance, as well as annotate compliance failure. SmartState analysis is performed when new images are added to OpenShift.
7.4.1. Customizing the Scanning Policy Profile
The built-in OpenSCAP policy profile cannot be edited. You can, however, assign edited copies of its policies to a new policy profile. This will allow you to create a customized version of the built-in OpenSCAP policy profile.
To do so, you will first have to copy the policy you want to customize:
- Navigate to Control → Explorer.
- Click the Policies accordion, and select Container Image Compliance Policies, then click OpenSCAP.
- Click (Configuration), and an option to copy the policy should appear; for example, (Copy this Container Image Policy).
- Click OK to confirm.
The new policy is created with a prefix of Copy of in its description, and it can be viewed in the Policies accordion.
You can now edit the copied policy. After editing copied policies, you can add them to a new policy profile. For instructions on how to edit policies, create a new policy profile, and add policies to it, see the Policies and Profiles guide. Once you have a customized policy profile, you can assign it to a containers provider.
7.5. Controlling OpenShift Pod Execution
Through the default policy profile, non-compliant images receive the control policy action Mark as Non-Compliant. This action annotates the image object (not to be confused with the imagestream object) with images.openshift.io/deny-execution=true. This annotation may be used to prevent nodes from running non-compliant images. Refer to the OpenShift Container Platform Image Policy documentation for configuration details.
More information about OpenSCAP, see visit the OpenSCAP web site.