Unable to Scan Image in Prisma Cloud with Error "failed to augment data: cannot perform image scanning for container that ran chroot to another folder"

• Unable to Scan Image in Prisma Cloud with Error "failed to augment data: cannot perform image scanning for container that ran chroot to another folder"

• Prisma Cloud
• CRI-O/containerd environments

• This chroot issue occurs as this specific container mounts the host filesystem root (see below) and perform chroot (changed the root of its filesystem).

{
"Source": "/",
"Destination": "/rootfs",
"Shared": false,
"Readonly": false
}

• In such cases, there is no way to to scan the actual image filesystem, as it basically appears as it is running directly on the host.
• This error message is due to a limitation in the CRI-O image scanning by design.
• In CRI-O/containerd environments, images of running containers are scanned by looking up the container root via /proc/<container pid>/root.
• In chrooted containers, /proc/<container pid>/root doesn’t point to the original root of the image, so the scan would be partial/incorrect.
• Instead of proceeding with incorrect data, the Defender issues this Error Message.
• In order to get accurate visibility into vulnerabilities that exist for this image, registry scanning would provide accurate results.

• To scan such containers, there is an existing Feature Request, TP-I-1044. Please check in with your Customer Success Manager or Solutions Architect for an update. 

• For Docker there is no such limitation as Docker and CRI-O Image Scanning Implementation work differently.