Does the Defender Scan and Report Vulnerabilities for Images with running Containers to the Prisma Cloud Console?
14080
Created On 05/19/22 04:31 AM - Last Modified 05/23/22 04:26 AM
Question
- Does the Defender Scan and Report Vulnerabilities for Images with running Containers to the Prisma Cloud Console?
Environment
- Prisma Cloud
Answer
- In the Prisma Cloud Compute Console, go to Manage > System > Scan.
- The option 'Only scan images with running containers' can be toggled to suit your requirement.
- With this option enabled, Prisma Cloud reduces resource usage by scanning only images that back at least one running container.
- To scan every image present on the host and get a CVE report for each of them, disable this option.
- If you only want to scan and report on images that have one or more running containers, enable this option.
Note:
- This option does NOT apply to registry scanning; all images targeted by your registry scanning rule will be scanned regardless of how 'Only scan images with running containers' is set.
- If you suspect that a particular image is not being scanned by the Prisma Cloud Defender, check whether this option is enabled while no container from that image is running; a cached but unused image is skipped in that state.
Example
- Consider the following example.
- 'Only scan images with running containers' is disabled and the configuration is saved.
- A manual scan is initiated and, after it completes, the page is refreshed.
- Once refreshed, we see scan results for all images (with and without running containers).
- Clicking on one of the images with no running containers confirms this.
- Going to Monitor > Vulnerabilities > Vulnerability Explorer and clicking on one of the CVEs (CVE-2021-38297 in this example) lists the images affected by that CVE.
- As observed, both images with and without running containers are shown.
- Next, we enable 'Only scan images with running containers' and save the configuration.
- After another manual scan and refresh, only scan results for images with running containers are reported.
- This can be confirmed in the image details of an image that has running containers.
- Now the same CVE-2021-38297 lists only images with running containers.
Additional Information
Kubernetes Environment
- Whenever a pod is scheduled, if its image does not already exist on the assigned node, the image is pulled to that node.
- When the pod is removed from the node, the image is not deleted; it remains cached on the node's disk.
- Keeping the image cached saves the time and bandwidth of pulling it again on every redeployment.
- Deletion of unused images is controlled by the kubelet (the Kubernetes worker process that runs on each node) through its garbage collection of unused containers and images; see the Kubernetes documentation on 'Garbage Collection'.
- In such a scenario, if you see image scan results (and vulnerabilities) for images that no longer have running containers, it is because 'Only scan images with running containers' is disabled and the Defender is scanning the cached images.
- Keep in mind that external garbage collection tools should be avoided, as they can interfere with the kubelet's behaviour and remove containers that should exist.
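As an added illustration of the two points above (checking whether a suspect image backs a running container, and seeing which cached images the option excludes), the following script is not Prisma Cloud's or Kubernetes' own tooling. It takes a list of images cached on a node and a list of images backing containers, and prints the cached images with no running container, i.e. the ones the Defender skips when 'Only scan images with running containers' is enabled and still reports when it is disabled. The `kubectl` jsonpath invocations in the comments are assumed ways of producing those two lists (note that `containerStatuses` also includes waiting and terminated containers, so filter further if you need strictly running ones); the image names are constructed sample data, not taken from a real cluster.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling.
#
# In a live cluster the two input files would come from commands like these
# (assumed invocations, adjust to your cluster):
#   kubectl get nodes -o jsonpath='{.items[*].status.images[*].names[*]}' \
#       | tr ' ' '\n' | sort -u > node_images.txt
#   kubectl get pods -A -o jsonpath='{.items[*].status.containerStatuses[*].image}' \
#       | tr ' ' '\n' | sort -u > running_images.txt

# unused_images NODE_IMAGES_FILE RUNNING_IMAGES_FILE
# Prints every image (one per line, sorted, de-duplicated) that appears in the
# first file but not in the second: cached images with no running container.
unused_images() {
    node_sorted=$(mktemp)
    sort -u "$1" > "$node_sorted"
    # -F fixed strings, -x whole-line match, -v invert, -f patterns from file.
    # An empty running list means every cached image is unused; grep's "no match"
    # exit status is not an error in this context, hence the "|| :".
    if [ -s "$2" ]; then
        grep -vxFf "$2" "$node_sorted" || :
    else
        cat "$node_sorted"
    fi
    rm -f "$node_sorted"
}

# image_has_running_container IMAGE RUNNING_IMAGES_FILE
# Exit status 0 if IMAGE backs at least one running container, 1 otherwise.
# This is the check to run when an image seems to be missing from scan results.
image_has_running_container() {
    grep -qxF -- "$1" "$2"
}

# Constructed sample data (not from a real cluster). nginx appears twice in the
# node list to show that duplicates are collapsed.
NODE_IMAGES=$(mktemp)
RUNNING_IMAGES=$(mktemp)
cat > "$NODE_IMAGES" <<'EOF'
docker.io/library/nginx:1.25
registry.internal/app/api:2.3.1
docker.io/library/redis:7
registry.internal/app/api:2.2.0
docker.io/library/nginx:1.25
EOF
cat > "$RUNNING_IMAGES" <<'EOF'
docker.io/library/nginx:1.25
registry.internal/app/api:2.3.1
EOF

echo "Cached images with no running container (skipped when the option is enabled):"
unused_images "$NODE_IMAGES" "$RUNNING_IMAGES"

if image_has_running_container docker.io/library/redis:7 "$RUNNING_IMAGES"; then
    echo "redis:7 has a running container and will be scanned either way"
else
    echo "redis:7 has no running container: scanned only if the option is disabled"
fi
```

With the sample data the script lists `docker.io/library/redis:7` and `registry.internal/app/api:2.2.0` as cached-but-unused; those are exactly the images that disappear from the Console after the option is enabled and a rescan runs, and they will keep being reported until the kubelet's image garbage collection removes them from the node.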
- By default, Prisma Cloud automatically scans images for vulnerabilities every 24 hours.
- The scan interval is configurable under Manage > System > Scan in the Compute Console.
For more information, refer to the following: