Image security

See all your Kubernetes cluster images and their vulnerabilities in one place.

This report allows you to easily identify the container images that are currently running in your cluster and the vulnerabilities they may expose. It provides a comprehensive view of any vulnerabilities that may have been introduced, regardless of how the image was added to your cluster. This includes images added through individual image registries, third-party Helm charts, and any other sources, thereby minimizing blind spots.

Note

This feature requires CAST AI Security to be enabled. Refer to the Getting started section to enable the Image Security feature.

What's inside

The Image security report can be accessed from the top left corner of the page: Org security > Image security.

After opening the page, you will see a list of images an organization uses in its clusters and statistics related to the list.

To narrow the list to the images you want, use the filter located above it. The filter can be applied by image location, such as cluster or namespace, or by resource labels. Once a filter is applied, the statistics view is updated to reflect the selected scope.

Note

If all nodes are managed by the CAST AI cluster controller, no additional action is needed to view a complete list of images running on your clusters. Otherwise, you need to enable the Private images scanning functionality.

Image repositories list

The image repositories list is a list of images an organization uses in its clusters. The images are grouped into repositories based on their name. Each repository contains all the images that share the same name but have different tags and/or digests.

The view displays vulnerability details, the number of clusters and running resources where the image is found, and the tag of the latest scanned image.
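The grouping described above depends on splitting an image reference into its repository, tag and digest. The following is an added example, not CAST AI code, that parses references of the form name[:tag][@digest] and groups a constructed list of running images by repository. It applies the Docker Hub normalization convention (a bare name such as nginx resolves to docker.io/library/nginx), so two spellings of the same repository land in one group; the sample references are constructed for illustration.

```python
"""Group container image references by repository (added example, constructed input)."""
from collections import defaultdict
from typing import NamedTuple, Optional


class ImageRef(NamedTuple):
    repository: str          # registry + path, e.g. "docker.io/library/nginx"
    tag: Optional[str]       # e.g. "1.25"; None when the reference carries no tag
    digest: Optional[str]    # e.g. "sha256:..."; None when not pinned by digest


def normalize_repository(name: str) -> str:
    """Apply Docker Hub defaults: no registry -> docker.io, no namespace -> library.
    A first path component is a registry only if it contains '.' or ':' or is localhost."""
    parts = name.split("/")
    first = parts[0]
    is_registry = "." in first or ":" in first or first == "localhost"
    if not is_registry:
        parts.insert(0, "docker.io")
    if parts[0] == "docker.io" and len(parts) == 2:
        parts.insert(1, "library")
    return "/".join(parts)


def parse_image_ref(ref: str) -> ImageRef:
    """Split name[:tag][@digest]. A ':' marks a tag only when no '/' follows it,
    so a registry port such as localhost:5000/app stays inside the repository."""
    name, digest = ref, None
    if "@" in ref:
        name, digest = ref.split("@", 1)
    tag = None
    colon = name.rfind(":")
    if colon != -1 and "/" not in name[colon:]:
        tag = name[colon + 1:]
        name = name[:colon]
    return ImageRef(normalize_repository(name), tag, digest)


def group_by_repository(refs: list[str]) -> dict[str, list[ImageRef]]:
    """Repository name -> every distinct tag/digest variant seen for it."""
    groups: dict[str, list[ImageRef]] = defaultdict(list)
    for ref in refs:
        parsed = parse_image_ref(ref)
        if parsed not in groups[parsed.repository]:
            groups[parsed.repository].append(parsed)
    return dict(groups)


# Constructed sample: image references as they might appear on running pods.
RUNNING_IMAGES = [
    "nginx:1.25",
    "docker.io/library/nginx:1.24",
    "nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "localhost:5000/payments:v3",
    "ghcr.io/example-org/tool:2.0@sha256:1111111111111111111111111111111111111111111111111111111111111111",
    "ghcr.io/example-org/tool:2.0",  # duplicate reference, counted once
]

if __name__ == "__main__":
    for repo, variants in group_by_repository(RUNNING_IMAGES).items():
        print(repo, [(v.tag, v.digest) for v in variants])
```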

Image details

To view a specific image, click on the repository name and select the image digest from the drop-down menu to navigate between different versions.

Under the selected image digest, you can find all associated tags, details, and status. There is an Image hierarchy section and two tabs below the digest: Vulnerabilities and Affected resources.

Image hierarchy

In the Image hierarchy section, you can see the base image used to create the image and the layers and commands used to build each layer. This information is helpful in identifying which layer introduced vulnerabilities and what steps can be taken to address them.

By default, all layers are selected. Selecting a particular layer narrows the view to the vulnerabilities or problematic packages introduced by that layer.

Depending on your build process, the Image hierarchy section may not show the commands used to build a specific layer. To fully utilize this feature, we recommend preserving image metadata during the image build process.
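The layer-to-command mapping behind the Image hierarchy view, and the per-layer filtering of findings, can be illustrated from an OCI image config. The following is an added example, not CAST AI code: it reads a constructed image config, lines up the non-empty history entries with rootfs.diff_ids (as the OCI image spec defines), attributes a constructed set of findings to the layer that introduced them, sorts them by CVSS score, and marks layers whose build command is missing from the metadata. The config, layer digests, package names and CVE identifiers are all constructed placeholders.

```python
"""Attribute image findings to the build layer that introduced them (added example)."""
import json
from typing import Optional

# Constructed OCI image config. history entries with empty_layer=true (CMD,
# WORKDIR, ENV ...) add no filesystem layer, so only the remaining entries
# correspond, in order, to rootfs.diff_ids. The fourth diff_id has no history
# entry at all, which is what a build tool that strips metadata produces.
CONFIG_JSON = json.dumps({
    "rootfs": {"type": "layers", "diff_ids": [
        "sha256:layer0-constructed", "sha256:layer1-constructed",
        "sha256:layer2-constructed", "sha256:layer3-constructed"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:base-rootfs.tar in /"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]", "empty_layer": True},
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
        {"created_by": "/bin/sh -c #(nop) WORKDIR /app", "empty_layer": True},
        {"created_by": "COPY ./app /app # buildkit"},
    ],
})

# Constructed scanner findings; each is attached to the layer whose filesystem
# change introduced the affected package. CVE ids are placeholders.
FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "package": "libssl3", "cvss": 7.5, "diff_id": "sha256:layer0-constructed"},
    {"id": "CVE-EXAMPLE-0002", "package": "curl", "cvss": 9.8, "diff_id": "sha256:layer1-constructed"},
    {"id": "CVE-EXAMPLE-0003", "package": "curl", "cvss": 5.3, "diff_id": "sha256:layer1-constructed"},
    {"id": "CVE-EXAMPLE-0004", "package": "app-dep", "cvss": 6.1, "diff_id": "sha256:layer3-constructed"},
]


def layers_with_commands(config: dict) -> list[dict]:
    """Pair each filesystem layer with the command that built it, or None when
    the image metadata does not record one."""
    diff_ids = config["rootfs"]["diff_ids"]
    layers: list[dict] = []
    for entry in config.get("history", []):
        if entry.get("empty_layer"):
            continue            # metadata-only step, no diff_id consumed
        if len(layers) == len(diff_ids):
            break               # more history than layers: stop rather than misalign
        layers.append({"diff_id": diff_ids[len(layers)],
                       "created_by": entry.get("created_by")})
    for diff_id in diff_ids[len(layers):]:
        layers.append({"diff_id": diff_id, "created_by": None})
    return layers


def command_for_layer(layers: list[dict], diff_id: str) -> Optional[str]:
    for layer in layers:
        if layer["diff_id"] == diff_id:
            return layer["created_by"]
    return None


def findings_for_layer(findings: list[dict], diff_id: Optional[str] = None) -> list[dict]:
    """Findings for one selected layer (or all layers when diff_id is None),
    sorted by CVSS score, highest first, as the Vulnerabilities tab orders them."""
    selected = [f for f in findings if diff_id is None or f["diff_id"] == diff_id]
    return sorted(selected, key=lambda f: f["cvss"], reverse=True)


def attribute_findings(config_json: str, findings: list[dict]) -> list[dict]:
    """Each finding annotated with the build command of its layer; 'unknown build
    step' marks a layer the image metadata does not describe."""
    layers = layers_with_commands(json.loads(config_json))
    result = []
    for f in findings_for_layer(findings):
        cmd = command_for_layer(layers, f["diff_id"])
        result.append({**f, "created_by": cmd if cmd is not None else "unknown build step"})
    return result


if __name__ == "__main__":
    for row in attribute_findings(CONFIG_JSON, FINDINGS):
        print(f'{row["cvss"]:>4} {row["id"]:<18} {row["package"]:<10} {row["created_by"]}')
```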

Vulnerabilities

The Vulnerabilities tab displays all detected image vulnerabilities and available fixes, sorted by CVSS score.

Packages

The Packages tab displays operating system and application-specific packages, providing information on identified vulnerabilities and available fixes.

Affected resources

The Affected resources tab displays where the image is used and when the deployment using the image was first created.

Exceptions

The Image Security Exceptions feature allows you to remove vulnerabilities and image repositories from the repository list.

Image repository exceptions

The Image Security Exceptions feature allows you to remove the image repositories from the list view.

  1. Select the tickbox on the left of the image repository name. You can select multiple repositories at once.
  2. Click the Except repository button that appears.
  3. Enter the reason for the exception in the drawer that opens and click the exception button.

You can also exclude a repository from the Image details view:

  1. Select the Except repository button in the upper right corner of the screen.
  2. Enter the reason for the exception in the drawer that opens and click the exception button.

When a repository is marked as an exception, it is moved to the Excepted view. This means that the repository will no longer appear in the image repository list, and the statistics section will be updated accordingly. In the Excepted repositories view, you will find an identical list of repositories, but it will only include the excepted ones.

The main difference between the Active and Excepted image views is that the Excepted image details contain two additional fields: REASON and EXCEPTION SET ON.

To remove exceptions, navigate to the Excepted repositories list, which can be found in the upper right corner of the screen. From the view:

  1. Select the tickbox on the left of the image repository name. You can select multiple repositories at once.
  2. Click the Cancel exception button that appears.
  3. Enter the reason for the exception in the drawer that opens and click the exception button.

You can also cancel a repository exception from the Image details view:

  1. Select the Cancel exception button in the upper right corner of the screen.
  2. Review the list of selected images in the drawer that opens and click the Cancel exception button.