Container Scanning

The Container Scanner (Account > Service Subscriptions) detects missing security updates for the base OS of container images. The scanner uses static analysis to determine which patches are missing from the container image and does not interact with running containers. It can be run manually standalone for one-off scans or integrated into the CI/CD pipeline by running it by way of a shell script.

Supported Container Image Base Operating System

Information

Container scans are inserted based on a recurrence rule that you can configure by selecting Scan Settings > Settings from the navigation menu. Under the Scan Results tab find the Container Scanning heading and Scan recurrence option. This setting controls how often the results of the scans will display in Fortra VM. Any scans initiated during a CI/CD integration, or run manually, will send the results back to Fortra VM, but will not display on the Scan Activity page or Active View until the next iteration of this recurrence rule. Scan recurrence has no impact on how often you can run a container scan, only how often you can view the results in Fortra VM.

Fortra VM uses a combination of the image name and tag to track it from scan-to-scan in Active View. This allows tracking of remediation efforts for a particular container image between scans.

Service subscriptions for Container Scanning track the number of images scanned based on the image name. This means that you can change the tag portion of a container image for different release versions, and it will still only count as scanning a single container towards the service limits

In the Scan Activity page, a new icon for a container scan has been added to distinguish the scan from other types of scans. This icon is also used in the asset list page within the scan results.

Requirements

Accounts are required to have the Container Scanning service subscription to use the Container Scanner. The necessary site license created with this service subscription enables insertion of scan results. The site license for Container Scanning is located under System > Settings > Container Scanning Site License Key from the navigation menu. You will also need an internal RNA associated to the account. This internal RNA is not used for scanning, but it is necessary to insert results since Fortra VM needs to associate a scanner to the results.

Docker Host Requirements

The host running the Container Scanner

• Must be running a recent version of Docker
• Must be able to access docker.<lineup domain> and updates.<lineup domain>

  • Examples:

    docker.us.frontline.cloud
updates.us.frontline.cloud

Usage Examples

The scanner containers are ephemeral and require no activation other than supplying a valid site license in the scan command. The scanner will auto-home to the correct lineup based on the site license provided for the scan when sending back scan results. Scans generally take less than 30 seconds to complete.

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock docker.us.frontline.cloud/container-scanner scanner scan  -i oraclelinux:6 -l xx28370a-f488-2340-b53d-6c630a9fa43a

Scanner Updates

Clients will need to pull a new scanner image at a regular interval to get the latest checks and scanning engine updates. This can be done with a standard docker pull command and should be relatively quick for most updates. Before doing a pull you must be authenticated to the docker registry for the lineup. We recommend attempting to pull a new image once per day.

echo "<site license>" | docker login docker.<lineup domain> -u client --password-stdin

docker pull docker.<lineup domain>/container-scanner:latest

Example of how to update the scanner image:

echo "xx28370a-f488-2340-b53d-6c630a9fa43a" | docker login docker.us.frontline.cloud -u client --password-stdin

docker pull docker.us.frontline.cloud/container-scanner:latest