OpenShift docs are moving and will soon only be available at docs.redhat.com, the home of all Red Hat product documentation. Explore the new docs experience today.
  1. Documentation
    2. history
×

Integrating with image vulnerability scanners

Red Hat Advanced Cluster Security for Kubernetes (RHACS) integrates with vulnerability scanners to enable you to import your container images and watch them for vulnerabilities.

Supported container image registries

Red Hat supports the following container image registries:

  • Amazon Elastic Container Registry (ECR)

  • Generic Docker registries (any generic Docker or Open Container Initiative-compliant image registries, for example, DockerHub, gcr.io, mcr.microsoft.com)

  • Google Container Registry

  • Google Artifact Registry

  • IBM Cloud Container Registry

  • JFrog Artifactory

  • Microsoft Azure Container Registry (ACR)

  • Red Hat Quay

  • Red Hat registry (registry.redhat.io, registry.access.redhat.com)

  • Sonatype Nexus

This enhanced support gives you greater flexibility and choice in managing your container images in your preferred registry.

Supported Scanners

You can set up RHACS to obtain image vulnerability data from the following commercial container image vulnerability scanners:

Scanners included in RHACS

  • Scanner V4 (Technology Preview): Beginning with RHACS version 4.4, a new scanner is introduced that is built on ClairCore, which also powers the Clair scanner. Scanner V4 supports scanning of language and OS-specific image components. You do not have to create an integration to use this scanner, but you must enable it during or after installation. For version 4.4, if you enable this scanner, you must also enable the StackRox Scanner. For more information about Scanner V4, including links to the installation documentation, see About RHACS Scanner V4.

    Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

    For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

  • StackRox Scanner: This scanner is the default scanner in RHACS. It originates from a fork of the Clair v2 open source scanner. If you have Scanner V4 enabled, you must also enable this scanner to provide scanning of RHCOS nodes and platform vulnerabilities such as Red Hat OpenShift, Kubernetes, and Istio. Support for that functionality in Scanner V4 is planned for a future release.

Alternative scanners

  • Clair: As of version 4.4, you can enable Scanner V4 in RHACS to provide functionality provided by ClairCore, which also powers the Clair V4 scanner. However, you can configure Clair V4 as the scanner by configuring an integration.

  • Google Container Analysis

  • Red Hat Quay

The StackRox Scanner, in conjunction with Scanner V4 (optional), is the preferred image vulnerability scanner to use with RHACS. For more information about scanning container images with the StackRox Scanner and Scanner V4, see Scanning images.

If you use one of these alternative scanners in your DevOps workflow, you can use the RHACS portal to configure an integration with your vulnerability scanner. After the integration, the RHACS portal shows the image vulnerabilities and you can triage them easily.

If multiple scanners are configured, RHACS tries to use the non-StackRox/RHACS and Clair scanners. If those scanners fail, RHACS tries to use a configured Clair scanner. If that fails, RHACS tries to use Scanner V4, if configured. If Scanner V4 is not configured, RHACS tries to use the StackRox Scanner.

Integrating with Clair

Beginning with version 4.4, Clair scanning features are available in the new RHACS scanner, Scanner V4, and do not require a separate integration. The instructions in this section are only required if you are using the Clair V4 scanner.

Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Note the following guidance:

  • Starting with RHACS 3.74, Red Hat deprecated the previous CoreOS Clair integration in favor of Clair V4 integration. A separate integration was required to use the Clair V4 Scanner. Beginning with version 4.4, this integration is no longer required if you are using Scanner V4.

  • There is no planned support for the JWT-based authentication option for Clair V4 integration in the next RHACS 4.0 version.

Procedure

  1. In the RHACS portal, go to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Clair v4.

  3. Click New integration.

  4. Enter the details for the following fields:

    1. Integration name: The name of the integration.

    2. Endpoint: The address of the scanner.

  5. (Optional) If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).

  6. (Optional) Click Test to test that the integration with the selected registry is working.

  7. Click Save.

Integrating with Google Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Container Registry (GCR) for container analysis and vulnerability scanning.

Prerequisites

  • You must have a service account key for the Google Container Registry.

  • The associated service account has access to the registry. See Configuring access control for information about granting users and other projects access to GCR.

  • If you are using GCR Container Analysis, you have granted the following roles to the service account:

    • Container Analysis Notes Viewer

    • Container Analysis Occurrences Viewer

    • Storage Object Viewer

Procedure

  1. In the RHACS portal, go to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Google Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Scanner.

    3. Registry Endpoint: The address of the registry.

    4. Project: The Google Cloud project name.

    5. Service account key (JSON) Your service account key for authentication.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Integrating with Quay Container Registry to scan images

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Quay Container Registry for scanning images.

Prerequisites

  • You must have an OAuth token for authentication with the Quay Container Registry to scan images.

Procedure

  1. In the RHACS portal, go to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Red Hat Quay.io.

  3. Click New integration.

  4. Enter the Integration name.

  5. Under Type, select Scanner. (If you are also integrating with the registry, select Scanner + Registry.) Enter information in the following fields:

    • Endpoint: Enter the address of the registry.

    • OAuth token: Enter the OAuth token that RHACS uses to authenticate by using the API.

    • Optional: Robot username: If you are configuring Scanner + Registry and are accessing the registry by using a Quay robot account, enter the user name in the format <namespace>+<accountname>.

    • Optional: Robot password: If you are configuring Scanner + Registry and are accessing the registry by using a Quay robot account, enter the password for the robot account user name.

  6. Optional: If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).

  7. Optional: To create the integration without testing, select Create integration without testing.

  8. Select Save.

If you are editing a Quay integration but do not want to update your credentials, verify that Update stored credentials is not selected.