×

With Red Hat Advanced Cluster Security for Kubernetes, you can analyze images for vulnerabilities using the RHACS scanners, or you can configure an integration to use another supported scanner.

The scanners in RHACS analyze each image layer to find packages and match them against known vulnerabilities by comparing them with a vulnerability database populated from different sources. Depending on the scanner used, sources include the National Vulnerability Database (NVD), the Open Source Vulnerabilities (OSV) database, and operating system vulnerability feeds.

The RHACS Scanner V4 uses the OSV database available at OSV.dev under this license.

RHACS contains two scanners: the StackRox Scanner and Scanner V4.

The StackRox Scanner originates from a fork of the Clair v2 open source scanner and is the default scanner. In version 4.4, RHACS introduced Scanner V4, built on ClairCore, which provides additional image scanning features.

This documentation uses the term "RHACS scanner" or "Scanner" to refer to the combined scanning capabilities provided by the two scanners: the StackRox Scanner and Scanner V4. When referring to the capabilities of a specific scanner, the name of the specific scanner is used.

When the RHACS scanner finds any vulnerabilities, it performs the following actions:

  • Shows them in the Vulnerability Management view for detailed analysis

  • Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment

  • Checks them against enabled security policies

The RHACS scanner inspects the images and identifies the installed components based on the files in the images. It might fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

Components Files

Package managers

  • /etc/alpine-release

  • /etc/apt/sources.list

  • /etc/lsb-release

  • /etc/os-release or /usr/lib/os-release

  • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release

  • Other similar system files.

Language-level dependencies

  • package.json for JavaScript.

  • dist-info or egg-info for Python.

  • MANIFEST.MF in Java Archive (JAR) for Java.

Application-level dependencies

  • dotnet/shared/Microsoft.AspNetCore.App/

  • dotnet/shared/Microsoft.NETCore.App/

About RHACS Scanner V4

RHACS provides its own scanner, or you can configure an integration to use RHACS with another vulnerability scanner.

Beginning with version 4.4, Scanner V4, built on ClairCore, provides scanning for language and operating system-specific image components. For version 4.4, RHACS also uses the StackRox Scanner to provide some scanning functionality until that functionality is implemented in a future release.

Scanning images

For version 4.4, RHACS provides two scanners: the StackRox Scanner and Scanner V4. Both scanners can examine images in secured clusters connected in your network. Secured cluster scanning is enabled by default in Red Hat OpenShift environments deployed by using the Operator or when delegated scanning is used. See "Accessing delegated image scanning" for more information.

Even if you have Scanner V4 enabled, at this time, the StackRox Scanner must still be enabled to provide scanning of RHCOS nodes and platform vulnerabilities such as Red Hat OpenShift, Kubernetes, and Istio. Support for that functionality in Scanner V4 is planned for a future release. Do not disable the StackRox Scanner.

When using the StackRox Scanner, RHACS performs the following actions:

  • Central submits image scanning requests to the StackRox Scanner.

  • Upon receiving these requests, the StackRox Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central

  • The StackRox Scanner identifies the vulnerabilities in the following areas:

    • Base image operating system

    • Packages that are installed by the package managers

    • Programming language specific dependencies

    • Programming runtimes and frameworks

When using Scanner V4, RHACS performs the following actions:

  • Central requests the Scanner V4 Indexer to download and index (analyze) given images.

  • Scanner V4 Indexer pulls image metadata from registries to determine the layers of the image, and downloads each previously unindexed layer.

  • Scanner V4 Indexer requests mapping files from Central that assist the indexing process. Scanner V4 Indexer produces in an index report.

  • Central requests that Scanner V4 Matcher match given images to known vulnerabilities. This process results in the final scan result: a vulnerability report. Scanner V4 Matcher requests the latest vulnerabilities from Central.

  • Scanner V4 Matcher requests the results of the image indexing, the index report, from Scanner V4 Indexer. It then uses the report to determine relevant vulnerabilities. This interaction occurs only when the image is indexed in the Central cluster. This interaction does not occur when Scanner V4 is matching vulnerabilities for images indexed in secured clusters.

  • The Indexer stores data in the Scanner V4 DB that is related to the indexing results to ensure that image layers are only downloaded and indexed once. This prevents unnecessary network traffic and other resource utilization.

  • When secured cluster scanning is enabled, Sensor requests Scanner V4 to index images. Scanner V4 Indexer requests mapping files from Sensor that assist the indexing process unless Central exists in the same namespace. In that case, Central is contacted instead.

Understanding and addressing common Scanner warning messages

When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE warning message. Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.

The following table shows some common Scanner warning messages:

Table 1. Warning messages
Message Description

Unable to retrieve the OS CVE data, only Language CVE data is available

Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages.

Stale OS CVE data

Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated. For example, Debian 8 and 9.

For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities.

Failed to get the base OS information

Indicates that Scanner scanned the image, but was unable to determine the base operating system used for the image.

Failed to retrieve metadata from the registry

Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking docker.io, or an authentication issue preventing access.

To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries.

Image out of scope for Red Hat Vulnerability Scanner Certification

Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.

If you are using a Red Hat container image, consider using a base image newer than June 2020.

Supported package formats

Scanner can check for vulnerabilities in images that use the following package formats:

  • apt

  • apk

  • dpkg

  • rpm

Supported programming languages

Scanner can check for vulnerabilities in dependencies for the following programming languages:

  • Go (Scanner V4 only)

    • Binaries: The standard library version used to build the binary is analyzed. If the binaries are built with module support (go.mod), then the dependencies are also analyzed.

  • Java

    • JAR

    • WAR

    • EAR

  • JavaScript

    • Node.js

    • npm package.json

  • Python

    • egg and wheel formats

  • Ruby

    • gem

Supported runtimes and frameworks

Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), the StackRox Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core

  • ASP.NET Core

These are not supported by Scanner V4.

Supported operating systems

The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities, and it is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.

Scanner identifies vulnerabilities in images that contain the following Linux distributions. For more information about the vulnerability databases used, see "Vulnerability sources" in "RHACS Architecture".

Distribution Version

Alpine Linux

alpine:3.2[1],alpine:3.3, alpine:3.4, alpine:3.5, alpine:3.6, alpine:3.7, alpine:3.8, alpine:3.9, alpine:3.10, alpine:3.11, alpine:3.12, alpine:3.13, alpine:3.14, alpine:3.15, alpine:3.16, alpine:3.17, alpine:3.18, alpine:3.19, alpine:3.20, alpine:edge

Amazon Linux

amzn:2018.03, amzn:2, amzn:2023[2]

CentOS

centos:6[1], centos:7[1], centos:8[1]

Debian

debian:10, debian:11, debian:12, debian:unstable[1], distroless

Oracle Linux

ol:5[2], ol:6[2], ol:7[2], ol:8[2], ol:9[2]

Photon OS

photon:1.0[2], photon:2.0[2], photon:3.0[2]

Red Hat Enterprise Linux (RHEL)

rhel:6[3], rhel:7[3], rhel:8[3], rhel:9[3]

SUSE

sles:11[2], sles:12[2], sles:15[2], opensuse-leap:15.0[2], opensuse-leap:15.1[2]

Ubuntu

ubuntu:14.04, ubuntu:16.04, ubuntu:18.04, ubuntu:20.04,ubuntu:22.04, ubuntu:23.10, ubuntu:24.04

The following vulnerability sources are not updated by the vendor: ubuntu:12.04, ubuntu:12.10, ubuntu:13.04, ubuntu:14.10, ubuntu:15.04, ubuntu::15.10, ubuntu::16.10, ubuntu:17.04, ubuntu:17.10, ubuntu:18.10, ubuntu:19.04, ubuntu:19.10, ubuntu:20.10, ubuntu:21.04, ubuntu:21.10, ubuntu:22.10, ubuntu:23.04, debian:8[1], debian:9[1], debian:10[1]

  1. Only supported in the StackRox Scanner.

  2. Only supported in Scanner V4.

  3. Images older than June 2020 are not supported in Scanner V4.

  • Scanner does not support the Fedora operating system because Fedora does not maintain a vulnerability database. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.

Redirecting image pulls from a source registry to a mirrored registry

Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports scanning images from registry mirrors that you have configured by using one of the following OpenShift Container Platform custom resources (CRs):

  • ImageContentSourcePolicy (ICSP)

  • ImageDigestMirrorSet (IDMS)

  • ImageTagMirrorSet (ITMS)

For more information about how to configure image registry repository mirroring, see "Configuring image registry repository mirroring".

You can automatically scan images from registry mirrors by using delegated image scanning.

For more information about how to configure delegated image scanning, see "Scanning images by using secured clusters".

Accessing delegated image scanning

You can have isolated container image registries that are only accessible from your secured clusters. The delegated image scanning feature enables you to scan images from any registry in your secured clusters.

Enhancing image scanning by accessing delegated image scanning

Currently, by default, Central Services Scanner performs both indexing (identification of components) and vulnerability matching (enrichment of components with vulnerability data) for images observed in your secured clusters, with the exception of images from the OpenShift Container Platform integrated registry.

For images from the OpenShift Container Platform integrated registry, Scanner-slim installed in your secured cluster performs the indexing, and the Central Services Scanner performs the vulnerability matching.

The delegated image scanning feature extends scanning functionality by allowing Scanner-slim to index images from any registry and then send them to Central for vulnerability matching. To use this feature, ensure that Scanner-slim is installed in your secured clusters. If Scanner-slim is not present, scan requests are sent directly to Central.

Scanning images by using secured clusters

To scan images by using the secured clusters instead of the Central services, you can use the delegated image scanning feature.

A new delegated scanning configuration specifies the registries from which you can delegate image scans. For images that Sensor observes, you can use the delegated registry configuration to delegate scans from no registries, all registries, or specific registries.

To enable delegation of scans by using the roxctl CLI, Jenkins plugin, or API, you must also specify a destination cluster and source registry.

Prerequisites
  • You have installed Scanner in the secured cluster to scan images.

    Enabling Scanner is supported on OpenShift Container Platform and Kubernetes secured clusters.

Procedure
  1. In the RHACS portal, click Platform Configuration → Clusters.

  2. In the Clusters view header, click Delegated scanning.

  3. In the Delegated Image Scanning page, provide the following information:

    • Delegate scanning for: To choose the scope of the image delegation, select one of the following options:

      • None: The default option. This option specifies that the secured clusters do not scan any images, except for images from the integrated OpenShift image registry.

      • All registries: This option indicates that the secured clusters scan all the images.

      • Specified registries: This option specifies the images that secured clusters should scan based on the registries list.

    • Select default cluster to delegate to: From the drop-down list, select the name of the default cluster. The default cluster processes the scan requests coming from the command-line interface (CLI) and API. This is optional and you can select None if required.

    • Optional: To specify the source registry and destination cluster details, click Add registry.

      For example, specify the source registry as example.com, and select remote from the drop-down list for the destination cluster. You can add more than one source registry and destination cluster if required.

      You can select the destination cluster as None if the scan requests are not coming from the CLI and API.

  4. Click Save.

Image integrations are now synchronized between Central and Sensor, and Sensor captures pull secrets from each namespace. Sensor then uses these credentials to authenticate to the image registries.

Installing and configuring Scanner-slim on secured clusters

Using the Operator

RHACS Operator installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

Using Helm

Secured Cluster Services Helm chart (secured-cluster-services) installs a Scanner-slim version on each secured cluster. In Kubernetes, the secured cluster services include Scanner-slim as an optional component. On OpenShift Container Platform, however, RHACS installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

Verifying after installation

Procedure
  • Verify that the status of the secured cluster indicates that Scanner is present and healthy:

    1. In the RHACS portal, go to Platform Configuration → Clusters.

    2. In the Clusters view, select a cluster to view its details.

    3. In the Health Status card, ensure that Scanner is present and is marked as Healthy.

Using image scanning

You can scan images stored in a cluster specific OpenShift Container Platform integrated image registry by using roxctl CLI, Jenkins, and API. You can specify the appropriate cluster in the delegated scanning configuration or use the cluster parameter available in roxctl CLI, Jenkins, and API.

For more information about how to scan images by using the roxctl CLI, see Image scanning by using the roxctl CLI.

Setting up scanning

You can configure settings for scanning, such as automatic scanning of active and inactive images.

Automatic scanning of active images

Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.

From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.

Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.

You can also use the roxctl CLI to check the image scan results on demand.

Scanning inactive images

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure
  1. In the RHACS portal, click Vulnerability ManagementWorkload CVEs.

  2. Click Manage watched images.

  3. In the Image name field, enter the fully-qualified image name that begins with the registry and ends with the image tag, for example, docker.io/library/nginx:latest.

  4. Click Add image to watch list.

  5. Optional: To remove a watched image, locate the image in the Manage watched images window, and click Remove watch.

    In the RHACS portal, click Platform ConfigurationSystem Configuration to view the data retention configuration.

    All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  6. Click Close to return to the Workload CVEs page.

About vulnerabilities

RHACS fetches vulnerability definitions and updates from multiple vulnerability feeds. These feeds are both general in nature, such as NVD, or distribution-specific, such as Alpine, Debian, and Ubuntu. For more information on viewing and addressing vulnerabilities that are found, see Vulnerability management.

Fetching vulnerability definitions

In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources, and it refreshes every 3 hours.

  • The address of the feed is https://definitions.stackrox.io.

  • You can change the default query frequency for Central and the StackRox Scanner by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable:

    $ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value> (1)
    1 If you use Kubernetes, enter kubectl instead of oc.

Note the following guidance:

  • The StackRox Scanner’s configuration map still has an updater.interval parameter for configuring the scanner’s updating frequency, but it no longer includes the fetchFromCentral parameter.

  • Setting this environment variable is not supported for Scanner V4.

For more information about the vulnerability sources that RHACS uses, see "Vulnerability sources" in "Red Hat Advanced Cluster Security for Kubernetes architecture".

Additional resources

Understanding vulnerability scores in the dashboard

The vulnerability management dashboard in the Red Hat Advanced Cluster Security for Kubernetes portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. RHACS shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, RHACS shows the score and lists v3 along with it. For example, 6.5 (v3).

    CVSS v3 scores are only available if you are using the StackRox Scanner version 1.3.5 and later or Scanner V4.

  • If a CVSS v3 score is not available, RHACS might show only the CVSS v2 score. For example, 6.5.

You can use the API to get the CVSS scores. If CVSS v3 information is available for a vulnerability, the response might include both CVSS v3 and CVSS v2 information.

For a Red Hat Security Advisory (RHSA), the CVSS score is set to the highest CVSS score among all the related CVEs. One RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.

Disabling language-specific vulnerability scanning

Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.

Procedure
  • To disable language-specific vulnerability scanning, run the following command:

    $ oc -n stackrox set env deploy/scanner \ (1)
      ROX_LANGUAGE_VULNS=false (2)
    
    1 If you use Kubernetes, enter kubectl instead of oc.
    2 If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS.

Additional resources