Scanning Container Images
NOTE: This page is about the container solution in the legacy Core SCA Application. Users of the new Mend Platform should check out the Mend Container documentation.
Overview
The Mend Cloud Native Application offers visual insights into the overall security risk of the images in your organization. You can quickly identify vulnerable packages in an image down to the layer, gauge the impact of specific vulnerabilities, and see whether they have been resolved in newer versions.
How can I use the Mend Cloud Native Application?
Container images can be built in-house from your own code and packages, or they can be public images. In either case, it is good practice to monitor images for vulnerabilities that appear in their packages.
Vulnerabilities are common and a fact of life; Mend gives you the tools to detect them and recommends ways to mitigate them. Scan your images layer by layer with the Unified CLI using the “image” keyword. Results are available in the Mend UI. This is what you can expect to see:
Beyond this overview of the images in your organization, you can slice the scan results according to image risk score as well as vulnerability distributions in and across images, layers and packages. Use this information to formulate a plan to deal with security risk.
If you work in DevOps, or even if you are a developer, you can manually scan a single image or add a scan step to your CI/CD pipeline to get reports automatically.
If you are the AppSec Manager in your organization, unleash the power of the Mend Platform to manage all of your container images in one place, with the analytical tools you need to spot and fix the riskiest images and spot trends in image versioning and reuse.
The concept of an Image risk score will not be shown when switching to the Mend Platform, due to the different way container image scans will be shown in the Platform.
You work in DevOps
Find your image in the Mend Cloud Native Application
Make sure that the Cloud Native option has been enabled for each of your organizations. Speak to your Customer Service Manager for assistance.
Both admin and regular user permissions have access to this feature.
Open the Mend UI.
Click the cube in the upper left corner and select the Cloud Native option.
Click the Images tab at the top of the next screen, and find your image in the list:
Details of the image are displayed in a window to the right. Expand this window leftward by clicking the double arrows.
View the Risks in an Image
This detailed view of your container image has the following information:
Your image vitals, including:
Image ID (SHA)
OS Distribution
OS Release
First and Last (Latest) Scan Dates
Docker File
Repository
Scope (Application | Project)
A top bar with an overall risk score from zero to ten, where 0 is no risk and 10 is the highest possible risk. The overall risk score together with its breakdown gives a good overview of the image. The risk bar also shows a breakdown of the vulnerabilities found in the image according to the standard SCA score bands, where:
Critical is a score of 9-10
High is a score of 6-9
Medium is a score of 3-6
Low is a score of 0-3
Five tabs beneath the risk bar provide more information:
The Vulnerabilities tab lists the CVE numbers of the vulnerabilities found in specific packages contained in the image, the EPSS score and CVSS score assigned to each CVE, and the layer in which the package was found. Most helpful is the newer version of the package that should be used in place of the current one to resolve the vulnerability:
The CVSS score shown in the UI and the CLI can come from one of two sources: the vendor CVSS score, which takes into account the context introduced by the Linux distribution vendor, and the NVD CVSS score.
When applicable, the vendor CVSS score is shown first in the results.
Example vendor advisories:
Alpine: https://security.alpinelinux.org/
RedHat: https://access.redhat.com/security/
Ubuntu: https://ubuntu.com/security/cves
For vendors that publish a severity level rather than a specific score, we assign a mid-range score as follows: Low severity → 1.5, Medium severity → 5.5, High severity → 7.5, Critical severity → 9.5
Where no vendor score is applicable, we use the NVD CVSS score as the second option.
ℹ️ Notice that, due to the operating system context that is introduced in container images, CVSS scores can differ between vendor scores and NVD.
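As an added illustration (not Mend's own code), the score precedence and severity bands described above, applied to a few constructed findings. The CVE numbers, package names, layer IDs and scores are made up; since the page's bands share their endpoints, treating a boundary value as belonging to the higher band is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Mid-range scores the page assigns when a distro vendor publishes only a severity level.
VENDOR_SEVERITY_MIDPOINT = {"low": 1.5, "medium": 5.5, "high": 7.5, "critical": 9.5}


@dataclass
class Finding:
    cve: str
    package: str
    layer: str
    vendor_score: Optional[float] = None    # numeric vendor CVSS, if the vendor publishes one
    vendor_severity: Optional[str] = None   # vendor severity label, when no numeric score exists
    nvd_score: Optional[float] = None       # NVD CVSS, used only as the fallback


def effective_score(f: Finding) -> Optional[float]:
    """Score precedence as described on the page: vendor numeric score,
    then the midpoint of the vendor severity level, then the NVD score."""
    if f.vendor_score is not None:
        return f.vendor_score
    if f.vendor_severity is not None:
        return VENDOR_SEVERITY_MIDPOINT.get(f.vendor_severity.lower())
    return f.nvd_score


def severity_bucket(score: Optional[float]) -> str:
    """Map a score to the page's bands; a missing score is reported as Unknown.
    Assumption: a boundary value (3, 6, 9) falls into the higher band."""
    if score is None:
        return "Unknown"
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def layer_breakdown(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-layer count of findings per band, like the breakdown on the Layers tab."""
    out: Dict[str, Dict[str, int]] = {}
    for f in findings:
        bands = out.setdefault(f.layer, dict.fromkeys(["Critical", "High", "Medium", "Low", "Unknown"], 0))
        bands[severity_bucket(effective_score(f))] += 1
    return out


# Constructed sample findings (placeholder CVE IDs and layer IDs, not real data).
SAMPLE = [
    Finding("CVE-0000-0001", "openssl", "sha256:layer-a", vendor_score=7.4, nvd_score=9.8),
    Finding("CVE-0000-0002", "zlib", "sha256:layer-a", vendor_severity="Medium", nvd_score=8.1),
    Finding("CVE-0000-0003", "curl", "sha256:layer-b", nvd_score=9.1),
    Finding("CVE-0000-0004", "busybox", "sha256:layer-b"),
]
```

The first sample finding shows the point of the note above: the vendor score (7.4, High) is used even though NVD rates the same CVE 9.8 (Critical).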
The Layers tab lists all of the layers in your image. If vulnerabilities are identified, the risk breakdown is displayed for each layer. Click a layer to see the specific CVE vulnerabilities in that layer.
Package Data shows the same information organized by image package. For each package, its version, the layer in which it is located, and its risk score distribution are listed.
Tip: The information presented in each of the tabs can be exported to a CSV file.
Container Secrets. For more information on this feature, see Identify your container image secrets with the Mend CLI scan.
Policy Violations. For more information on this feature, see Use the Mend CLI Container Image policy check for build control.
You are your Organization’s AppSec Manager
Your organization uses many container images to build apps. Some images are built from your own code and assembled in your pipelines. Others may be added in from external resources.
Your task is to manage the risk for your organization by assembling a complete picture of the organization’s risk posture, zeroing in on the images and packages that carry the most risk, and moving quickly to correct them.
View the Status of Your Organization’s Images
Your DevOps team scans the images regularly, and you already know how to view the results in the Cloud Native section of the Mend UI.
The Overview tab gives you an indication of the overall risk in your organization’s containers, with four sections summarizing your images and the vulnerabilities found with them.
Top 10 risky images lists those images with the highest overall risk score (with zero the lowest and ten the highest). Click an image to be taken directly to the detailed image view.
Tip: An image listed in the top ten may not be the only version of it in your containers; compare it with a more recent version, if one is available, to see whether the risk has been reduced in that version.
Top 10 most affecting vulnerabilities lists the top ten vulnerabilities that have become prevalent in your containers. A widespread vulnerability should be addressed quickly.
Vulnerabilities by severity shows the breakdown by risk score of the vulnerabilities that have been found. There is no absolute measure of how many vulnerabilities of each severity are acceptable, so this chart is most useful for monitoring trends.
Image by risk score shows a breakdown of the total risk scores for your images.
Filtering the Results
Seeing the top ten risky images and the top ten most common vulnerabilities already focuses you on the items that need immediate attention. As you work through them, you will want to drill down into specific images and vulnerabilities, and filtering options will help you do just that.
Filter Images
Click View All in the top ten risky images column of the Overview tab, or click the Images tab at the top of the screen.
Use the Filters column to the right to filter the images by:
Registry (list of all registries found in the image)
Repository (name of an image regardless of version)
Image tag
Image risk score (ranges corresponding to Low, Medium, High, and Critical)
Filter Images By Risk Score
The concept of an Image risk score will not be shown when switching to the Mend Platform, due to the different way container image scans will be shown in the Platform.
The pie chart of this name on the Overview tab shows the distribution of vulnerabilities in all of
Click any risk score severity to jump to the detailed view of all images with overall risk scores in the range that was clicked.
Click an image repository to view the images and their versions. Click a single image to see its details: overall score, vulnerability severity distribution, vulnerabilities, layers and package data.
The information presented in each of these views can be exported to a CSV file.
Filter Images by Scope
Similar to our SCA UI, in the Images tab, our Cloud Native UI allows you to filter your image inventory by application (comparable to “product” in the SCA UI) or project.
Users can only see the Applications and Projects that are accessible to them according to their user permission access groups.
Filter Vulnerabilities
Click View All in the top ten affecting vulnerabilities column of the Overview tab, or click the Vulnerabilities tab at the top of the screen. This allows you to find all instances of a specific vulnerability throughout your images.
Tip: When viewing the images affected by a vulnerability, click on any image to jump to a detailed image view with its risk summary and list of vulnerabilities.
Use the Filters column to the right to filter the vulnerabilities by:
Vulnerability ID (CVE number)
Image Name
Image Tag
Severity (Unknown, Low, Medium, High and Critical)
EPSS Score
Fix Availability
Discovery Time
Filter Vulnerabilities By Severity
The pie chart of this name on the Overview tab shows the distribution of vulnerabilities in all of your organization’s images. The information given is an aggregate for the organization grouping vulnerabilities by their risk score, providing an overall picture of the organization’s risk posture.
Click on any severity level to jump to the detailed view of vulnerabilities with the severity filter set to the range that was clicked.
Click on any CVE number to view all of the images with this vulnerability, the package in which the vulnerability exists, and whether or not a fix for it is available.
Scopes for scanned images
Similar to our SCA UI, the Cloud Native UI also supports the scoping of scanned container images at the product (now referred to as application) and project levels for:
Visit each product documentation link above to learn more on how to configure scopes with your Mend for Container Image scans.
Note:
Only organization administrators can set image scopes.
Both Admin and regular user roles can access the Cloud Native UI. Regular users can view only the Images page, which is filtered according to their user permissions.
Our Container Image scans will create empty projects within the Mend SCA UI. This is to allow organization administrators to create application (called a product in the Mend SCA UI) and project-scoped policies for Container Image scans.
Deleting these empty products or projects within the Mend SCA UI will also delete the inventory of any scanned images under them within the Cloud Native UI. Therefore, it is recommended to confirm with your organization administrator where the products and projects in the Mend SCA UI came from before editing them.