
Review the Container Image Scan Findings within your Organization

Overview

As a Security Champion or AppSec manager, you will be reviewing the top Applications and Projects with critical and high-severity container image security findings. You will want to drill down into them to review their summaries and findings, including the finding details and the suggested remediations.

Getting it done

Review the top Application with the highest severity Container Image Security Findings

Beginning on the Mend Application Security Dashboard, ensure only the Containers engine is enabled.

  1. Click the Dependencies and/or Code scan engines to disable them if they are not disabled already.

By default, the Applications widget showing the Top 10 high-risk Applications by Total Findings is ranked by the total number of findings.

  1. Click the “C” in the box on the Applications widget to rank by most critical severity findings.

If multiple applications are tied for the selected ranking order, they will be listed alphabetically.

  1. Click the Application that has been sorted to the top with the most critical-risk findings. You will be redirected to that application's summary page.


The Application Summary screen contains some vulnerability-related information about your application, including the overall number of vulnerabilities distributed by severity as well as secrets:

  1. Click Projects in the left pane or click the Projects widget in the Overview section to view the Projects associated with the Application.


Review the top Project within the Application with highest severity Security Findings

  1. Click the “C” in the red box on the Projects table to rank by most critical-severity findings.

  2. Click the Project that has been sorted to the top with the most high-risk findings. You will be redirected to that project's summary page.

  1. Click Containers in the left pane to view the latest container image findings associated with the Project (1). By default, the findings are sorted by Severity (2), but we encourage you to add filters (3) to sort the findings in a manner that suits your needs.


Filtering & Sorting options

While hovering with the mouse cursor over a column name, an options icon (3 lines) will appear:


Clicking on it will reveal a menu that will enable you to change the settings of that particular column.

Severity

On the Severity column menu, you can select the severity levels you wish to include in the findings table:

Fix Availability

Click the Fix Version column's options icon to filter by ‘Has Fix’ or ‘No Fix’:

EPSS Score

Click the EPSS Score column's options icon to filter by Exploitability Probability in the next 30 days*:

* The probability is displayed as a decimal fraction in the filter, while in the findings table it is displayed as a percentage.

Hide OS Findings

Checking this option will exclude operating-system findings from the findings table. This option is useful if you don’t update base image packages:

View by layer

Typically, when it comes to container images, multiple layers might contain vulnerabilities.

For more accurate navigation within your Image scan results, you can filter and sort the results by layers, by toggling the View by layer option:


Once toggled, the findings will be rearranged by layer number, allowing you to expand each layer to reveal its vulnerabilities:


Exporting the data

After you’ve filtered and sorted the findings, you can export them to CSV by clicking the Export to CSV button at the right edge of the screen:

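The filters described above (Severity, Fix Availability, EPSS Score, Hide OS Findings, View by layer) can be reproduced offline on the exported findings. The following is an added example, not Mend's own code or export schema: the field names and the sample findings are constructed for illustration, and the EPSS helper handles the decimal-versus-percentage display difference noted earlier.

```python
from collections import defaultdict

# Constructed sample findings (field names are assumptions, not Mend's export schema).
FINDINGS = [
    {"id": "FINDING-1", "package": "os-pkg-a", "severity": "critical",
     "fix_version": "1.0.1", "epss": 0.92, "os_package": True, "layer": 1},
    {"id": "FINDING-2", "package": "os-pkg-b", "severity": "high",
     "fix_version": None, "epss": 0.05, "os_package": True, "layer": 1},
    {"id": "FINDING-3", "package": "app-pkg-a", "severity": "high",
     "fix_version": "2.3.0", "epss": 0.30, "os_package": False, "layer": 3},
    {"id": "FINDING-4", "package": "app-pkg-b", "severity": "medium",
     "fix_version": "4.1.0", "epss": 0.001, "os_package": False, "layer": 3},
    {"id": "FINDING-5", "package": "app-pkg-c", "severity": "critical",
     "fix_version": "9.0.0", "epss": 0.65, "os_package": False, "layer": 4},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def epss_to_fraction(value):
    """The EPSS filter takes a decimal fraction (0.30) while the table shows a
    percentage ("30%"); accept either form and return the fraction."""
    if isinstance(value, str) and value.strip().endswith("%"):
        return float(value.strip()[:-1]) / 100.0
    return float(value)

def filter_findings(findings, severities=None, has_fix=None, min_epss=0.0, hide_os=False):
    """Apply the table's filters (Severity, Fix Availability, EPSS Score, Hide OS
    Findings) and return the kept findings sorted by severity, then EPSS."""
    threshold = epss_to_fraction(min_epss)
    kept = []
    for f in findings:
        if severities and f["severity"] not in severities:
            continue
        if has_fix is True and f["fix_version"] is None:
            continue
        if has_fix is False and f["fix_version"] is not None:
            continue
        if epss_to_fraction(f["epss"]) < threshold:
            continue
        if hide_os and f["os_package"]:
            continue
        kept.append(f)
    return sorted(kept, key=lambda f: (SEVERITY_RANK[f["severity"]], -epss_to_fraction(f["epss"])))

def group_by_layer(findings):
    """Mirror the View by layer toggle: map layer number to the finding ids in it."""
    layers = defaultdict(list)
    for f in findings:
        layers[f["layer"]].append(f["id"])
    return dict(sorted(layers.items()))
```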

Secrets

Secrets are any kind of sensitive or private data that permits authorized users to access your IT infrastructure. These include keys and credentials such as SSH keys and certificates, TLS keys, encryption keys, API keys, database credentials, and more.

Secrets should be kept strictly private as attackers can easily find and use them to access and control the assets they are meant to protect. Developers may leave hard-coded secrets in container images, especially during rapid development and deployment cycles, thereby putting your organization and infrastructure at risk.

Secrets detected during your Container Image scan will be displayed in a separate tab from the rest of the findings:


Packages

The Project scope will always show the latest image scan for the selected project.

Within the Project, click on the Packages tab to see a full package inventory of all detected packages in the image, their type, package version, compliance status, number of vulnerabilities by severity, and layer indication:


The Packages table groups the vulnerabilities by the packages they were detected in.

Each package in the table is displayed on a separate line that can be clicked to open the Package Details pane on the right, where you can, among other things, review the package licenses:
Package Licenses

The Licenses screen allows you to perform 3 main actions:

  1. Remove licenses (can be performed in bulk).

  2. Revert manually performed license changes (can be performed in bulk).

  3. Assign new licenses.

Note: License modifications will be saved between scans.
Deleted licenses will no longer appear, and any added custom licenses will be displayed.


Package Copyrights

Note: Copyrights for Linux packages are not supported.

Similarly to the Licenses screen, the Copyrights screen allows you to perform 3 main actions:

  1. Remove copyrights (can be performed in bulk).

  2. Revert manually performed copyright changes (can be performed in bulk).

  3. Assign new copyrights.

Assign a new Copyright

To assign a new copyright, fill in the fields below in the Assign Copyright wizard:

  1. Author (mandatory)

  2. Copyright Text (mandatory)

  3. Copyright Period (optional)

  4. Organization (optional)

  5. Assigned By (optional)

  6. Click the Assign Copyright button when you are done.
