Scanner policies
A scanner policy determines the settings for scanning different types of resources.
When Kaspersky Container Security is installed, a default scanner policy is created; it can be applied to all resources and executed in all environments. It is called the global scan policy (default). This policy is assigned global scope by default.
You can enable, disable, or configure global scanner policy settings if your role has been assigned the rights to manage scanner policies and view the global scope.
The following actions cannot be performed on a global scanner policy:
- Change the assigned global scope.
- Remove the global scanner policy.
The list of configured scanner policies is displayed as a table in the Policies → Scanner policies section.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Enable or disable policies by using the Disabled / Enabled toggle button in the Status column of the table.
- Change policy settings. You can open the editing window by clicking the policy name link.
  You can also enable and disable policies in the edit window. Kaspersky Container Security does not use disabled policies when operating.
- Configure rules for detecting sensitive data. To do this, go to the Sensitive data tab.
- Delete policies.
Creating a scanner policy
Rights to manage scanner policy settings are required to add a scanner policy in Kaspersky Container Security.
To add a scanner policy:
- In the Policies → Scanner policies section, click the Add policy button.
  The policy settings window opens.
- Use the Disabled / Enabled toggle switch to disable the added policy, if necessary. In this case, it will be added but not applied until it is activated.
  By default, the status of a newly added scanner policy is Enabled.
- Enter a policy name and, if required, a policy description.
- In the Scope field, select the scope for the scanner policy from the available options.
  If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.
- In the Vulnerabilities section, configure the following settings:
  - Use the Disabled / Enabled toggle switch to configure scanning using the National Vulnerability Database (NVD).
  - Use the Disabled / Enabled toggle switch to configure scanning using the Vulnerability Database (VDB).
- In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image as part of the File Threat Protection component.
- In the Misconfigurations section, use the Disabled / Enabled toggle switch to configure a scan for configuration errors.
- Click Save.
Editing scanner policy settings
You can edit the scanner policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.
To change scanner policy settings:
- In the Policies → Scanner policies section, click the policy name link.
  The policy settings editing window opens.
- If required, use the Disable / Enable toggle switch to change the policy status (enabled / disabled).
- Make changes to the policy settings. The following settings are open for editing:
  - The policy's name, description, and scope.
  - Vulnerability control settings. Select the check boxes for the vulnerability database(s) to check images against.
  - Malware control settings. Select the check box if you need to scan images for malware and other file threats. This check is performed by the File Threat Protection component.
  - Misconfiguration control settings. Select the check box if you need to check images for misconfigurations. This check is performed with the default settings configured by the Kaspersky Container Security manufacturer.
- Click Save.
Configuration of sensitive data detection rules
The list of configured rules for detecting sensitive data (hereinafter referred to as Secrets) during image scanning is displayed in the Policies → Scanner policies → Sensitive data section.
The rules are grouped into categories depending on the purpose and scope of secrets to be detected. The list of categories is determined by the Kaspersky Container Security manufacturer. Categories contain predefined rules.
You can use the list to do the following:
- View and change the settings for secrets detection rules. You can open the editing window by clicking the rule ID link.
- Add new rules to the selected category. Click the Add rule button located above the table to open the integration settings window. To add rules that do not belong to any of the preset categories, use the Other category.
- Delete rules. Check the box next to one or more rules in the list. The delete icon is then displayed.
To change the settings of sensitive data detection rules:
- In the table, in the Policies → Scanner policies → Policies section, select the scanner policy.
- In the Sensitive data section, select the necessary rules by selecting the check boxes in the rule lines.
- Use the Disable / Enable toggle switch in the Status column in the table with the list of policy rules to enable or disable this policy component.
Do not click the Save button.
Kaspersky Container Security immediately applies the changes to the sensitive data settings and displays the corresponding notification. You can also refresh the page to see the settings change.