Risk handling
Threats identified by Kaspersky Container Security (vulnerabilities, malware, sensitive data, and misconfigurations) are subject to the Risk acceptance procedure. If you accept the risk of a threat, it will not be considered by assurance policies when determining image security status (Compliant/Non-compliant with security policies) during the specified acceptance period. Image scanning continues to detect the threat, but does not label the image as Non-compliant.
If you accept the risk of a vulnerability detected in an image, this risk is accepted for the specific image registry. If the risk is accepted for all vulnerabilities in an image, the image is deemed compliant with security policy requirements and is given Compliant status.
If you change the settings of the assurance policy applied to images, the image security status also changes.
The risk from a threat is accepted for a period of 30 days by default. You can extend the period during which the risk is considered accepted. You can also cancel risk acceptance at any time. If you cancel risk acceptance, the associated threat will again affect the security status of the image.
You can view the list of all accepted risks in the Policies → Risk acceptance section.
Risk acceptance
You can accept the risks found by the solution, subject to the following restrictions:
- For vulnerabilities, misconfigurations, and sensitive data, you can accept risks of any severity level.
- For malware, you can accept risks only with the Medium, Low, and Negligible severity levels. You cannot accept malware risks with the High and Critical severity levels.
You can accept risk in the following sections:
- In the Image scan results window, risks associated with all threat types (vulnerabilities, malware, misconfigurations, and sensitive data) detected by scanning a specific image can be accepted.
- In the Investigation → Vulnerabilities section, you can accept risks for any vulnerability detected by the solution. Risks are accepted in relation to all artifacts in which the vulnerability was detected during scanning, including CI/CD objects.
To accept risks, risk management rights are required.
To accept a risk based on image scan results:
- In the image scan results window, open the tab with information about the required threat type.
- In the table, select a threat and click the Accept button in the Risk acceptance column.
- In the window that opens, specify the risk acceptance parameters:
  - Select the extent of risk acceptance:
    - For the selected image with the detected risk;
    - For all images in the repository containing the image with the detected security threat;
    - For all images in which this security threat has been or will be detected.
  - Specify the period after which this security threat must be considered again when determining the image security status.
  - Specify the reason for risk acceptance.
- Click the Accept button.
The selected threat does not affect the security status of this specific image, images in the repository, or all images for the defined number of days (or for an unlimited term).
An accepted risk can be viewed in the Policies → Risk acceptance section.
To accept the risk of a detected vulnerability:
- Click the vulnerability record ID in one of the following sections:
  - On the Vulnerabilities tab in the image scan results window.
  - In the Investigation → Vulnerabilities section.
- In the sidebar that opens, go to the Risk acceptance tab.
The Risk acceptance tab is available if you have rights to view accepted risks.
- Click the Add risk acceptance button.
- In the window that opens, specify the risk acceptance parameters:
  - Select the extent of risk acceptance:
    - for the selected artifact (image or CI/CD object);
    - for the repository containing the object with the detected vulnerability;
    - for artifacts in which this vulnerability is currently detected;
    - for all artifacts, including artifacts that the solution may find during subsequent scans.
    The risk is accepted regardless of the scope.
  - Specify a period from 1 to 999 days after which the risk acceptance for this vulnerability will be revoked. By default, the period is 30 days.
  - Specify the reason for risk acceptance.
- Click the Add button.
The accepted risk for the vulnerability is displayed on the Risk acceptance tab. It can also be viewed in the Policies → Risk acceptance section.
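To make the rules above concrete, here is an added Python model (not Kaspersky Container Security code) of how accepted risks feed into image status: the malware severity restriction, the 1 to 999 day acceptance period with its 30 day default, the image/repository/all scope, expiry, and revocation. The Threat and Acceptance types, the image references, and the assumption that every threat not covered by an active acceptance makes an image Non-compliant are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed model of this page's rules (not Kaspersky code); assumes any uncovered threat makes an image Non-compliant.
ACCEPTABLE_MALWARE_SEVERITIES = {"Medium", "Low", "Negligible"}
SCOPES = ("image", "repository", "all")

@dataclass(frozen=True)
class Threat:
    kind: str        # "vulnerability", "malware", "misconfiguration" or "sensitive_data"
    name: str
    severity: str    # "Critical", "High", "Medium", "Low" or "Negligible"
    image: str       # full image reference, e.g. "registry.example/app:1.0" (constructed)
    repository: str  # repository part of that reference

@dataclass
class Acceptance:
    threat_name: str
    scope: str       # one of SCOPES
    image: str
    repository: str
    accepted_on: date
    days: int        # 1..999; the page's default is 30
    reason: str
    revoked: bool = False

def can_accept(t: Threat) -> bool:
    # Malware is acceptable only at Medium/Low/Negligible; other threat types at any severity.
    return t.kind != "malware" or t.severity in ACCEPTABLE_MALWARE_SEVERITIES

def accept(t: Threat, scope: str, reason: str, today: date, days: int = 30) -> Acceptance:
    if not can_accept(t):
        raise ValueError(f"{t.kind} at {t.severity} severity cannot be accepted")
    if scope not in SCOPES or not 1 <= days <= 999:
        raise ValueError("invalid scope or acceptance period")
    return Acceptance(t.name, scope, t.image, t.repository, today, days, reason)

def covers(a: Acceptance, t: Threat, today: date) -> bool:
    # Active (not revoked, period not elapsed) and the scope includes this threat's artifact.
    if a.revoked or a.threat_name != t.name or today >= a.accepted_on + timedelta(days=a.days):
        return False
    return (a.scope == "all"
            or (a.scope == "repository" and a.repository == t.repository)
            or (a.scope == "image" and a.image == t.image))

def image_status(image: str, threats: list, acceptances: list, today: date) -> str:
    for t in threats:
        if t.image == image and not any(covers(a, t, today) for a in acceptances):
            return "Non-compliant"
    return "Compliant"
```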
Viewing information about accepted risks
The list of all accepted risks is displayed in the Policies → Risk acceptance section.
You can use the list to do the following:
- Search by risk name, repository name, image, or resource where the risk is detected.
- Filter the list by risk type and manufacturer fix availability.
- Generate a Risk acceptance report by clicking the Create report button above the table.
- Sort the list by date of acceptance, risk name, scope (applied to all images or just one image), and acceptance period. Sorting is performed using the sort icon.
- View detailed information about risk acceptance and the associated threat. Click the risk name link to open the window with the related detailed information.
Use the buttons in the detailed information window to do the following:
- Specify or extend the time period after which this security threat must be considered again when determining image security status.
- Cancel risk acceptance.
You can also view information about the accepted risk in the list of detected threats in the image scanning results. In the row with the threat with accepted risk, you can find the time of risk acceptance. You can click the link to open a window with detailed information about the risk acceptance and the associated threat.
Information about risk acceptance for a specific vulnerability is also indicated in the table with the list of all vulnerabilities detected by the solution in the Investigation → Vulnerabilities section. The Risk acceptance column displays the number of artifacts (images, CI/CD objects) for which the risk was accepted.
To view the accepted risks of a vulnerability, you need the "View accepted risks" rights.
Information about accepted risks is shown regardless of scopes.
More detailed information on each accepted risk for a specific vulnerability is provided in the detailed description of the vulnerability on the Risk acceptance tab.
Cancelling risk acceptance
To cancel risk acceptance:
- In one of the following sections, open the table with the list of objects in which the risk was detected:
  - On the tab corresponding to the risk in the image scan results window.
  - In the Investigation → Vulnerabilities section.
- Select a risk and click the Edit button in the Risk acceptance column.
The Edit button is shown only for previously accepted risks.
- Click the Revoke button and confirm your action in the window that opens.
You can also revoke risk acceptance for vulnerabilities from the window with detailed information about the vulnerability by clicking the icon on the Risk acceptance tab.
Canceling risk acceptance means that the associated threat will again affect the security status of the image(s) for which the risk was accepted.