Kaspersky Container Security

Assurance policies

An assurance policy defines the actions that Kaspersky Container Security takes when threats detected during image scanning meet the criteria specified in the policy.

The configured assurance policies are displayed as a table in the Policies → Assurance policies section.

You can use the list to do the following:

  • Add new policies. Click the Add policy button located above the table to open the policy settings window.
  • Change policy settings. You can open the editing window by clicking the policy name link.
  • Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
  • Delete policies.

If you add an assurance policy, modify its settings, or delete a policy, the compliance status is reviewed (Compliant / Non-compliant) for the images to which the policy is applied.

In this section

Creating an assurance policy

Editing assurance policy settings


Creating an assurance policy

Rights to manage security policy settings are required to add a security policy in Kaspersky Container Security.

To add an assurance policy:

  1. In the Policies → Assurance policies section, click the Add policy button.

    The policy settings window opens.

  2. Enter a policy name and, if required, policy description.
  3. In the Scope field, select the scope for the image security policy from the available options.

    If you plan to implement the policy with the default scope, one of your user roles must be granted the rights to view default scopes.

  4. Specify the actions that Kaspersky Container Security should perform in accordance with the policy:
    • Fail CI/CD step—if the Kaspersky Container Security scanner detects threats matching the severity level specified in the policy while scanning the image in the CI/CD pipeline, the scan ends with an error (Failed). This result is passed to the CI system.
    • Label images as non-compliant—Kaspersky Container Security labels images containing detected threats that meet the criteria specified in the policy.
  5. In the Vulnerability level section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the vulnerability severity level.
    • Set the assigned severity level based on the vulnerability databases. You can select it from the Severity level drop-down list or specify a severity score from 0 to 10.
    • Use the Disabled / Enabled toggle switch to configure blocking in case of specific vulnerabilities and specify these vulnerabilities in the Vulnerabilities field.
  6. In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image.
  7. In the Misconfigurations section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the misconfiguration severity level.
    • Select the misconfiguration severity level from the Severity level drop-down list.

      The severity level is assigned based on the vulnerability databases.

  8. In the Sensitive data section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the sensitive data severity level.
    • Select the sensitive data severity level from the Severity level drop-down list.

      The severity level is assigned based on the vulnerability databases.

  9. Click Save.

By default, the added policy is Enabled.
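The following added example models how the criteria from steps 4 to 8 combine into the two policy actions. It is illustrative code written for this page, not Kaspersky Container Security's own implementation or report format; the scan result layout, the severity names, the rule that any single enabled criterion triggers the policy, and the "Passed" result are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed severity ordering; the product's own level names may differ.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed sample scan result (not a real scanner report).
SAMPLE_SCAN = {
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "High", "score": 7.5},
        {"id": "CVE-EXAMPLE-0002", "severity": "Medium", "score": 5.0},
    ],
    "malware": [],
    "misconfigurations": [{"severity": "Low"}],
    "sensitive_data": [{"severity": "High"}],
}

@dataclass
class AssurancePolicy:
    fail_ci_cd_step: bool = True          # step 4, first action
    label_non_compliant: bool = True      # step 4, second action
    vuln_level_enabled: bool = True       # step 5, severity level toggle
    vuln_severity_min: str = "High"       # Severity level drop-down ...
    vuln_score_min: Optional[float] = None  # ... or a 0-10 score (assumed: score >= threshold)
    block_vulns_enabled: bool = False     # step 5, specific vulnerabilities toggle
    blocked_vulns: set = field(default_factory=set)
    malware_enabled: bool = True          # step 6
    misconfig_enabled: bool = False       # step 7
    misconfig_severity_min: str = "High"
    sensitive_enabled: bool = True        # step 8
    sensitive_severity_min: str = "High"

def matched_criteria(policy: AssurancePolicy, scan: dict) -> list:
    """Return one reason per enabled criterion that the scan result satisfies."""
    reasons, vulns = [], scan["vulnerabilities"]
    if policy.vuln_level_enabled:
        if policy.vuln_score_min is not None:
            hits = [v["id"] for v in vulns if v["score"] >= policy.vuln_score_min]
        else:
            hits = [v["id"] for v in vulns
                    if SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[policy.vuln_severity_min]]
        if hits:
            reasons.append(f"vulnerability level: {hits}")
    if policy.block_vulns_enabled:
        hits = sorted(policy.blocked_vulns & {v["id"] for v in vulns})
        if hits:
            reasons.append(f"blocked vulnerabilities: {hits}")
    if policy.malware_enabled and scan["malware"]:
        reasons.append(f"malware: {len(scan['malware'])} object(s)")
    for key, enabled, minimum in (("misconfigurations", policy.misconfig_enabled, policy.misconfig_severity_min),
                                  ("sensitive_data", policy.sensitive_enabled, policy.sensitive_severity_min)):
        if enabled:
            hits = [f for f in scan[key] if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[minimum]]
            if hits:
                reasons.append(f"{key}: {len(hits)} finding(s)")
    return reasons

def evaluate(policy: AssurancePolicy, scan: dict) -> dict:
    """Map matched criteria to the policy's actions (assumed: any match triggers both)."""
    reasons = matched_criteria(policy, scan)
    triggered = bool(reasons)
    return {"compliance": "Non-compliant" if triggered and policy.label_non_compliant else "Compliant",
            "ci_result": "Failed" if triggered and policy.fail_ci_cd_step else "Passed",
            "reasons": reasons}
```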


Editing assurance policy settings

You can edit the image security policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change assurance policy settings:

  1. In the Policies → Assurance policies section, click the policy name in the list of existing assurance policies.

    The policy settings window opens.

  2. Make changes to the relevant policy settings:
    • The policy's name, description, and scope.
    • Actions of the solution in accordance with this policy.
    • Required scans.
    • Severity level of vulnerabilities detected during scans.
    • Identifiers of the specific vulnerabilities used for blocking.
  3. Click Save.