Working with images from registries
The Resources → Registries section contains a list of image repositories scanned by Kaspersky Container Security and the image scan results. The list includes images from registries integrated with Kaspersky Container Security. You can add images to the list automatically or manually.
The list of images is empty until you configure integration with registries and settings for pulling and scanning images for the registry in the Administration section.
The list of images is displayed as a table in which images are grouped by repository.
You can perform the following actions in the Resources → Registries section:
- Search for images by name or checksum.
A search is conducted only in the selected active image registry. If the sought image is absent from the selected registry but is part of a different registry, the search gives no results.
- Filter the list to display images that match the specified criteria:
- Images only from the specified registries;
- Images that comply with or fail to comply with benchmarks;
- Images scanned during a specified period of time;
- Images for which the specified risks are identified.
- Start rescanning of the specified images (the Rescan button is displayed above the table after you select one or more images).
- Generate reports on selected images (the Create report button is displayed above the table after you select one or more images).
- Add images to the list and remove images from the list.
- View detailed information about the image scanning results.
Adding and removing images
Images from the registries integrated with Kaspersky Container Security can be added to the list of images automatically, in line with the configured settings for pulling and scanning images for each registry. You can also add images to the list of images from registries manually. New images are queued for scanning.
To manually add images to the list:
- In the Resources → Registries section, click the Add images button above the table.
You cannot add images to an image registry that is created at the request of the external Harbor registry.
- In the displayed window, select a registry from the Registry drop-down list.
- In the Search field, enter the name or part of the name of the repository or image and click the Search button.
- Under Repositories, select a repository.
- Under Image tags, select images using check boxes.
You can select images from several repositories.
- Click the Add images button.
To optimize the load on image registries, a list of images in the connected registries is generated every 10 minutes. After a new image appears in the registry, its appearance in the Kaspersky Container Security interface may be delayed by the specified period.
To remove images from the list:
- In the Resources → Registries section, do one of the following:
- Select one or more images that you want to remove from the list and start removal using the Delete link located above the table.
- In the list, select the repository of images you want to delete, open the action menu on the row with the repository name, and select Delete repository.
- In the window that opens, confirm the deletion.
Viewing image scanning results from registries
Summary information about the scan results of all images in the repository and each specific image is displayed in the list of images within repositories in the Resources → Registries section.
Click the image name link to open a page with detailed information on image scanning results.
The tabs at the top of the window contain the following information:
- The Risk tab provides a summary of the scanning results. If threats are detected during scanning, recommended actions to protect the image are available at the bottom of the page. Click the Rescan image button to repeat scanning of the image.
- The Vulnerabilities tab shows the vulnerabilities detected in the image. Click the vulnerability name link to open a detailed description of the vulnerability and find out whether an exploit is available for it.
Kaspersky Container Security receives vulnerability descriptions from the connected vulnerability database. The description is provided in the language of that database; for example, descriptions of vulnerabilities from the NVD are displayed in English.
The classification of vulnerabilities in the solution matches the classification used in the connected vulnerability database.
- The Layers tab displays the layers that make up the image, with the vulnerabilities identified in each layer. Click the layer name link to open a detailed description of the identified vulnerabilities.
- The Resources tab lists the resources (components) in the image, with the vulnerabilities identified in each resource. Click the resource name link to open a detailed description of the identified vulnerabilities.
- Malware Scan lists malware that the scan detected in the image. Click the malware name link to open a detailed description.
- The Sensitive data tab shows sensitive data (secrets) found in the image such as passwords, access keys, or tokens.
- The Misconfigurations tab displays detected image misconfigurations that constitute a threat. Click the misconfiguration name link to open a detailed description.
- The Information tab provides the basic information about the image and image history.
- The Hash scan history tab displays the latest scan results for each version of the image, identified by its hash. The results are updated if the same version of an image is scanned again, or added as a separate row of the table if a different version of the image is scanned.
The following information is displayed for each image:
- Status of compliance with security policy requirements
- Risk rating with an indication of the risk severity level.
- Date and time of the last scan.
- The number of objects containing vulnerabilities, malware, sensitive data, and misconfigurations in the image. For vulnerabilities, the number of objects is indicated separately for each identified risk severity level.
- The results of image scanning using the appropriate security policies within the current scopes.
If an image belongs to the image registry created during integration with the solution at the request of Harbor, the solution indicates this by marking the image with the Harbor icon.
By clicking the Create report button, you can generate a detailed report on images. You can also initiate a rescanning of the image by clicking the Rescan button.
Rescanning is not available for images received by Kaspersky Container Security from the image registry created during integration with the solution by Harbor request.
You can accept each identified risk.
Detailed information about detected vulnerabilities
The list of vulnerabilities detected during image scans is presented as a table on the Vulnerabilities tab in the image scan results window. For each vulnerability, the following information is provided:
- Vulnerability entry identifier. The identifier is given in the CVE-YYYY-X... format, where:
- CVE is a prefix indicating that the vulnerability is recorded in the CVE list, the database of publicly known vulnerabilities and security defects.
- YYYY is the year in which the identifier was assigned or the vulnerability was made public (not necessarily the year in which it was discovered).
- X... is the sequence number (at least four digits) assigned to the vulnerability by a CVE Numbering Authority.
- The vulnerability's severity level based on its risk rating.
If an exploit exists for the vulnerability, an exploit icon is displayed next to the severity level.
- Installed containerized resource in which the vulnerability was detected.
- Whether a fix for the vulnerability is available from the vendor. The solution shows the version number that has the fix, or indicates that no fix is available.
You can accept the risk of the vulnerability by clicking the Accept button in the Risk acceptance column.
To accept risks, risk management rights are required.
To view detailed information about a detected vulnerability:
- Click the link with the vulnerability record ID in one of the following sections:
- On the Vulnerabilities tab in the image scan results window.
- In the Vulnerabilities block on the dashboard.
- In the table with the complete list of vulnerabilities in the Investigation → Vulnerabilities section.
- This opens the sidebar with the following information about the detected vulnerability:
- Vulnerability entry identifier
- Description of the vulnerability from the vulnerability database. The description is provided in the language of the vulnerabilities database. For example, descriptions of vulnerabilities from the NVD are displayed in English.
- The General information tab displays the following:
- The vulnerability's severity level based on its risk rating.
- Installed resource in which the vulnerability was detected.
- Vulnerability severity scores according to the open scoring standard used by each of the connected vulnerability databases, as well as the final consolidated vulnerability severity score.
- The Artifacts tab displays detailed information on artifacts for images from registries and the runtime or CI/CD objects and indicates how many artifacts there are.
The block for an image from a registry or runtime shows the following information:
- Image object type and the name of the image. If autoprofiles were created based on the checksum of this image, an autoprofile icon appears next to the image name.
By clicking on the image name, you can go to a page containing detailed information about the image scan results.
To view detailed information, you need the rights to view the image scan results.
- Operating system of the image.
- Compliance status of the image: Compliant or Not-compliant.
- Risk rating.
- Date and time of the last image scan.
- Date and time when the vulnerability was first detected in the image.
The block for an object from the CI/CD pipeline shows the following information:
- Object type, which corresponds to the artifact type, and the object name.
By clicking the name of an artifact, you can go to a page containing detailed information about the results of scanning objects at the project building stage.
To view detailed information, you need the rights to view the results of scanning objects in CI/CD processes.
- Operating system in which the object was scanned.
- Compliance status of the object: Compliant or Not-compliant.
- Risk rating.
- Date and time of the last object scan.
- Date and time when the vulnerability was first detected in the object.
- Timestamp for scanning the object in a CI/CD process.
- The Workloads tab displays a list of the pods containing images with the vulnerability and how many of them there are. For each object, the following information is provided:
- Name of the cluster containing the pod in whose image or images the vulnerability was detected.
- Name of the namespace containing the pod in whose image the vulnerability was detected.
If you click the namespace name, the solution will open the namespace's side panel from the graph.
- Name of the pod in whose image the vulnerability was detected.
If you click the pod name, the solution will open the pod's side panel from the graph.
- The Risk acceptance tab displays the following information:
- Risk acceptance date.
- Risk acceptance period.
- Subset.
- Person who initiated risk acceptance.
- Reason for risk acceptance.
The Risk acceptance tab is available if you have rights to view accepted risks.
For each accepted risk, you can do the following:
- Use the corresponding icon to set the duration of the risk acceptance.
- Use the corresponding icon to cancel the risk acceptance.
This tab also lets you use the Add risk acceptance button to add a risk acceptance for the vulnerability.
The "Manage risks" rights are required to edit the risk acceptance settings.
Detailed information about detected malware
If image scanning detects malware, the solution displays this on the page with information about the image scan results. To view detailed information about a detected malicious object, in the window with image scan results, select the Malware scan tab.
For each object, the solution generates the MD5 or SHA256 hash and indicates the path to the location where it was detected.
You can view detailed information about detected malicious objects in Kaspersky cyberthreat databases by clicking the links to the Kaspersky OpenTIP and Kaspersky TIP resources. The threat description page on the Kaspersky OpenTIP portal is publicly available; to access Kaspersky TIP, users must enter their account credentials.
Misconfiguration control of images
Kaspersky Container Security detects misconfigurations in configuration files using the configuration file scanner. This scanner can scan images, file systems, and repositories that contain infrastructure-as-code configuration files (for example, Terraform, CloudFormation, Azure ARM templates, Helm chart and Dockerfile packages). Kaspersky Container Security scans the following configuration files:
- Configuration files of Kubernetes objects.
- Configuration files of cluster components.
- Configuration files of images.
- Configuration files of Amazon cloud environment services.
- Configuration files of Azure cloud environment services.
- Configuration files of the DigitalOcean cloud environment.
- Configuration files of the Apache CloudStack cloud environment.
- Configuration files of Terraform GitHub Provider.
- Configuration files of Google cloud environment services.
- Configuration files of Nifcloud Provider.
- Configuration files of OpenStack.
- Configuration files of Oracle Compute Cloud.
The following table lists the configuration file types and file formats that Kaspersky Container Security supports.
Types and formats of configuration files

File type | File format
---|---
Kubernetes | *.yml, *.yaml, *.json
Docker | Dockerfile, Containerfile
Terraform | *.tf, *.tf.json, *.tfvars
Terraform Plan | tfplan, *.tfplan, *.json
CloudFormation | *.yml, *.yaml, *.json
Azure ARM Template | *.json
Helm | *.yaml, *.tpl, *.tar.gz
YAML | *.yaml, *.yml
JSON | *.json
About risk rating
A scan conducted by Kaspersky Container Security results in rating a risk of the scanned object. While scanning, the solution may detect all or some of the following security issues in objects:
- Vulnerabilities
- Malware
- Sensitive data
- Misconfigurations
Each risk detected is assigned one of the following risk ratings, based on the severity of the security threats:
- Negligible.
- Low.
- Medium.
- High.
- Critical.
If no security issues are detected during scanning, such an image is considered secure and is marked as Ok.
Risk ratings of the detected vulnerabilities, malware, sensitive data, or misconfigurations correspond to the ratings specified in the security threat databases, which are used for scanning (for example, NVD and Data Security Threats Database). These vulnerability and threat databases use special scoring scales to assess the severity of security threats. For example, the Common Vulnerability Scoring System (CVSS) is applied in the NVD.
The object is assigned the highest severity level among all detected security issues, and its risk rating is set accordingly.
For example, the following security threats were detected during an object scan:
- vulnerabilities with the low level of severity;
- sensitive data with the high and critical levels of severity;
- configuration errors with the medium severity level;
- malware with the low severity level.
Here, the risk rating is critical in accordance with the highest severity level of the detected threats.
Risk handling
Threats identified by Kaspersky Container Security (vulnerabilities, malware, sensitive data, and misconfigurations) are subject to the Risk acceptance procedure. If you accept the risk of a threat, it will not be considered by assurance policies when determining image security status (Compliant/Non-compliant with security policies) during the specified acceptance period. Image scanning continues to detect the threat, but does not label the image as Non-compliant.
If you accept the risk of a vulnerability detected in an image, the risk is accepted within the extent you select when accepting it (the specific image, its repository, or all images). If the risks of all vulnerabilities in an image are accepted, the image is deemed compliant with security policy requirements and receives the Compliant status.
If you change the settings of the assurance policy applied to images, the image security status also changes.
The risk from a threat is accepted for a period of 30 days by default. You can extend the period during which the risk is considered accepted. You can also cancel risk acceptance at any time. If you cancel risk acceptance, the associated threat will again affect the security status of the image.
You can view the list of all accepted risks in the Policies → Risk acceptance section.
Risk acceptance
You can accept the risks found by the solution taking into account the following:
- For vulnerabilities, configuration errors, and sensitive data, risks of any severity level can be accepted.
- For malware, only risks with the Medium, Low, and Negligible severity levels can be accepted; malware risks with the High and Critical severity levels cannot be accepted.
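The rules above (the image takes the highest severity of anything detected, an image with no findings is Ok, an accepted risk stays in the results but stops affecting compliance until its period ends, malware rated High or Critical cannot be accepted), together with the CVE identifier format described earlier, are easy to get subtly wrong when post-processing scan results in a pipeline. The following is an added example written for this page, not Kaspersky Container Security code; the Finding and Acceptance records, the sample findings (which reproduce the page's worked example, with a placeholder CVE ID that was not looked up anywhere), and the assurance policy used (any unaccepted finding at or above a threshold makes the image Non-compliant) are assumptions for illustration and do not reproduce the product's report schema or policy options.

```python
"""Risk rating, risk acceptance and compliance status for one scanned image.

Added example, not Kaspersky Container Security code. Finding/Acceptance
records, the sample data and the threshold-based assurance policy are
assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Severity scale from the page, lowest to highest. "Ok" is not a finding
# severity; it is what an image gets when nothing was detected.
SEVERITY_ORDER = ("Negligible", "Low", "Medium", "High", "Critical")

# CVE identifier syntax described on the page: CVE-YYYY-NNNN..., where the
# sequence part has at least four digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class Finding:
    threat_type: str   # "vulnerability", "malware", "sensitive_data" or "misconfiguration"
    identifier: str    # CVE ID, malware name, secret kind or check name
    severity: str      # one of SEVERITY_ORDER


@dataclass(frozen=True)
class Acceptance:
    identifier: str    # identifier of the accepted finding
    accepted_on: date
    days: int = 30     # the page's default acceptance period

    def is_active(self, today: date) -> bool:
        return today < self.accepted_on + timedelta(days=self.days)


def parse_cve(identifier: str):
    """Return (year, sequence) for a well-formed CVE ID, otherwise None."""
    m = CVE_RE.match(identifier)
    return (int(m.group(1)), int(m.group(2))) if m else None


def severity_rank(severity: str) -> int:
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {severity!r}")
    return SEVERITY_ORDER.index(severity)


def can_accept(finding: Finding) -> bool:
    """Malware rated High or Critical can never be accepted; all else can."""
    if finding.threat_type == "malware":
        return severity_rank(finding.severity) < severity_rank("High")
    return True


def risk_rating(findings) -> str:
    """Highest severity among all findings, or "Ok" when nothing was found."""
    if not findings:
        return "Ok"
    return max((f.severity for f in findings), key=severity_rank)


def compliance(findings, acceptances, today: date, threshold: str = "High") -> str:
    """Return "Compliant" unless an unaccepted finding reaches the threshold.

    Expired acceptances, and acceptances recorded for findings that cannot
    be accepted at all, are ignored rather than honoured.
    """
    by_id = {f.identifier: f for f in findings}
    active = {
        a.identifier
        for a in acceptances
        if a.is_active(today) and a.identifier in by_id and can_accept(by_id[a.identifier])
    }
    for f in findings:
        if f.identifier not in active and severity_rank(f.severity) >= severity_rank(threshold):
            return "Non-compliant"
    return "Compliant"


# Constructed sample reproducing the page's worked example. The CVE ID is a
# placeholder for the format only and was not looked up in any database.
SAMPLE_FINDINGS = (
    Finding("vulnerability", "CVE-2023-12345", "Low"),
    Finding("sensitive_data", "aws-access-key", "High"),
    Finding("sensitive_data", "private-key", "Critical"),
    Finding("misconfiguration", "runs-as-root", "Medium"),
    Finding("malware", "Trojan.Sample", "Low"),
)


def run_demo() -> dict:
    """Rating and compliance before, during and after accepting the two secrets."""
    accepted = [Acceptance("aws-access-key", date(2024, 1, 1)),
                Acceptance("private-key", date(2024, 1, 1))]
    return {
        "rating": risk_rating(SAMPLE_FINDINGS),
        "rating_clean": risk_rating(()),
        "before": compliance(SAMPLE_FINDINGS, [], date(2024, 1, 1)),
        "accepted": compliance(SAMPLE_FINDINGS, accepted, date(2024, 1, 15)),
        "expired": compliance(SAMPLE_FINDINGS, accepted, date(2024, 2, 1)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that the rating stays Critical throughout: acceptance changes only the compliance status, which is what the page describes, and on the 31st day after acceptance the secrets count again.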
You can accept risk in the following sections:
- In the Image scan results window, risks associated with all threat types (vulnerabilities, malware, misconfigurations, and sensitive data) detected by scanning a specific image can be accepted.
- In the Investigation → Vulnerabilities section, risks are accepted for all vulnerabilities detected by the solution. Risks are accepted in relation to all artifacts detected during the scanning process, including CI/CD objects.
To accept risks, risk management rights are required.
To accept a risk based on image scan results:
- In the image scan results window, open the tab with information about the required threat type.
- In the table, select a threat and click the Accept button in the Risk acceptance column.
- In the window that opens, specify the risk acceptance parameters:
- Select the extent of risk acceptance:
- For the selected image with the detected risk;
- For all images in the repository containing the image with the detected security threat;
- For all images in which this security threat has been or will be detected.
- Specify the period after which this security threat must be considered again when determining the image security status.
- Specify the reason for risk acceptance.
- Click the Accept button.
The selected threat does not affect the security status of this specific image, images in the repository, or all images for the defined number of days (or for an unlimited term).
An accepted risk can be viewed in the Policies → Risk acceptance section.
To accept the risk of a detected vulnerability:
- Click the vulnerability record ID in one of the following sections:
- On the Vulnerabilities tab in the image scan results window.
- In the Investigation → Vulnerabilities section.
- In the sidebar that opens, go to the Risk acceptance tab.
The Risk acceptance tab is available if you have rights to view accepted risks.
- Click the Add risk acceptance button.
- In the window that opens, specify the risk acceptance parameters:
- Select the extent of risk acceptance:
- for the selected artifact (image or CI/CD object)
- for the repository containing the object with the detected vulnerability
- for artifacts in which this vulnerability is currently detected
- for all artifacts, including artifacts that the solution may find during subsequent scans.
The risk is accepted regardless of the scopes configured in the solution.
- Specify a period from 1 to 999 days after which the risk acceptance for this vulnerability will be revoked. By default, the period is 30 days.
- Specify the reason for risk acceptance.
- Click the Add button.
The accepted risk for the vulnerability is displayed on the Risk acceptance tab. It can also be viewed in the Policies → Risk acceptance section.
Viewing information about accepted risks
The list of all accepted risks is displayed in the Policies → Risk acceptance section.
You can use the list to do the following:
- Search by risk name, repository name, image, or resource where the risk is detected.
- Filter the list by risk type and manufacturer fix availability.
- Generate a Risk acceptance report by clicking the Create report button above the table.
- Sort the list by date of acceptance, risk name, scope (applied to all images or just one image), and acceptance period using the sort icon.
- View detailed information about risk acceptance and the associated threat. Click the risk name link to open the window with the related detailed information.
Use the buttons in the detailed information window to do the following:
- Specify or extend the time period after which this security threat must be considered again when determining image security status.
- Cancel risk acceptance.
You can also view information about the accepted risk in the list of detected threats in the image scanning results. In the row with the threat with accepted risk, you can find the time of risk acceptance. You can click the link to open a window with detailed information about the risk acceptance and the associated threat.
Information about risk acceptance for a specific vulnerability is also indicated in the table with the list of all vulnerabilities detected by the solution in the Investigation → Vulnerabilities section. The Risk acceptance column displays the number of artifacts (images, CI/CD objects) for which the risk was accepted.
To view the accepted risks of a vulnerability, you need the "View accepted risks" rights.
Information about accepted risks is shown regardless of scopes.
More detailed information on each accepted risk for a specific vulnerability is provided in the detailed description of the vulnerability on the Risk acceptance tab.
Cancelling risk acceptance
To cancel risk acceptance:
- In one of the following sections, open the table with the list of objects in which the risk was detected:
- On the tab corresponding to the risk in the image scan results window.
- In the Investigation → Vulnerabilities section.
- Select a risk and click the Edit button in the Risk acceptance column.
The Edit button is shown only for previously accepted risks.
- Click the Revoke button and confirm your action in the window that opens.
You can also revoke risk acceptance for a vulnerability from the window with detailed information about the vulnerability by using the cancellation icon on the Risk acceptance tab.
Canceling risk acceptance means that the associated threat will again affect the security status of the image(s) for which the risk was accepted.
Scanning Java packages in images
Kaspersky Container Security can scan Java packages contained in registry images. For this purpose, the solution uses Java vulnerability databases.
Scanning of Java packages is available in Kaspersky Container Security v1.2.1 and later. If an earlier version is installed, update the solution to v1.2.1 or later to use this functionality.
You can configure scanning of Java packages by setting the value of the ENABLE_JAVA_VULN environment variable in the values.yaml file. If ENABLE_JAVA_VULN = true, Kaspersky Container Security performs scanning using the Java vulnerability databases. If ENABLE_JAVA_VULN = false, Java packages are not scanned. By default, ENABLE_JAVA_VULN is set to false.
Starting from v1.2.1, the kcs-updates component provided in the distribution kit contains the Java vulnerability databases. To use this component, make sure the environment variables in the values.yaml file are defined as follows:
ENABLE_JAVA_VULN = true
KCS_UPDATES_TAG = vX.X.X (the version in the tag matches the version of the solution)
KCS_UPDATES = true
If Java package scanning is activated (ENABLE_JAVA_VULN = true), the kcs-scanner solution component downloads the Java vulnerability databases and notifies the kcs-middleware and kcs-ih components accordingly. The kcs-ih component then receives the database files from kcs-scanner, assembles and validates the database, and uses it during scanning.
Vulnerabilities found using the Java vulnerability database are displayed in the image scanning results.
Kaspersky Container Security can also scan Java packages in images in external registries and during the CI/CD process when an external scanner is used. In this case, you must use the scanner with the vX.X.X-with-db-java tag, which contains a pre-installed Java vulnerability database. This scanner is configured and used in the same way as the vX.X.X-with-db scanner.
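The three settings above are easy to get out of step during a Helm upgrade (Java scanning switched on against a pre-1.2.1 release, or kcs-updates left disabled so no Java database ever arrives). The following preflight check is an added example written for this page, not part of Kaspersky Container Security. It encodes only the rules stated above; the assumptions are that the settings are read as plain strings (as they would be from the environment section of values.yaml), that a matching KCS_UPDATES_TAG is exactly "v" followed by the solution version, and that the external scanner tags follow the "vX.X.X-with-db" / "vX.X.X-with-db-java" naming given on the page.

```python
"""Preflight check for Java package scanning settings in values.yaml.

Added example, not part of Kaspersky Container Security. Assumptions: the
settings arrive as strings, a matching KCS_UPDATES_TAG equals "v" plus the
solution version, and external scanner tags use the "-with-db[-java]" suffix.
"""
import re

MIN_JAVA_SCAN_VERSION = (1, 2, 1)   # Java scanning exists from v1.2.1
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn "1.2.1" or "v1.2.1" into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a vX.Y.Z version: {text!r}")
    return tuple(int(part) for part in m.groups())


def _is_true(value) -> bool:
    # Helm may render booleans as "true" or "True"; treat both as enabled.
    return str(value).strip().lower() == "true"


def check_java_scan_env(env: dict, solution_version: str) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    version = parse_version(solution_version)
    if not _is_true(env.get("ENABLE_JAVA_VULN", "false")):
        return problems   # Java scanning is off; the other settings are not needed for it
    if version < MIN_JAVA_SCAN_VERSION:
        problems.append("Java scanning requires v1.2.1 or later; solution is v"
                        + ".".join(map(str, version)))
    if not _is_true(env.get("KCS_UPDATES", "false")):
        problems.append("KCS_UPDATES must be true so kcs-updates can supply the Java databases")
    tag = env.get("KCS_UPDATES_TAG")
    if tag is None:
        problems.append("KCS_UPDATES_TAG is not set")
    else:
        try:
            if parse_version(tag) != version:
                problems.append(f"KCS_UPDATES_TAG {tag} does not match solution version "
                                f"v{'.'.join(map(str, version))}")
        except ValueError:
            problems.append(f"KCS_UPDATES_TAG {tag!r} is not a vX.Y.Z tag")
    return problems


def external_scanner_tag(solution_version: str, java: bool) -> str:
    """Tag of the external scanner image carrying a pre-installed database."""
    major, minor, patch = parse_version(solution_version)
    return f"v{major}.{minor}.{patch}-with-db" + ("-java" if java else "")


if __name__ == "__main__":
    # Constructed sample: Java scanning enabled on an older release with a stale tag.
    sample_env = {"ENABLE_JAVA_VULN": "true", "KCS_UPDATES_TAG": "v1.2.0"}
    for problem in check_java_scan_env(sample_env, "1.1.0"):
        print("problem:", problem)
    print("external scanner tag:", external_scanner_tag("1.2.1", java=True))
```

Run it against the values you are about to apply; a non-empty problem list means the Java databases would either never be downloaded or would not match the deployed components.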