Vulnerability Scans scan the images in your container repository services or your Virtual Machine (VM) instances for Common Vulnerabilities and Exposures (CVEs). Skyhigh Cloud Native Application Protection Platform (CNAPP) scans your services to identify the software stored in the container images or running on the VMs. If CNAPP detects vulnerabilities in the supported software, they are reported as incidents.
Vulnerability Scans are based on the Common Vulnerability Scoring System (CVSS), which assigns industry-standard scores to vulnerabilities. CNAPP uses CVSSv2 and CVSSv3, defaulting to CVSSv3 when there are differences.
KNOWN ISSUE: Reported Vulnerability Severity values change as CNAPP upgrades from CVSSv2 to CVSSv3.
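As an added illustration (not Skyhigh CNAPP code) of the CVSSv3 preference and of why a severity can change between CVSS versions, the following Python maps a CVE record carrying both scores to a qualitative label. The band thresholds are the published CVSS v2 and v3 ratings; the record layout, field names and sample CVE IDs are constructed assumptions.

```python
# Added example, not CNAPP code: rate a CVE from its CVSS base scores,
# preferring CVSSv3 when both are present, and show why the label can
# shift when a scanner moves from v2 to v3. All records are constructed.

# Published qualitative rating bands. v2 has no NONE or CRITICAL band,
# so the same numeric score can carry a different label under each version.
CVSS_V2_BANDS = [(0.0, 3.9, "LOW"), (4.0, 6.9, "MEDIUM"), (7.0, 10.0, "HIGH")]
CVSS_V3_BANDS = [(0.0, 0.0, "NONE"), (0.1, 3.9, "LOW"), (4.0, 6.9, "MEDIUM"),
                 (7.0, 8.9, "HIGH"), (9.0, 10.0, "CRITICAL")]


def severity(score, bands):
    """Map a numeric base score (0.0-10.0) to its qualitative band."""
    for low, high, label in bands:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside 0.0-10.0")


def rate(cve):
    """Return (version_used, score, label); CVSSv3 wins when both exist."""
    if cve.get("cvss_v3") is not None:
        return "v3", cve["cvss_v3"], severity(cve["cvss_v3"], CVSS_V3_BANDS)
    if cve.get("cvss_v2") is not None:
        return "v2", cve["cvss_v2"], severity(cve["cvss_v2"], CVSS_V2_BANDS)
    return None, None, "UNSCORED"  # e.g. a CVE still awaiting NVD analysis


def severity_shift(cve):
    """(v2 label, v3 label) for a CVE scored under both, else None."""
    if cve.get("cvss_v2") is None or cve.get("cvss_v3") is None:
        return None
    return (severity(cve["cvss_v2"], CVSS_V2_BANDS),
            severity(cve["cvss_v3"], CVSS_V3_BANDS))


# Constructed sample records with placeholder IDs (not real CVEs).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cvss_v2": 10.0, "cvss_v3": 9.8},  # HIGH -> CRITICAL
    {"id": "CVE-0000-0002", "cvss_v2": 5.0, "cvss_v3": 7.5},   # MEDIUM -> HIGH
    {"id": "CVE-0000-0003", "cvss_v2": 4.3, "cvss_v3": None},  # only v2 scored
]

if __name__ == "__main__":
    for cve in SAMPLE_CVES:
        print(cve["id"], rate(cve), severity_shift(cve))
```

The first two records show the effect behind the known issue above: an unchanged CVE can move from High to Critical, or from Medium to High, purely because the v3 score and bands replace the v2 ones.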
Vulnerability Scans appear as an option while creating an on-demand scan. They can be configured to run on demand or scheduled to run daily or weekly.
When you configure your Vulnerability Scan, select Container Images or VM instances:
- Container Images. Scans container repository services, including Amazon Elastic Container Registry (ECR), Azure Container Registry (ACR), and Google Container Registry (GCR).
- VM Instances. Scans running virtual machine hosts, including Amazon Elastic Compute Cloud (EC2), Azure Virtual Machines (VMs), and Google Cloud Platform (GCP) VM instances. You can also scan containers running on a VM for vulnerabilities. (This identifies only vulnerabilities introduced into the running containers beyond those already identified in the image.)
- Clusters. When you select VM Instances, you can also scan Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE) main and secondary nodes for vulnerabilities. The main node is scanned by default, and you can add Tags to specify any secondary nodes.
- Create a Vulnerability Scan for Container Images
- Create a Vulnerability Scan for Virtual Machines
- Create and manage your Vulnerability Policies on the Vulnerability Policies Page.
Before you can create a Vulnerability Scan for VMs, you must install Skyhigh Security Cloud Workload Protection Platform (CWPP) POPs and CWPP Agents on the endpoints. The agents discover applications on the endpoints and send this data to CNAPP to build the app inventory. Currently, only Linux is supported.
CWPP POPs and Agents are not needed for container images.
Supported Operating Systems
The following operating systems are supported for Vulnerability Scans:
- Alpine. v3.2, v3.3, v3.4 to v3.12
- Amazon Linux. 2, 2018.03
- CentOS/RHEL. 5, 6, 7, 8
- Debian. 9, 10, 11
- Oracle Linux. 5, 6, 7, 8
- Ubuntu. 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04
Supported Container Platforms
CNAPP relies on the National Vulnerability Database (NVD) to provide the latest Common Vulnerabilities and Exposures (CVEs). Currently, the CVE database covers the following versions:
- Docker. CVEs for all versions up to 20.10
- Kubernetes. CVEs for all versions up to v1.20
CNAPP supports the following container runtimes:
- dockerd. Supported for Vulnerability Assessment, Configuration Audit, and all other CNAPP features.
- containerd. Supported for Vulnerability Assessment.