Calico Cloud documentation

Choose an image scanning method

Big picture

Scan images and Kubernetes workloads for vulnerabilities using Calico Cloud Image Assurance.

Value

Calico Cloud Image Assurance helps you identify vulnerabilities in container images that you deploy to Kubernetes clusters. Vulnerabilities are known flaws in the libraries and packages used by applications that attackers can exploit to cause harm. With Image Assurance you can:

  • Scan an image for vulnerabilities
  • Assess the impact of newly-found vulnerabilities and prioritize remediation efforts
  • Catch vulnerabilities disclosed days or weeks after an image was first scanned, using continuous image rescanning
  • Create exceptions to ignore specific vulnerabilities
  • Create alerts on high-severity vulnerabilities so you can delegate remediation efforts to the appropriate team
  • Block non-compliant workloads using policy as part of your cloud-native security posture

About Image Assurance

Image Assurance is based on the Common Vulnerabilities and Exposures (CVE) system, which provides a catalog of publicly-known security vulnerabilities and exposures. Known vulnerabilities are identified by a unique CVE ID based on the year it was reported (for example, CVE-2021-44228).

Scanned image content includes:

  • Libraries and content (for example, python, ruby gems, jars and go)
  • Packages (OS and non-OS)
  • Image layer

Image scanning options

Image Assurance provides different versions of the scanner to accommodate different use cases as shown in the following table.

Scan images in: Kubernetes cluster
  Description: Scan any running image in the Kubernetes cluster, including locally-built first-party images, to fix critical bugs.
  Scanner access: Runs automatically in the managed cluster in Manager UI
  Benefits: The Image Assurance dashboard provides an easy way to get started with vulnerability scanning and remediation, and defense-in-depth coverage without building your own scanning solution.

Scan images in: CI/CD pipeline
  Description: Integrate the CLI scanner in your application build pipeline and private registries, including:
    - Customer-built images
    - Local images
    - Third-party images from public registries (for example, Kafka, Redis)
  Scanner access: A downloadable binary
  Benefits: Incorporate the scanner as a lightweight runner in your build pipeline. Use the scanner offline and on-demand for ad hoc scanning and emergency patching.

Scan images in: Image registries
  Description: Scan images in registries (for example, Amazon ECR).
  Scanner access: A downloadable Docker image
  Benefits: Add a layer of defense for images that were not scanned in your build pipeline but get published to your registry.