Choose an image scanning method
Big picture
Scan images and Kubernetes workloads for vulnerabilities using Calico Cloud Image Assurance.
Value
Calico Cloud Image Assurance helps you identify vulnerabilities in the container images that you deploy to Kubernetes clusters. A vulnerability is a known flaw in a library or package used by an application that an attacker can exploit to cause harm. With Image Assurance you can:
- Scan an image for vulnerabilities
- Assess the impact of newly-found vulnerabilities and prioritize remediation efforts
- Catch vulnerabilities that are disclosed days or weeks after an image was first scanned, with continuous image rescanning
- Create exceptions to ignore specific vulnerabilities
- Create alerts on high-severity vulnerabilities so you can delegate remediation efforts to the appropriate team
- Block non-compliant workloads using policy as part of your cloud-native security posture
About Image Assurance
Image Assurance is based on the Common Vulnerabilities and Exposures (CVE) system, a catalog of publicly known security vulnerabilities and exposures. Each known vulnerability has a unique CVE ID made up of the year the ID was reserved or published and a sequence number (for example, CVE-2021-44228).
Scanned image content includes:
- Language libraries and artifacts (for example, Python packages, Ruby gems, Java jars, and Go)
- Packages (OS and non-OS)
- Image layers
Image scanning options
Image Assurance provides the scanner in several forms to accommodate different use cases, as shown in the following table.
Scan images in... | Description | Scanner access | Benefits |
---|---|---|---|
Kubernetes cluster | Scan any image running in the Kubernetes cluster, including locally built first-party images, so critical bugs can be fixed. | Runs automatically in the managed cluster; results are shown in Manager UI | The Image Assurance dashboard provides an easy way to get started with vulnerability scanning and remediation, and defense-in-depth coverage without building your own scanning solution. |
CI/CD pipeline | Integrate the CLI scanner into your application build pipeline and private registries to scan customer-built images, local images, and third-party images from public registries (for example, Kafka, Redis). | A downloadable binary | Incorporate the scanner as a lightweight runner in your build pipeline. Use the scanner offline and on-demand for ad hoc scanning and emergency patching. |
Image registries | Scan images in registries (for example, Amazon ECR). | A downloadable Docker image | Add a layer of defense for images that were not scanned in your build pipeline but are published to your registry. |
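The CI/CD pipeline row, together with the exception and severity-alert bullets under Value, describes a build gate without showing what one looks like. The following is an added example written for this page; it is not Calico Cloud code and does not call the Image Assurance CLI. The scan report shape (`image` plus a `findings` list), the exception file format, the severity names, and the CVE IDs other than CVE-2021-44228 are constructed assumptions; in a real pipeline you would `json.load` the scanner's own output and adapt the field names. The gate fails the build on findings at or above a severity threshold, honours only time-boxed exceptions that have not expired, and prints the blocking findings worst-first with the fixed version so the remediation owner knows what to bump.

```python
import re
from datetime import date

# CVE IDs are "CVE-" + 4-digit year + "-" + a sequence of 4 or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report (hypothetical shape, not Image Assurance output).
# CVE-2021-44228 is real; the CVE-2023-0000x IDs are placeholders.
SAMPLE_REPORT = {
    "image": "registry.example.com/payments/api:1.4.2",
    "findings": [
        {"cve": "CVE-2021-44228", "severity": "critical", "package": "log4j-core",
         "version": "2.14.1", "fixed_in": "2.17.1"},
        {"cve": "CVE-2023-00001", "severity": "high", "package": "libexample",
         "version": "1.0.0", "fixed_in": None},
        {"cve": "CVE-2023-00002", "severity": "high", "package": "libother",
         "version": "3.2.0", "fixed_in": "3.2.1"},
        {"cve": "CVE-2023-00003", "severity": "medium", "package": "libthird",
         "version": "0.9.0", "fixed_in": "0.9.1"},
    ],
}

# Constructed exception file: every exception carries a reason and an expiry,
# so an "ignore" cannot silently outlive the condition that justified it.
SAMPLE_EXCEPTIONS = {
    "CVE-2023-00001": {"reason": "vulnerable code path not reachable", "expires": "2030-01-01"},
    "CVE-2023-00002": {"reason": "waiting on upstream fix", "expires": "2020-01-01"},  # expired
}

SAMPLE_DATE = date(2024, 6, 1)  # fixed "today" so the demo is reproducible


def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, or None if malformed."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def evaluate(report, exceptions, min_severity="high", today=None):
    """Split findings into (blocking, suppressed, accepted) lists.

    blocking   - at or above min_severity and not covered by a live exception
    suppressed - at or above min_severity but covered by an unexpired exception
    accepted   - below the threshold; reported, not gated on
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[min_severity]
    blocking, suppressed, accepted = [], [], []
    for f in report["findings"]:
        if parse_cve_id(f["cve"]) is None:
            raise ValueError(f"malformed CVE ID in report: {f['cve']!r}")
        rank = SEVERITY_RANK.get((f.get("severity") or "unknown").lower(), 0)
        if rank < threshold:
            accepted.append(f)
            continue
        exc = exceptions.get(f["cve"])
        if exc and date.fromisoformat(exc["expires"]) >= today:
            suppressed.append(f)
        else:
            blocking.append(f)
    # Worst offenders first so the fix order is obvious in CI output.
    blocking.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"].lower(), 0), f["cve"]))
    return blocking, suppressed, accepted


def gate(report, exceptions, min_severity="high", today=None):
    """Return (exit_code, summary_lines) for a CI step: 1 blocks the build, 0 passes."""
    blocking, suppressed, accepted = evaluate(report, exceptions, min_severity, today)
    lines = [f"image {report['image']}: {len(blocking)} blocking, "
             f"{len(suppressed)} excepted, {len(accepted)} below threshold"]
    for f in blocking:
        fix = f" (fixed in {f['fixed_in']})" if f.get("fixed_in") else " (no fix available)"
        lines.append(f"  BLOCK {f['severity'].upper():8} {f['cve']} "
                     f"{f['package']} {f['version']}{fix}")
    for f in suppressed:
        lines.append(f"  SKIP  {f['cve']} excepted: {exceptions[f['cve']]['reason']}")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    code, summary = gate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, today=SAMPLE_DATE)
    print("\n".join(summary))
    raise SystemExit(code)  # non-zero exit fails the pipeline stage
```

On the sample, CVE-2021-44228 blocks outright and CVE-2023-00002 blocks because its exception has lapsed, while CVE-2023-00001 is skipped under a still-valid exception; the medium finding is reported but does not gate. Raising `min_severity` to `"critical"` is the knob for the "alert on high-severity only" use case, and keeping the exception file in version control gives an audit trail for every ignored CVE.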