Skip to main content

View scanned and running images

The Images Assurance board in Manager UI provides lists for scanned images and running images.

In the left navbar in Manager UI, click Image Assurance, All Scanned Images.

All Scanned Images tab

This tab lists scanned images if you have enabled or used one of the Image Assurance scanners.

Running Images tab

The tab lists active container images for all connected managed clusters. It provides the CVEs associated with running pods to help you assess pod vulnerability. This tab is disabled by default.

To enable Running Images, click the Setting icon in the top right corner, then select Enable Runtime View.


If you are using the CLI scanner and your cluster does not use the default containerd socket path (/run/containerd/containerd.sock), you must change the path to allow the Running Images service to collect image information. To update the CRI socket path for a cluster, run the following command:

kubectl patch imageassurance default --type='merge' -p '{"spec":{"criSocketPath":"<path-to-cri-socket>"}}'

For details, see the Image Assurance installation reference.

Other notes:

  • The columns, Clusters and Running Instances, show the number of running instances in clusters that are connected to Calico Cloud.
  • The Unknown scan result filter reflects images that are not fully scanned. Because they can add noise to the table, they are disabled by default. To enable Unknown results for strategic troubleshooting, click the Result drop-down menu and select Unknown.
  • In the All Scanned Images and Running Images tabs, the Registry path field may be blank if Calico Cloud cannot access this metadata. For example, images from Docker Hub do not specify the registry in the image metadata.
  • Any exceptions configured for image scanning will be applicable to Runtime View as well.

Image assessment: Pass, Warn, and Fail

The Image Assurance image assessment is based on the Common Vulnerability Scoring System v3 (CVSS Scores). The following table shows how Image Assurance scores map to CVSS scores.

CVSS v3 scoresImage Assurance mappingDefault settings
0.0 – (None)
0.1 – 3.9 (Low)
Pass = 3.9Low
4.0 – 6.9 (Medium)Warn = 7Medium severity – 7
7.0 – 8.9 (High)
9.0 – 10.0 (Critical)
Fail = 8.0Critical or high – 8

CVEs without a CVSS v3 score (too old to have one, or are too new to be assigned one), display a blank score in the UI, and N/A in the CLI.

Changing the default CVSS threshold values

The following default threshold values will work for the majority of Calico Cloud deployments. However, you may need to change the defaults because of security requirements.


To change the CVSS threshold values, note the following:

  • Changes to threshold values take effect immediately and alter the scan results for images already in the system
  • If you are using admission controller policies, changing a value may allow pods in your Kubernetes cluster that were previously being blocked, to now be deployed or vice versa.

Export results

From each tab, you can export data or a JSON file with image URLs. Exporting data is based on the images in the list and the current filter selections. CSV table options include:

  • Export one row per image - export one row for each image with all associated CVEs condensed into a single column.
  • Export one row for each image and CVE ID - export a unique image plus CVE combination for each row. For example, if an image has 10 CVEs, 10 rows are created (1 for each CVE).

Images without associated CVEs are not included in the exported data (regardless if they are included by filters).

Next steps