View scanned and running images
The Images Assurance board in Manager UI provides lists for scanned images and running images.
In the left navbar in Manager UI, click Image Assurance, All Scanned Images.
All Scanned Images tab​
This tab lists scanned images if you have enabled or used one of the Image Assurance scanners.
Running Images tab​
The tab lists active container images for all connected managed clusters. It provides the CVEs associated with running pods to help you assess pod vulnerability. This tab is disabled by default.
To enable Running Images, click the Setting icon in the top right corner, then select Enable Runtime View.
If you are using the CLI scanner and your cluster does not use the default containerd socket path (/run/containerd/containerd.sock), you must change the path to allow the Running Images service to collect image information. To update the CRI socket path for a cluster, run the following command:
kubectl patch imageassurance default --type='merge' -p '{"spec":{"criSocketPath":"<path-to-cri-socket>"}}'
For details, see Image Assurance installation reference.
Other notes:
- The columns, Clusters and Running Instances, show the number of running instances in clusters that are connected to Calico Cloud.
- The Unknown scan result filter reflects images that are not fully scanned. Because they can add noise to the table, they are disabled by default. To enable Unknown results for strategic troubleshooting, click the Result drop-down menu and select Unknown.
- In the All Scanned Images and Running Images tabs, the Registry path field may be blank if Calico Cloud cannot access this metadata. For example, images from Docker Hub do not specify the registry in the image metadata.
Image assessment: Pass, Warn, and Fail​
The Image Assurance image assessment is based on the Common Vulnerability Scoring System v3 (CVSS Scores). The following table shows how Image Assurance scores map to CVSS scores.
| CVSS v3 scores | Image Assurance mapping | Default settings |
|---|---|---|
| 0.0 – (None) 0.1 – 3.9 (Low) | Pass = 3.9 | Low |
| 4.0 – 6.9 (Medium) | Warn = 7 | Medium severity – 7 |
| 7.0 – 8.9 (High) 9.0 – 10.0 (Critical) | Fail = 8.0 | Critical or high – 8 |
CVEs without a CVSS v3 score (too old to have one, or are too new to be assigned one), display a blank score in the UI, and N/A in the CLI.
Changing the default CVSS threshold values​
The following default threshold values will work for the majority of Calico Cloud deployments. However, you may need to change the defaults because of security requirements.
To change the CVSS threshold values, note the following:
- Changes to threshold values take effect immediately and alter the scan results for images already in the system
- If you are using admission controller policies, changing a value may allow pods in your Kubernetes cluster that were previously being blocked, to now be deployed or vice versa.
Export results​
From each tab, you can export data or a JSON file with image URLs. Exporting data is based on the images in the list and the current filter selections. CSV table options include:
- Export one row per image - export one row for each image with all associated CVEs condensed into a single column.
- Export one row for each image and CVE ID - export a unique image plus CVE combination for each row. For example, if an image has 10 CVEs, 10 rows are created (1 for each CVE).
Images without associated CVEs are not included in the exported data (regardless if they are included by filters).
Exclude vulnerabilities from image scan assessment​
You can exclude specific vulnerabilities from the image scan assessment (for example, a false positive). You can exclude a vulnerability for an image version, all images in the same repo, or all images in the system.
Excluding vulnerabilities from image assessment can significantly change how Image Assurance determines image health and can create actions you need to take to stabilize your workflow.
- Maximum CVSS score - an image’s maximum CVSS score may be reduced to a lower score. An exception could eliminate the vulnerability with the highest CVSS score for an image.
- Scan results - scan results for Pass/Warn/Fail could change because they are based on the maximum CVSS score. For example, Fail could change to Warn, and Warn could change to Pass.
- Vulnerability global alerts - alerts may no longer be triggered. Alerts are triggered based on scan results or maximum CVSS score values of images.
- Admission controller policies - pods could be created where they were previously blocked. Admission controller policies are based on vulnerability information (scan result and/or maximum CVSS score).
To create a vulnerability exception:
- Go to Image Assurance, All Scanned Images.
- Select an image from the list.
- On the panel, open the Package, and click Actions, Add Exception.
- Enter the required information and click Save. The exception is immediately applied to your scan results.
To view the list of vulnerability exceptions, go to the left navbar: Image Assurance, Vulnerability Exceptions.
Next steps​
- Set up alerts on vulnerabilities
- Create policy to block vulnerable containers from deploying to your cluster