Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 12. Examining images for vulnerabilities

With Red Hat Advanced Cluster Security for Kubernetes, you can analyze images for vulnerabilities by using the RHACS Scanner V4, or you can configure an integration to use another supported scanner.

12.1. Scanning in RHACS
Copy link

RHACS scanners analyze each image layer to find packages and match them against known vulnerabilities by comparing them with a vulnerability database populated from different sources. These sources include Red Hat Vulnerability Exchange (VEX), the National Vulnerability Database (NVD), the Open Source Vulnerabilities (OSV) database, and operating system vulnerability feeds.

Note

RHACS uses the OSV database available at OSV.dev under Apache License 2.0.

RHACS contains two scanners: Scanner V4 and the StackRox Scanner.

Scanner V4, built on Claircore, is the default scanner as of release 4.8. The StackRox Scanner, which originates from a fork of the Clair v2 open source scanner, is deprecated. Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies.

Note

When this documentation uses the term "RHACS scanner" or "Scanner", it refers to Scanner V4.

When the RHACS scanner finds any vulnerabilities, it performs the following actions:

  • Shows them in the Vulnerability Management view for detailed analysis
  • Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment
  • Checks them against enabled security policies

The RHACS scanner inspects the images and identifies the installed components based on the files in the images. It might fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

Expand
ComponentsFiles

Package managers

  • /etc/alpine-release
  • /etc/lsb-release
  • /etc/os-release or /usr/lib/os-release
  • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release
  • Other similar system files.

Language-level dependencies

  • package.json for JavaScript.
  • dist-info or egg-info for Python.
  • MANIFEST.MF in Java Archive (JAR) for Java.

Application-level dependencies

  • dotnet/shared/Microsoft.AspNetCore.App/
  • dotnet/shared/Microsoft.NETCore.App/

12.2. About Scanner V4
Copy link

RHACS provides its own scanner, Scanner V4, or you can configure an integration to use RHACS with another vulnerability scanner.

Built on Claircore, Scanner V4 provides scanning for language and operating system-specific image components and scanning Red Hat Enterprise Linux CoreOS (RHCOS).

Note

Beginning with release 4.6, due to changes in vulnerability sources used, Scanner V4 only considers vulnerabilities affecting Red Hat products dated back to 2014. Previously, when reading Red Hat’s OVAL data, the vulnerabilities dated back to before 2000.

12.3. Enabling Scanner V4
Copy link

Scanner V4 is enabled by default when RHACS is newly installed. However, if you have not previously enabled Scanner V4 and are upgrading from version 4.7 or earlier, you must enable it explicitly during the upgrade to use it.

You can enable Scanner V4 after installation by using the Operator or Helm.

If Scanner V4 was not enabled during installation, you can enable it after installation.

Procedure

  1. In the cluster where Central is installed, in the console, click Ecosystem Installed Operators and select the RHACS Operator.
  2. Click Central in the menu bar.
  3. Click the name of the cluster where Central was installed. The default value is stackrox-central-services.
  4. Click the YAML tab.

  5. Edit the YAML file as shown in the following example: 

      scannerV4:
    scannerComponent: Enabled
    Copy to Clipboard Toggle word wrap

You can enable Scanner V4 after installation.

Prerequisite

  • You set up Central and the secured cluster by using a CRS or an init bundle so that they can communicate with each other.

Procedure

  1. In the secured cluster, click Ecosystem Installed Operators and select the RHACS Operator.
  2. Click Secured Cluster in the menu bar.
  3. Click the default cluster name, stackrox-secured-cluster-services, or the name that you entered during installation.
  4. Click the YAML tab.

  5. Edit the YAML file as shown in the following example: 

      scannerV4:
    scannerComponent: AutoSense
    Copy to Clipboard Toggle word wrap

You can enable Scanner V4 when upgrading by using Helm by enabling setting the scannerV4.disable parameter to false.

Procedure

  1. On the cluster where Central is installed, run the following command, using the instructions in "Changing configuration options after deploying the central-services Helm chart" if you need more information: 

    $ helm upgrade -n stackrox \
    stackrox-central-services rhacs/central-services \
    --reuse-values \
    -f <path_to_values_public.yaml> \
    -f <path_to_generated-values.yaml> \
    --set scannerV4.disable=false
    Copy to Clipboard Toggle word wrap

    where:

    <path_to_generated-values.yaml>
    Specifies the path to the generated values YAML file. When updating the system and installing a new component, you must provide the internal CA. See "Retrieving the automatically generated certificate authority".

You can enable Scanner V4 when upgrading by using Helm.

Prerequisites

  • You set up Central and the secured cluster by using a CRS or an init bundle so that they can communicate with each other.

Procedure

  1. On the secured cluster, run the following command, using the instructions in "Configuring the secured-cluster-services Helm chart with customizations" if you need more information: 

    $ helm upgrade -n stackrox \
    stackrox-central-services rhacs/secured-cluster-services \
    --reuse-values \
    -f <path_to_values_public.yaml> \
    -f <path_to_generated-values.yaml> \
    --set scannerV4.disable=false
    Copy to Clipboard Toggle word wrap

    where:

    <path_to_generated-values.yaml>
    Specifies the path to the generated values YAML file. When updating the system and installing a new component, you must provide the internal CA. See "Retrieving the automatically generated certificate authority".

12.4. Scanning images
Copy link

Scanner V4 is the default scanner for RHACS. When scanning, it performs the following actions:

  • Central requests the Scanner V4 Indexer to download and index (analyze) given images.
  • Scanner V4 Indexer pulls image metadata from registries to determine the layers of the image, and downloads each previously unindexed layer.
  • Scanner V4 Indexer requests mapping files from Central that assist the indexing process. Scanner V4 Indexer produces in an index report.
  • Central requests that Scanner V4 Matcher match given images to known vulnerabilities. This process results in the final scan result: a vulnerability report. Scanner V4 Matcher requests the latest vulnerabilities from Central.
  • Scanner V4 Matcher requests the results of the image indexing, the index report, from Scanner V4 Indexer. It then uses the report to determine relevant vulnerabilities. This interaction occurs only when the image is indexed in the Central cluster. This interaction does not occur when Scanner V4 is matching vulnerabilities for images indexed in secured clusters.
  • The Indexer stores data in the Scanner V4 DB that is related to the indexing results to ensure that image layers are only downloaded and indexed once. This prevents unnecessary network traffic and other resource utilization.
  • When secured cluster scanning is enabled, Sensor requests Scanner V4 to index images. Scanner V4 Indexer requests mapping files from Sensor that assist the indexing process unless Central exists in the same namespace. In that case, Central is contacted instead.

When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE warning message. Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.

The following table shows some common Scanner warning messages:

Expand
Table 12.1. Warning messages
MessageDescription

Unable to retrieve the OS CVE data, only Language CVE data is available

Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages.

Stale OS CVE data

Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated. For example, Debian 8 and 9.

For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities.

Failed to get the base OS information

Indicates that Scanner scanned the image, but was unable to determine the base operating system used for the image.

Failed to retrieve metadata from the registry

Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking docker.io, or an authentication issue preventing access.

To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries.

Image out of scope for Red Hat Vulnerability Scanner Certification

Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.

Important

If you are using a Red Hat container image, consider using a base image newer than June 2020.

12.4.2. Supported operating systems
Copy link

The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities, and it is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.

Scanner identifies vulnerabilities in images that contain the following Linux distributions. For more information about the vulnerability databases used, see "Vulnerability sources" in "RHACS Architecture".

Expand
DistributionVersion

Alpine Linux

alpine:3.2[1],alpine:3.3, alpine:3.4, alpine:3.5, alpine:3.6, alpine:3.7, alpine:3.8, alpine:3.9, alpine:3.10, alpine:3.11, alpine:3.12, alpine:3.13, alpine:3.14, alpine:3.15, alpine:3.16, alpine:3.17, alpine:3.18, alpine:3.19, alpine:3.20, alpine:3.21[2], alpine:3.22[2], alpine:edge

Amazon Linux

amzn:2018.03, amzn:2, amzn:2023[2]

CentOS

centos:6[1], centos:7[1], centos:8[1]

Debian

debian:11, debian:12, debian:13[2], debian:unstable[1], Distroless

The following vulnerability sources are not updated by the vendor: debian:8[1], debian:9[1], debian:10[1]

Oracle Linux

ol:5[2], ol:6[2], ol:7[2], ol:8[2], ol:9[2]

Photon OS

photon:1.0[2], photon:2.0[2], photon:3.0[2]

Red Hat Enterprise Linux (RHEL)

rhel:6[3], rhel:7[3], rhel:8[3], rhel:9, rhel:10[2]

SUSE

sles:11[2], sles:12[2], sles:15[2], opensuse-leap:15.5[2], opensuse-leap:15.6[2]

Ubuntu

ubuntu:14.04, ubuntu:16.04, ubuntu:18.04, ubuntu:20.04, ubuntu:22.04, ubuntu:24.04, ubuntu:25.04`[2]

The following vulnerability sources are not updated by the vendor: ubuntu:12.04[1], ubuntu:12.10[1], ubuntu:13.04[1], ubuntu:14.10[1], ubuntu:15.04[1], ubuntu::15.10[1], ubuntu::16.10[1], ubuntu:17.04[1], ubuntu:17.10[1], ubuntu:18.10[1], ubuntu:19.04[1], ubuntu:19.10[1], ubuntu:20.10[1], ubuntu:21.04[1], ubuntu:21.10[1], ubuntu:22.10[1], ubuntu:23.04[1], ubuntu:23.10[1], ubuntu:24.10[1]

  1. Only supported in the StackRox Scanner.
  2. Only supported in Scanner V4.
  3. Images older than June 2020 are not supported in Scanner V4.
Note

Scanner does not support the Fedora operating system because Fedora does not maintain a vulnerability database. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.

12.4.3. Supported package formats
Copy link

Scanner can check for vulnerabilities in images that use the following package formats:

Expand
Package formatPackage managers

apk

apk

dpkg

apt, dpkg

rpm

dnf, microdnf, rpm, yum

12.4.4. Supported programming languages
Copy link

Scanner can check for vulnerabilities in dependencies for the following programming languages:

Expand
Programming languagePackage format

Go[1]

Binaries: The standard library version used to build the binary is analyzed. If the binaries are built with module support (go.mod), then the dependencies are also analyzed.

Java

JAR, WAR, EAR, JPI, HPI

JavaScript

package.json

Python

egg, wheel

Ruby

gem

  1. Only supported in Scanner V4.

12.4.5. Supported layer compression formats
Copy link

Container image layers are .tar file archives that might be compressed or uncompressed. StackRox Scanner and Scanner V4 support different formats as shown in the following table:

Expand
FormatStackRox Scanner SupportScanner V4 Support

No compression

Yes

Yes

bzip2

Yes

Yes

gzip

Yes

Yes

xz

Yes

No

zstd

No

Yes

12.4.6. Supported runtimes and frameworks
Copy link

Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), the StackRox Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core
  • ASP.NET Core

These are not supported by Scanner V4.

12.5. Scanning virtual machines
Copy link

You can use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to scan virtual machine (VM) workloads running on Red Hat OpenShift Virtualization (RHOCPV) to identify security vulnerabilities in packages installed on VMs. RHACS creates index reports of installed packages and matches them against known vulnerabilities to provide comprehensive security assessment of VM workloads.

Important

Vulnerability management in RHACS for virtual machines running on OpenShift Virtualization is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

RHACS uses the following components to collect, process, and analyze VM package data:

  • roxagent: A binary executable that runs inside VMs and scans for installed packages, creates index reports, and sends them to the relay component
  • Relay: The node-level RHACS component that receives index reports from roxagent and forwards them to Sensor
  • Sensor: The cluster-level RHACS component that collects data from relay components and sends it to Central
  • Central: The main component that stores virtual machine information and finds vulnerabilities based on the reported packages

The VM scanning process follows this data flow:

  1. The roxagent binary running inside a VM scans the filesystem for installed packages and package managers such as Red Hat Package Manager (RPM) and DNF.
  2. roxagent creates index reports based on discovered packages.
  3. roxagent sends the index reports to the host by using the virtual socket (vsock) protocol.
  4. The relay component in the Collector daemonset receives the index reports.
  5. Relay forwards the reports to Sensor for processing.
  6. Sensor aggregates VM data with Kubernetes API information.
  7. Sensor sends the combined data to Central.
  8. Central stores the VM information and requests Scanner V4 to match packages against known CVEs.
  9. Central provides access to VM vulnerability data through the RHACS portal and the API.

To use RHACS to scan VMs, you must configure a feature flag in RHACS. Additionally, you must ensure that your system meets specific hardware and software requirements. For more information about requirements, see "Resource requirements for virtual machine scanning".

12.5.1. Requirements for virtual machine scanning
Copy link

To use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to scan virtual machines (VMs), you must meet specific requirements.

Red Hat OpenShift Virtualization (RHOCPV) must meet the following requirements:

  • The RHOCPV Operator is installed in the cluster you want to scan.
  • The HyperConverged resource is patched to enable virtual socket (vsock) support.

VMs must meet the following requirements:

  • VM resources include vsock support with the setting spec.domain.devices.autoattachVSOCK: true.
  • VMs are running Red Hat Enterprise Linux (RHEL). You must register any host where the scan agent is installed with Red Hat Subscription Manager and have an active RHEL subscription.
  • VMs have internet access to download repository-to-Common Platform Enumeration (CPE) mappings.
  • DNF is installed.

For resource requirements, such as CPU and memory resource allocation, see "Resource requirements for virtual machine scanning".

12.5.2. Limitations for virtual machine scanning
Copy link

Scanning virtual machines (VMs) with Red Hat Advanced Cluster Security for Kubernetes has some limitations.

Scanning VMs has the following limitations:

  • Currently, RHACS can only scan VMs that are running RHEL.
  • RHEL must be activated with a valid subscription.
  • Only RHEL packages indexed by DNF with valid repository links can be scanned.
  • Scanning requires sudo privileges for roxagent to scan package databases and send index reports over a privileged port.
  • Only packages managed by Red Hat Package Manager (RPM) and DNF are detected.
  • Internet connectivity is required for repository-to-CPE mapping downloads.

To use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to scan virtual machines (VMs), you must configure a feature flag. You must also configure virtual socket (vsock) support in RHOCPV.

Procedure

  1. Set the VM feature flag environment variable ROX_VIRTUAL_MACHINES=true on the following components:

    • Central container in the Central pod
    • Sensor container in the Sensor pod
    • Compliance container in the Collector pod

  2. Enable vsock support in RHOCPV by adding the following annotation: 

    metadata:
 annotations:
   kubevirt.kubevirt.io/jsonpatch: |-
     [
       {
         "op":"add",
         "path":"/spec/configuration/developerConfiguration/featureGates/-",
         "value":"VSOCK"
       }
     ]
    Copy to Clipboard Toggle word wrap

    You can add the annotation by editing the CR manually. For example, you can apply a JSON patch by entering the following command: 

    $ cat << EOF | kubectl apply -f -
apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: openshift-cnv
  annotations:
    kubevirt.kubevirt.io/jsonpatch: |-
      [
        {
          "op":"add",
          "path":"/spec/configuration/developerConfiguration/featureGates/-",
          "value":"VSOCK"
        }
      ]
spec: {}
EOF
    Copy to Clipboard Toggle word wrap

Depending on your system needs, you might need to set some advanced configuration parameters to scan virtual machines.

Procedure

  • In the Collector pod in the Compliance container, you can configure the following environment variables:

    • ROX_VIRTUAL_MACHINES_VSOCK_PORT: Port for virtual socket (vsock) connections. The default value is 818.
    • ROX_VIRTUAL_MACHINES_MAX_CONCURRENT_VSOCK_CONNECTIONS: Maximum number of VMs that can send index reports concurrently. The default value is 50.
    • ROX_VIRTUAL_MACHINES_VSOCK_CONN_MAX_SIZE_KB: Maximum connection size in KB. The default value is 16384.

  • In the Central pod, you can configure the following environment variables:

    • ROX_VM_INDEX_REPORT_RATE_LIMIT: Maximum number of index reports per second that Central accepts. Each secured cluster gets an equal share (1/N) of this global capacity. The default value is 0.3.
    • ROX_VM_INDEX_REPORT_BUCKET_CAPACITY: Maximum number of requests that can be accepted in a burst before rate limiting happens. The default value is 200.

12.5.4. Deploying roxagent
Copy link

To use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to scan virtual machines (VMs), you must run roxagent, a binary executable. It runs inside VMs, scans for installed packages, and creates index reports. There are several methods to deploy roxagent, depending on factors such as if you want to use a validated pipeline or if you want to build it manually.

To deploy roxagent from a validated pipeline, you can deploy it as a systemd-managed container service by using Podman Quadlet. This deployment method uses container images from a validated build pipeline, runs roxagent periodically by using a systemd timer, and manages the container lifecycle automatically.

To install roxagent from an unvalidated pipeline, you can use one of the following methods to get the binary:

  • Download the binary from the Red Hat OpenShift mirror site.
  • Download the source file from the GitHub StackRox repository and build it by using git.

After obtaining the binary, you transfer it to the VM and run it there.

You can deploy roxagent as a systemd-managed container service by using Podman Quadlet. This deployment method uses container images from a validated build pipeline, runs roxagent periodically by using a systemd timer, and manages the container lifecycle automatically.

Prerequisites

  • You have a Red Hat Enterprise Linux (RHEL) 8, 9, or 10 virtual machine running on RHOCPV with virtual socket (vsock) enabled.
  • You have installed Podman on the VM.
  • You have deployed RHACS with VM scanning enabled by setting ROX_VIRTUAL_MACHINES=true.
  • The VM has network access to pull the RHACS main image from your container registry.

Procedure

  1. Verify that vsock is available: 

    $ ls -la /dev/vsock
    Copy to Clipboard Toggle word wrap

  2. Create the Quadlet directory: 

    $ sudo mkdir -p /etc/containers/systemd/
    Copy to Clipboard Toggle word wrap

  3. Copy the following content to /etc/systemd/system/roxagent-prep.service: 

    [Unit]
Description=Prepare RPM database for StackRox VM Agent
# Copy the RPM database to a writable location because SQLite WAL mode
# requires write access even for read-only queries

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/rm -rf /tmp/roxagent-rpm
ExecStart=/bin/cp -a /var/lib/rpm /tmp/roxagent-rpm
ExecStart=/bin/chmod -R 755 /tmp/roxagent-rpm
    Copy to Clipboard Toggle word wrap

  4. Copy the following content to /etc/systemd/system/roxagent.timer: 

    [Unit]
Description=Run StackRox VM Agent periodically

[Timer]
OnBootSec=5min
OnUnitActiveSec=3h40m
RandomizedDelaySec=40min
Persistent=true

[Install]
WantedBy=timers.target
    Copy to Clipboard Toggle word wrap

  5. Copy the following content to /etc/containers/systemd/roxagent.container: 

    [Unit]
Description=StackRox VM Agent Container
# Copy RPM database before starting (SQLite WAL requires writable access)
Requires=roxagent-prep.service
After=roxagent-prep.service

[Container]
# Replace with your StackRox main image tag
Image=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.10
Exec=--host-path /host
Network=host

# Privileged for vsock access
# Use PodmanArgs for entrypoint (RHEL 8 Quadlet doesn't support Entrypoint key)
# Run as root since image defaults to non-root user
SecurityLabelDisable=true
PodmanArgs=--privileged --user root --entrypoint /stackrox/bin/roxagent --device /dev/vsock

# Mount copied RPM database (writable for SQLite WAL) and host config files (read-only)
Volume=/tmp/roxagent-rpm:/host/var/lib/rpm:rw
Volume=/etc/yum.repos.d:/host/etc/yum.repos.d:ro
Volume=/etc/os-release:/host/etc/os-release:ro
Volume=/etc/redhat-release:/host/etc/redhat-release:ro
Volume=/etc/system-release-cpe:/host/etc/system-release-cpe:ro
# DNF cache and state for repo-to-package mapping
Volume=/var/cache/dnf:/host/var/cache/dnf:ro
Volume=/var/lib/dnf:/host/var/lib/dnf:ro

[Service]
Type=oneshot
TimeoutStartSec=300

[Install]
WantedBy=
    Copy to Clipboard Toggle word wrap

    Where:

    <rhacs-version>
    The version of your RHACS deployment, for example, 4.10.0.

  6. If SELinux is enabled, restore the SELinux contexts by entering the following commands: 

    $ sudo restorecon -Rv /etc/containers/systemd/
    Copy to Clipboard Toggle word wrap 
    $ sudo restorecon -Rv /etc/systemd/system/roxagent.timer /etc/systemd/system/roxagent-prep.service
    Copy to Clipboard Toggle word wrap

  7. Reload systemd and enable the timer by entering the following commands: 

    $ sudo systemctl daemon-reload
    Copy to Clipboard Toggle word wrap 
    $ sudo systemctl enable --now roxagent.timer
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the timer is active by entering the following command: 

    $ sudo systemctl list-timers roxagent.timer
    Copy to Clipboard Toggle word wrap

  • Optional: Run a scan immediately by entering the following command: 

    $ sudo systemctl start roxagent.service
    Copy to Clipboard Toggle word wrap

  • View the scan logs by entering the following command: 

    $ sudo journalctl -u roxagent.service -f
    Copy to Clipboard Toggle word wrap

To use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to scan virtual machines (VMs), you must run roxagent, a binary executable program. It runs inside VMs, scans for installed packages, and creates index reports. If you do not want to use Podman Quadlet to install roxagent, you can deploy it by using an unvalidated pipeline.

Prerequisites

  • You have installed DNF in the VM and you have completed at least one DNF transaction, such as dnf update or dnf install, so that the scan agent can pull all necessary metadata.
  • You have registered the VM with Red Hat Subscription Manager and you have an active RHEL subscription.

Procedure

  1. Perform one of the following steps to get roxagent:

    • Download roxagent from https://mirror.openshift.com/pub/rhacs/assets/<version>/bin/linux/roxagent. For <version>, use the RHACS version number that you are running, for example, 4.10.0.

    • Build the roxagent binary manually:

      1. Clone the stackrox repository by entering the following command: 

        $ git clone git@github.com:stackrox/stackrox.git
        Copy to Clipboard Toggle word wrap

      2. Change to the stackrox directory and enter the following command: 

        $ GOOS=linux GOARCH=amd64 go build ./compliance/virtualmachines/roxagent
        Copy to Clipboard Toggle word wrap
  2. Transfer the binary to the VM by using a method such as scp or cloud-init.

  3. Run the binary inside the VM. To perform a one-time scan, enter the following command: 

    $ sudo ./roxagent
    Copy to Clipboard Toggle word wrap

    To perform continuous monitoring, enter the following command: 

    $ sudo ./roxagent --daemon
    Copy to Clipboard Toggle word wrap

12.5.5. Troubleshooting virtual machine scanning
Copy link

If you have problems when viewing vulnerability results for VMs, you can try some common troubleshooting steps. You can try different steps depending on the type of issue you are having, for example, connectivity or performance issues. You can also make sure your system meets the recommended requirements. See "Resource requirements for virtual machine scanning".

Procedure

  • If roxagent cannot connect to the host, try these steps:

    • Verify that virtual socket (vsock) is enabled in the VM configuration.
    • Check that the relay is running on the host node.
    • Ensure that the vsock kernel modules are loaded.
    • Verify that port configuration matches between the roxagent and relay.

  • If the scan finds no packages, try these steps:

    • Verify that --host-path points to the correct filesystem location.
    • Verify that RPM and DNF databases exist and are readable by roxagent.
    • Use the --verbose flag to examine index reports.
    • Confirm that the roxagent has root privileges.

  • If vulnerability data does not appear in RHACS, try these steps:

    • Verify that the feature flag is enabled on all components.
    • Check Central logs for enrichment processing.
    • Ensure that the VM has a valid RHEL subscription.
    • Confirm repository-to-CPE mapping downloads are successful. If downloads are not successful, the "error updating mapping file" message occurs in the logs. The likely cause of an unsuccessful download is a failed internet connection.

  • If there is a network connectivity problem:

    • Verify that the VM has internet access.
    • Check the firewall rules for repository access.
    • Validate DNS resolution from within the VM.

  • If you observe performance issues, such as large memory usage, try these steps:

    • Monitor relay resource consumption and set ROX_VIRTUAL_MACHINES_MAX_CONCURRENT_VSOCK_CONNECTIONS to a lower number if needed.
    • Consider reducing scan frequency in daemon mode.

  • If you notice slow scan times, try these steps:

    • Verify that metal nodes are used for VM hosting.
    • Check network latency for repository downloads.
    • Monitor disk I/O during package database reads.

  • If you see that some VMs are not scanned for vulnerabilities, try these steps:

    • Check for a RHACS Administration Events warning that "VM index reports are being rate limited". If you see this warning, you might need to adjust the following items based on your workloads:

      • ROX_VM_INDEX_REPORT_RATE_LIMIT: For more information, see "Advanced virtual machine scanning configuration".
      • ROX_VM_INDEX_REPORT_BUCKET_CAPACITY: For more information, see "Advanced virtual machine scanning configuration".
      • Scanner V4 resources. For more information, see "Resource requirements for virtual machine scanning".
    • Check the logs of the Compliance container in the Collector pod for instances of the "Could not acquire semaphore, too many concurrent connections" message. If you see this message, you can increase the number of connections in ROX_VIRTUAL_MACHINES_MAX_CONCURRENT_VSOCK_CONNECTIONS to allow RHACS to process more VMs in parallel. You might also need to increase the Compliance container memory limit.
    • Check the logs of the Compliance container in the Collector pod for instances of the "data size exceeds the limit" message. If you see this message, you can increase the maximum vsock connection size in ROX_VIRTUAL_MACHINES_VSOCK_CONN_MAX_SIZE_KB to allow processing of larger index reports. You might also need to increase the Compliance container memory limit.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports scanning images from registry mirrors that you have configured by using one of the following OpenShift Container Platform custom resources (CRs):

  • ImageContentSourcePolicy (ICSP)
  • ImageDigestMirrorSet (IDMS)
  • ImageTagMirrorSet (ITMS)

For more information about how to configure image registry repository mirroring, see "Configuring image registry repository mirroring".

Important

To scan images from registry mirrors, you must configure delegated image scanning.

For more information about how to configure delegated image scanning, see "Accessing delegated image scanning".

12.7. Accessing delegated image scanning
Copy link

If you have isolated container image registries that are accessible from your secured clusters, you can use delegated image scanning to scan them.

Currently, by default, Central Services Scanner performs both indexing (identification of components) and vulnerability matching (enrichment of components with vulnerability data) for images observed in your secured clusters, with the exception of images from the OpenShift Container Platform integrated registry.

For images from the OpenShift Container Platform integrated registry, Scanner-slim installed in your secured cluster performs the indexing, and the Central Services Scanner performs the vulnerability matching.

The delegated image scanning feature extends scanning functionality by allowing Scanner-slim to index images from any registry and then send them to Central for vulnerability matching. To use this feature, ensure that Scanner-slim is installed in your secured clusters. If Scanner-slim is not present, scan requests are sent directly to Central.

12.7.2. Scanning images by using secured clusters
Copy link

To scan images by using the secured clusters instead of the Central services, you can use the delegated image scanning feature.

A new delegated scanning configuration specifies the registries from which you can delegate image scans. For images that Sensor observes, you can use the delegated registry configuration to delegate scans from no registries, all registries, or specific registries.

To enable delegation of scans by using the roxctl CLI, Jenkins plugin, or API, you must also specify a destination cluster and source registry.

Prerequisites

  • You have installed Scanner in the secured cluster to scan images.

    Note

    Enabling Scanner is supported on OpenShift Container Platform and Kubernetes secured clusters.

Procedure

  1. In the RHACS portal, click Platform Configuration Clusters.
  2. In the Clusters view header, click Delegated scanning.

  3. In the Delegated Image Scanning page, provide the following information:

    • Delegate scanning for: To choose the scope of the image delegation, select one of the following options:

      • None: The default option. This option specifies that the secured clusters do not scan any images, except for images from the integrated OpenShift image registry.
      • All registries: This option indicates that the secured clusters scan all the images.
      • Specified registries: This option specifies the images that secured clusters should scan based on the registries list.
    • Select default cluster to delegate to: From the drop-down list, select the name of the default cluster. The default cluster processes the scan requests coming from the command-line interface (CLI) and API. This is optional and you can select None if required.

    • Optional: To specify the source registry and destination cluster details, click Add registry.

      For example, specify the source registry as example.com, and select remote from the drop-down list for the destination cluster. You can add more than one source registry and destination cluster if required.

      Important

      You can select the destination cluster as None if the scan requests are not coming from the CLI and API.

  4. Click Save.

Image integrations are now synchronized between Central and Sensor, and Sensor captures pull secrets from each namespace. Sensor then uses these credentials to authenticate to the image registries.

If you are using the StackRox scanner, Scanner-slim is the lightweight version of that scanner that runs on your secured clusters instead of the cluster where Central is installed. You can install Scanner-slim by using the Operator or by using Helm. Scanner V4 does not use Scanner-slim.

12.8. Using the Operator
Copy link

The RHACS Operator installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

For more information, see Installing RHACS on secured clusters by using the Operator.

12.8.1. Using Helm
Copy link

The secured cluster services Helm chart (secured-cluster-services) installs a Scanner-slim version on each secured cluster. In Kubernetes, the secured cluster services include Scanner-slim. On OpenShift Container Platform, however, RHACS installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

12.9. Verifying scanner installation
Copy link

After installation, use the portal to make sure that the scanner is installed and working.

Procedure

  • Verify that the status of the secured cluster indicates that scanner is present and healthy:

    1. In the RHACS portal, go to Platform Configuration Clusters.
    2. In the Clusters view, select a cluster to view its details.
    3. In the Health Status card, ensure that Scanner is present and is marked as Healthy.

12.10. Using image scanning
Copy link

You can scan images stored in a cluster specific OpenShift Container Platform integrated image registry by using roxctl CLI, Jenkins, and API. You can specify the appropriate cluster in the delegated scanning configuration or use the cluster parameter available in roxctl CLI, Jenkins, and API.

For more information about how to scan images by using the roxctl CLI, see Image scanning by using the roxctl CLI.

12.10.1. Setting up scanning
Copy link

Red Hat Advanced Cluster Security for Kubernetes automatically scans active images. You can configure additional settings for scanning, such as automatic scanning of inactive images and scanning of virtual images.

12.10.2. Automatic scanning of active images
Copy link

Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.

Note

From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.

Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.

You can also use the roxctl CLI to check the image scan results on demand.

12.10.3. Scanning inactive images
Copy link

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure

  1. In the RHACS portal, click Vulnerability Management Results.
  2. Click More Views Inactive images.

  3. Optional: Choose the appropriate method to view the component and advisory data associated with a CVE:

    • To view the component and advisory data associated with a CVE from the list of CVEs, complete the following steps:

      1. Click the <number> CVEs tab.

      2. In the list of CVEs, click a CVE to do any of the following tasks:

        • To view the component and advisory data associated with an image:

          1. Click the <number> Images tab.

          2. Expand the image.

            You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

        • To view the component and advisory data associated with a deployment:

          1. Click the <number> Deployments tab.

          2. Expand the deployment.

            You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

    • To view the component and advisory data associated with a CVE from the list of images, complete the following steps:

      1. Click the <number> Images tab.
      2. In the list of images, click an image.

      3. To view the component and advisory data associated with a CVE, expand the CVE.

        You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

    • To view the component and advisory data associated with a CVE from the list of deployments, complete the following steps:

      1. Click the <number> Deployments tab.
      2. In the list of deployments, click a deployment.

      3. To view the component and advisory data associated with a CVE, expand the CVE.

        You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

  4. Click Manage watched images.
  5. In the Image name field, enter the fully-qualified image name that begins with the registry and ends with the image tag, for example, docker.io/library/nginx:latest.
  6. Click Add image to watch list.

  7. Optional: To remove a watched image, locate the image in the Manage watched images window, and click Remove watch.

    Important

    In the RHACS portal, click Platform Configuration System Configuration to view the data retention configuration.

    All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  8. Click Close to return to the Inactive images page.

12.11. Vulnerabilities
Copy link

Red Hat Advanced Cluster Security for Kubernetes (RHACS) fetches vulnerability definitions and updates from many vulnerability feeds. These feeds are both general in nature, such as the National Vulnerability Database (NVD), or distribution-specific, such as Alpine, Debian, and Ubuntu.

For more information about viewing and addressing vulnerabilities that RHACS finds, see "Vulnerability management".

12.11.1. Fetching vulnerability definitions
Copy link

In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources, and it refreshes every 3 hours. The address of the feed is https://definitions.stackrox.io.

You can change the frequency of the default query from Central to the definitions.stackrox.io feed by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable. Run the following command: 

$ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value>
Copy to Clipboard Toggle word wrap
Note

If you use Kubernetes, enter kubectl instead of oc.

This variable applies to the connection between Central and the definitions.stackrox.io feed. Both the StackRox Scanner and Scanner V4 use vulnerability data from Central that is obtained from this feed. The StackRox Scanner’s config map still has an updater.interval parameter for configuring the scanner’s updating frequency, but it no longer includes the fetchFromCentral parameter.

For more information about the vulnerability sources that RHACS uses, see "Vulnerability sources" in "Red Hat Advanced Cluster Security for Kubernetes architecture".

The vulnerability management dashboard in the Red Hat Advanced Cluster Security for Kubernetes portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. RHACS shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, RHACS shows the score and lists v3 along with it. For example, 6.5 (v3).

    Note

    CVSS v3 scores are only available if you are using the StackRox Scanner version 1.3.5 and later or Scanner V4.

  • If a CVSS v3 score is not available, RHACS might show only the CVSS v2 score. For example, 6.5.

You can use the API to get the CVSS scores. If CVSS v3 information is available for a vulnerability, the response might include both CVSS v3 and CVSS v2 information.

Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  • To disable language-specific vulnerability scanning, run the following command: 

    $ oc -n stackrox set env deploy/scanner \
  ROX_LANGUAGE_VULNS=false
    Copy to Clipboard Toggle word wrap

    If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) lets DevSecOps engineers in your organization to identify base images that are used in the container applications that your developers build. RHACS can then provide information about vulnerabilities that exist in base image layers so that application developers can address these vulnerabilities and use trusted, secure images when building applications. Developers can also focus on fixing vulnerabilities in application layers instead of vulnerabilities in the base layers.

When you configure a list of base images, RHACS pulls information about those images from the repositories and stores it in a database. When you scan images, RHACS tries to match the container images against the images in that database. RHACS then provides information about the base image layer in the RHACS portal.

Note

You can configure RHACS to pull multiple tags for an image by using a wildcard. However, to prevent undue system resource use, RHACS only tracks information for the most recent 100 tags.

You can set up a list of base images in Red Hat Advanced Cluster Security for Kubernetes (RHACS) that are used in the applications that your DevOps users build. RHACS then uses this list to identify those base images in the images that it scans. Using this information, you can separate vulnerabilities contained in the base image layer from vulnerabilities contained in the application layers.

Prerequisites

  • To define base images, you must be logged in as a user with the ImageAdministration permission; for example, as the Admin or Analyst user.

Procedure

  1. Select Platform Configuration Base Images and click Add base image.

  2. Enter the path to the base image repository, including the repository address and the image tag, in the format <hostname>/<project-id>/<repository-name>:<tag>. You can include a pattern to filter the tag, including using * to match any sequence of nonseparator characters or ? to match any single nonseparator character. For more filtering syntax information, see the Go filepath match documentation. For example, registry.redhat.io/ubi9:9.* would add Red Hat Universal Base Image 9 images with tags starting with 9.

    Note

    To prevent undue system resource use, RHACS only tracks information for the most recent 100 tags.

  3. Click Save. The list of base images is compared against the repository and tags are updated every 4 hours.

You can use the API to set up a list of base images, add new base images, delete base images, and modify the tag pattern for a base image.

Prerequisites

  • You must be logged in as a user whose role has a permission set that includes the ImageAdministration permission; for example, the Admin and Analyst permission sets have this permission.

Procedure

  1. You can take the following actions by using the Base Image Service in the v2 API:

    • Get a list of base images: Use GetBaseImageReferences.
    • Add a new base image: Use CreateBaseImageReference.
    • Delete a base image: Use DeleteBaseImageReference.

    • Update the tag pattern for a base image: Use UpdateBaseImageTagPattern.

      For more information about schema and valid values, see the API Reference.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top