Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 13. Examining images for vulnerabilities

With Red Hat Advanced Cluster Security for Kubernetes, you can analyze images for vulnerabilities using the RHACS Scanner V4, or you can configure an integration to use another supported scanner.

RHACS scanners analyze each image layer to find packages and match them against known vulnerabilities by comparing them with a vulnerability database populated from different sources. These sources include Red Hat Vulnerability Exchange (VEX), the National Vulnerability Database (NVD), the Open Source Vulnerabilities (OSV) database, and operating system vulnerability feeds.

Note

RHACS uses the OSV database available at OSV.dev under Apache License 2.0.

RHACS contains two scanners: Scanner V4 and the StackRox Scanner.

Scanner V4, built on Claircore, is the default scanner as of release 4.8. The StackRox Scanner, which originates from a fork of the Clair v2 open source scanner, is deprecated.

Note

When this documentation uses the term "RHACS scanner" or "Scanner", it refers to Scanner V4.

When the RHACS scanner finds any vulnerabilities, it performs the following actions:

  • Shows them in the Vulnerability Management view for detailed analysis
  • Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment
  • Checks them against enabled security policies

The RHACS scanner inspects the images and identifies the installed components based on the files in the images. It might fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

Expand
ComponentsFiles

Package managers

  • /etc/alpine-release
  • /etc/lsb-release
  • /etc/os-release or /usr/lib/os-release
  • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release
  • Other similar system files.

Language-level dependencies

  • package.json for JavaScript.
  • dist-info or egg-info for Python.
  • MANIFEST.MF in Java Archive (JAR) for Java.

Application-level dependencies

  • dotnet/shared/Microsoft.AspNetCore.App/
  • dotnet/shared/Microsoft.NETCore.App/

13.1. About Scanner V4
Copy link

RHACS provides its own scanner, Scanner V4, or you can configure an integration to use RHACS with another vulnerability scanner.

Built on Claircore, Scanner V4 provides scanning for language and operating system-specific image components and scanning Red Hat Enterprise Linux CoreOS (RHCOS).

Note

Beginning with release 4.6, due to changes in vulnerability sources used, Scanner V4 only considers vulnerabilities affecting Red Hat products dated back to 2014. Previously, when reading Red Hat’s OVAL data, the vulnerabilities dated back to before 2000.

13.2. Enabling Scanner V4
Copy link

Scanner V4 is enabled by default when RHACS is newly installed. However, if you have not previously enabled Scanner V4 and are upgrading from version 4.7 or earlier, you must enable it explicitly during the upgrade to use it. For more information, see the following sections.

To use Scanner V4, you can enable it after installation on the cluster where Central is installed and on secured clusters.

If Scanner V4 was not enabled during installation, you can enable it after installation.

Procedure

  1. In the cluster where Central is installed, in the console, click Operators Installed Operators and select the RHACS Operator.
  2. Click Central in the menu bar.
  3. Click the name of the cluster where Central was installed. The default value is stackrox-central-services.
  4. Click the YAML tab.

  5. Edit the YAML file as shown in the following example: 

      scannerV4:
    scannerComponent: Enabled
    Copy to Clipboard Toggle word wrap

You can enable Scanner V4 after installation.

Prerequisite

  • You set up Central and the secured cluster by using an init bundle or CRS so that they can communicate with each other.

Procedure

  1. In the secured cluster, click Operators Installed Operators and select the RHACS Operator.
  2. Click Secured Cluster in the menu bar.
  3. Click the default cluster name, stackrox-secured-cluster-services, or the name that you entered during installation.
  4. Click the YAML tab.

  5. Edit the YAML file as shown in the following example: 

      scannerV4:
    scannerComponent: AutoSense
    Copy to Clipboard Toggle word wrap

To use Scanner V4, you can enable it after installation on the cluster where Central is installed and on secured clusters.

You can enable Scanner V4 when upgrading by using Helm by enabling setting the scannerV4.disable parameter to false.

Procedure

  1. On the cluster where Central is installed, run the following command, using the instructions in "Changing configuration options after deploying the central-services Helm chart" if you need more information: 

    $ helm upgrade -n stackrox \
    stackrox-central-services rhacs/central-services \
    --reuse-values \
    -f <path_to_values_public.yaml> \
    -f <path_to_generated-values.yaml> \
    1 
    
    --set scannerV4.disable=false
    Copy to Clipboard Toggle word wrap
    1
    When updating the system and installing a new component, you must provide the internal CA. See "Retrieving the automatically generated certificate authority".

You can enable Scanner V4 when upgrading by using Helm.

Prerequisites

  • You set up Central and the secured cluster by using an init bundle or CRS so that they can communicate with each other.

Procedure

  1. On the secured cluster, run the following command, using the instructions in "Configuring the secured-cluster-services Helm chart with customizations" if you need more information: 

    $ helm upgrade -n stackrox \
    stackrox-central-services rhacs/secured-cluster-services \
    --reuse-values \
    -f <path_to_values_public.yaml> \
    -f <path_to_generated-values.yaml> \
    1 
    
    --set scannerV4.disable=false
    Copy to Clipboard Toggle word wrap
    1
    When updating the system and installing a new component, you must provide the internal CA. See "Retrieving the automatically generated certificate authority".

13.3. Scanning images
Copy link

Scanner V4 is the default scanner for RHACS. When scanning, it performs the following actions:

  • Central requests the Scanner V4 Indexer to download and index (analyze) given images.
  • Scanner V4 Indexer pulls image metadata from registries to determine the layers of the image, and downloads each previously unindexed layer.
  • Scanner V4 Indexer requests mapping files from Central that assist the indexing process. Scanner V4 Indexer produces in an index report.
  • Central requests that Scanner V4 Matcher match given images to known vulnerabilities. This process results in the final scan result: a vulnerability report. Scanner V4 Matcher requests the latest vulnerabilities from Central.
  • Scanner V4 Matcher requests the results of the image indexing, the index report, from Scanner V4 Indexer. It then uses the report to determine relevant vulnerabilities. This interaction occurs only when the image is indexed in the Central cluster. This interaction does not occur when Scanner V4 is matching vulnerabilities for images indexed in secured clusters.
  • The Indexer stores data in the Scanner V4 DB that is related to the indexing results to ensure that image layers are only downloaded and indexed once. This prevents unnecessary network traffic and other resource utilization.
  • When secured cluster scanning is enabled, Sensor requests Scanner V4 to index images. Scanner V4 Indexer requests mapping files from Sensor that assist the indexing process unless Central exists in the same namespace. In that case, Central is contacted instead.

When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE warning message. Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.

The following table shows some common Scanner warning messages:

Expand
Table 13.1. Warning messages
MessageDescription

Unable to retrieve the OS CVE data, only Language CVE data is available

Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages.

Stale OS CVE data

Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated. For example, Debian 8 and 9.

For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities.

Failed to get the base OS information

Indicates that Scanner scanned the image, but was unable to determine the base operating system used for the image.

Failed to retrieve metadata from the registry

Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking docker.io, or an authentication issue preventing access.

To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries.

Image out of scope for Red Hat Vulnerability Scanner Certification

Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.

Important

If you are using a Red Hat container image, consider using a base image newer than June 2020.

13.3.2. Supported operating systems
Copy link

The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities, and it is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.

Scanner identifies vulnerabilities in images that contain the following Linux distributions. For more information about the vulnerability databases used, see "Vulnerability sources" in "RHACS Architecture".

Expand
DistributionVersion

Alpine Linux

alpine:3.2[1],alpine:3.3, alpine:3.4, alpine:3.5, alpine:3.6, alpine:3.7, alpine:3.8, alpine:3.9, alpine:3.10, alpine:3.11, alpine:3.12, alpine:3.13, alpine:3.14, alpine:3.15, alpine:3.16, alpine:3.17, alpine:3.18, alpine:3.19, alpine:3.20, alpine:3.21[2], alpine:3.22[2], alpine:edge

Amazon Linux

amzn:2018.03, amzn:2, amzn:2023[2]

CentOS

centos:6[1], centos:7[1], centos:8[1]

Debian

debian:11, debian:12, debian:unstable[1], Distroless

The following vulnerability sources are not updated by the vendor: debian:8[1], debian:9[1], debian:10[1]

Oracle Linux

ol:5[2], ol:6[2], ol:7[2], ol:8[2], ol:9[2]

Photon OS

photon:1.0[2], photon:2.0[2], photon:3.0[2]

Red Hat Enterprise Linux (RHEL)

rhel:6[3], rhel:7[3], rhel:8[3], rhel:9, rhel:10[2]

SUSE

sles:11[2], sles:12[2], sles:15[2], opensuse-leap:15.5[2], opensuse-leap:15.6[2]

Ubuntu

ubuntu:14.04, ubuntu:16.04, ubuntu:18.04, ubuntu:20.04, ubuntu:22.04, ubuntu:24.04, ubuntu:24.10, ubuntu:25.04[2]

The following vulnerability sources are not updated by the vendor: ubuntu:12.04[1], ubuntu:12.10[1], ubuntu:13.04[1], ubuntu:14.10[1], ubuntu:15.04[1], ubuntu::15.10[1], ubuntu::16.10[1], ubuntu:17.04[1], ubuntu:17.10[1], ubuntu:18.10[1], ubuntu:19.04[1], ubuntu:19.10[1], ubuntu:20.10[1], ubuntu:21.04[1], ubuntu:21.10[1], ubuntu:22.10[1], ubuntu:23.04[1], ubuntu:23.10[1]

  1. Only supported in the StackRox Scanner.
  2. Only supported in Scanner V4.
  3. Images older than June 2020 are not supported in Scanner V4.
Note

Scanner does not support the Fedora operating system because Fedora does not maintain a vulnerability database. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.

13.3.3. Supported package formats
Copy link

Scanner can check for vulnerabilities in images that use the following package formats:

Expand
Package formatPackage managers

apk

apk

dpkg

apt, dpkg

rpm

dnf, microdnf, rpm, yum

13.3.4. Supported programming languages
Copy link

Scanner can check for vulnerabilities in dependencies for the following programming languages:

Expand
Programming languagePackage format

Go[1]

Binaries: The standard library version used to build the binary is analyzed. If the binaries are built with module support (go.mod), then the dependencies are also analyzed.

Java

JAR, WAR, EAR, JPI, HPI

JavaScript

package.json

Python

egg, wheel

Ruby

gem

  1. Only supported in Scanner V4.

13.3.5. Supported layer compression formats
Copy link

Container image layers are .tar file archives that might be compressed or uncompressed. StackRox Scanner and Scanner V4 support different formats as shown in the following table:

Expand
FormatStackrox Scanner SupportScanner V4 Support

No compression

Yes

Yes

bzip2

Yes

Yes

gzip

Yes

Yes

xz

Yes

No

zstd

No

Yes

13.3.6. Supported runtimes and frameworks
Copy link

Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), the StackRox Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core
  • ASP.NET Core

These are not supported by Scanner V4.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports scanning images from registry mirrors that you have configured by using one of the following OpenShift Container Platform custom resources (CRs):

  • ImageContentSourcePolicy (ICSP)
  • ImageDigestMirrorSet (IDMS)
  • ImageTagMirrorSet (ITMS)

For more information about how to configure image registry repository mirroring, see "Configuring image registry repository mirroring".

Important

To scan images from registry mirrors, you must configure delegated image scanning.

For more information about how to configure delegated image scanning, see "Accessing delegated image scanning".

13.4. Accessing delegated image scanning
Copy link

You can have isolated container image registries that are only accessible from your secured clusters. The delegated image scanning feature enables you to scan images from any registry in your secured clusters.

Currently, by default, Central Services Scanner performs both indexing (identification of components) and vulnerability matching (enrichment of components with vulnerability data) for images observed in your secured clusters, with the exception of images from the OpenShift Container Platform integrated registry.

For images from the OpenShift Container Platform integrated registry, Scanner-slim installed in your secured cluster performs the indexing, and the Central Services Scanner performs the vulnerability matching.

The delegated image scanning feature extends scanning functionality by allowing Scanner-slim to index images from any registry and then send them to Central for vulnerability matching. To use this feature, ensure that Scanner-slim is installed in your secured clusters. If Scanner-slim is not present, scan requests are sent directly to Central.

13.4.2. Scanning images by using secured clusters
Copy link

To scan images by using the secured clusters instead of the Central services, you can use the delegated image scanning feature.

A new delegated scanning configuration specifies the registries from which you can delegate image scans. For images that Sensor observes, you can use the delegated registry configuration to delegate scans from no registries, all registries, or specific registries.

To enable delegation of scans by using the roxctl CLI, Jenkins plugin, or API, you must also specify a destination cluster and source registry.

Prerequisites

  • You have installed Scanner in the secured cluster to scan images.

    Note

    Enabling Scanner is supported on OpenShift Container Platform and Kubernetes secured clusters.

Procedure

  1. In the RHACS portal, click Platform Configuration Clusters.
  2. In the Clusters view header, click Delegated scanning.

  3. In the Delegated Image Scanning page, provide the following information:

    • Delegate scanning for: To choose the scope of the image delegation, select one of the following options:

      • None: The default option. This option specifies that the secured clusters do not scan any images, except for images from the integrated OpenShift image registry.
      • All registries: This option indicates that the secured clusters scan all the images.
      • Specified registries: This option specifies the images that secured clusters should scan based on the registries list.
    • Select default cluster to delegate to: From the drop-down list, select the name of the default cluster. The default cluster processes the scan requests coming from the command-line interface (CLI) and API. This is optional and you can select None if required.

    • Optional: To specify the source registry and destination cluster details, click Add registry.

      For example, specify the source registry as example.com, and select remote from the drop-down list for the destination cluster. You can add more than one source registry and destination cluster if required.

      Important

      You can select the destination cluster as None if the scan requests are not coming from the CLI and API.

  4. Click Save.

Image integrations are now synchronized between Central and Sensor, and Sensor captures pull secrets from each namespace. Sensor then uses these credentials to authenticate to the image registries.

13.4.3.1. Using the Operator
Copy link

RHACS Operator installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

For more information, see Installing RHACS on secured clusters by using the Operator.

13.4.3.2. Using Helm
Copy link

Secured Cluster Services Helm chart (secured-cluster-services) installs a Scanner-slim version on each secured cluster. In Kubernetes, the secured cluster services include Scanner-slim. On OpenShift Container Platform, however, RHACS installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

13.4.3.3. Verifying after installation
Copy link

Procedure

  • Verify that the status of the secured cluster indicates that Scanner is present and healthy:

    1. In the RHACS portal, go to Platform Configuration Clusters.
    2. In the Clusters view, select a cluster to view its details.
    3. In the Health Status card, ensure that Scanner is present and is marked as Healthy.

13.4.3.4. Using image scanning
Copy link

You can scan images stored in a cluster specific OpenShift Container Platform integrated image registry by using roxctl CLI, Jenkins, and API. You can specify the appropriate cluster in the delegated scanning configuration or use the cluster parameter available in roxctl CLI, Jenkins, and API.

For more information about how to scan images by using the roxctl CLI, see Image scanning by using the roxctl CLI.

13.5. Setting up scanning
Copy link

You can configure settings for scanning, such as automatic scanning of active and inactive images.

13.5.1. Automatic scanning of active images
Copy link

Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.

Note

From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.

Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.

You can also use the roxctl CLI to check the image scan results on demand.

13.5.2. Scanning inactive images
Copy link

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure

  1. In the RHACS portal, click Vulnerability Management Results.
  2. Click More Views Inactive images.

  3. Optional: Choose the appropriate method to view the component and advisory data associated with a CVE:

    • To view the component and advisory data associated with a CVE from the list of CVEs, complete the following steps:

      1. Click the <number> CVEs tab.

      2. In the list of CVEs, click a CVE to do any of the following tasks:

        • To view the component and advisory data associated with an image:

          1. Click the <number> Images tab.

          2. Expand the image.

            You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

        • To view the component and advisory data associated with a deployment:

          1. Click the <number> Deployments tab.

          2. Expand the deployment.

            You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

    • To view the component and advisory data associated with a CVE from the list of images, complete the following steps:

      1. Click the <number> Images tab.
      2. In the list of images, click an image.

      3. To view the component and advisory data associated with a CVE, expand the CVE.

        You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

    • To view the component and advisory data associated with a CVE from the list of deployments, complete the following steps:

      1. Click the <number> Deployments tab.
      2. In the list of deployments, click a deployment.

      3. To view the component and advisory data associated with a CVE, expand the CVE.

        You can find the component data in the Component column, and you can find the advisory data in the Advisory column.

  4. Click Manage watched images.
  5. In the Image name field, enter the fully-qualified image name that begins with the registry and ends with the image tag, for example, docker.io/library/nginx:latest.
  6. Click Add image to watch list.

  7. Optional: To remove a watched image, locate the image in the Manage watched images window, and click Remove watch.

    Important

    In the RHACS portal, click Platform Configuration System Configuration to view the data retention configuration.

    All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  8. Click Close to return to the Inactive images page.

13.6. About vulnerabilities
Copy link

RHACS fetches vulnerability definitions and updates from multiple vulnerability feeds. These feeds are both general in nature, such as NVD, or distribution-specific, such as Alpine, Debian, and Ubuntu. For more information on viewing and addressing vulnerabilities that are found, see Vulnerability management.

13.6.1. Fetching vulnerability definitions
Copy link

In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources, and it refreshes every 3 hours. The address of the feed is https://definitions.stackrox.io.

You can change the frequency of the default query from Central to the definitions.stackrox.io feed by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable. Run the following command: 

$ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value>
1
Copy to Clipboard Toggle word wrap
1
If you use Kubernetes, enter kubectl instead of oc.

This variable applies to the connection between Central and the definitions.stackrox.io feed. Both the StackRox Scanner and Scanner V4 use vulnerability data from Central that is obtained from this feed. The StackRox Scanner’s config map still has an updater.interval parameter for configuring the scanner’s updating frequency, but it no longer includes the fetchFromCentral parameter.

For more information about the vulnerability sources that RHACS uses, see "Vulnerability sources" in "Red Hat Advanced Cluster Security for Kubernetes architecture".

The vulnerability management dashboard in the Red Hat Advanced Cluster Security for Kubernetes portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. RHACS shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, RHACS shows the score and lists v3 along with it. For example, 6.5 (v3).

    Note

    CVSS v3 scores are only available if you are using the StackRox Scanner version 1.3.5 and later or Scanner V4.

  • If a CVSS v3 score is not available, RHACS might show only the CVSS v2 score. For example, 6.5.

You can use the API to get the CVSS scores. If CVSS v3 information is available for a vulnerability, the response might include both CVSS v3 and CVSS v2 information.

Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.

Procedure

  • To disable language-specific vulnerability scanning, run the following command: 

    $ oc -n stackrox set env deploy/scanner \
    1 
    
  ROX_LANGUAGE_VULNS=false
    2
    Copy to Clipboard Toggle word wrap
    1
    If you use Kubernetes, enter kubectl instead of oc.
    2
    If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS.

13.8. Additional resources
Copy link

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat