With the StackRox Kubernetes Security Platform you can analyze images for vulnerabilities. StackRox Scanner analyzes all image layers to check for known vulnerabilities by comparing them with the Common Vulnerabilities and Exposures (CVEs) list.
You need Scanner version 2.0.1 or higher to identify vulnerabilities in language-level dependencies. The StackRox Kubernetes Security Platform version 184.108.40.206 and higher includes this Scanner version.
To disable language-specific vulnerability scanning, set the following environment variable to false:
- LANGUAGE_VULNS for the StackRox Kubernetes Security Platform version 3.0.47 and older.
- ROX_LANGUAGE_VULNS for the StackRox Kubernetes Security Platform version 3.0.48 and newer.
If you are using the StackRox Kubernetes Security Platform version 3.0.48 or newer, you can use either one of these variables to disable language-specific vulnerability scanning.
kubectl -n stackrox set env deploy/scanner ROX_LANGUAGE_VULNS=false
oc -n stackrox set env deploy/scanner ROX_LANGUAGE_VULNS=false
When Scanner finds any vulnerabilities, it:
- shows them in the Vulnerability Management view for detailed analysis (requires the StackRox Kubernetes Security Platform version 3.0.42 or newer).
- includes them in risk ranking.
- checks them against system policies.
- highlights them in the portal for risk assessment.
Scanner inspects the images and identifies the installed components based on the files in the images. It may fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:
For package managers:
- or similar system files.
For language-level dependencies:
- MANIFEST.MF in Java Archive (JAR) files for Java.
For application-level dependencies:
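The following example illustrates why stripping a metadata file such as MANIFEST.MF defeats component identification. It is an added example, not StackRox Scanner code: it builds two small JARs in memory (constructed samples), one with a manifest carrying Implementation-Title and Implementation-Version and one with the manifest removed, and shows that only the first yields a name and version to match against vulnerability data. The attribute names used are standard JAR manifest headers; the lookup order is an assumption for this example.

```python
import io
import zipfile
from typing import Dict, Optional

MANIFEST_PATH = "META-INF/MANIFEST.MF"


def build_jar(manifest_attrs: Optional[Dict[str, str]]) -> bytes:
    """Build a minimal JAR in memory (constructed sample, not a real artifact).

    If manifest_attrs is None the JAR is written without META-INF/MANIFEST.MF,
    mimicking an image that was post-processed to strip metadata files.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        # Placeholder class entry; only the manifest matters for identification.
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        if manifest_attrs is not None:
            lines = ["Manifest-Version: 1.0"]
            lines += [f"{k}: {v}" for k, v in manifest_attrs.items()]
            # Manifest sections end with a blank line; JAR files use CRLF.
            jar.writestr(MANIFEST_PATH, "\r\n".join(lines) + "\r\n\r\n")
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of a MANIFEST.MF into a header -> value dict.

    Manifest writers wrap long values at 72 bytes; a line starting with a
    single space continues the previous header's value.
    """
    attrs: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # blank line terminates the main section
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def identify_component(jar_bytes: bytes) -> Optional[Dict[str, str]]:
    """Return {'name': ..., 'version': ...} derived from the JAR manifest.

    Returns None when the manifest is missing or carries no usable name and
    version, i.e. when the component cannot be identified from the file.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if MANIFEST_PATH not in jar.namelist():
            return None
        attrs = parse_manifest(jar.read(MANIFEST_PATH).decode("utf-8"))
    # Lookup order is an assumption for this example: Implementation-* first,
    # then the OSGi Bundle-* headers that many libraries ship instead.
    name = attrs.get("Implementation-Title") or attrs.get("Bundle-SymbolicName")
    version = attrs.get("Implementation-Version") or attrs.get("Bundle-Version")
    if not name or not version:
        return None
    return {"name": name, "version": version}


# Constructed inputs: an intact JAR and the same JAR with its manifest removed.
INTACT_JAR = build_jar({"Implementation-Title": "constructed-lib",
                        "Implementation-Version": "1.2.3"})
STRIPPED_JAR = build_jar(None)

if __name__ == "__main__":
    print("intact:  ", identify_component(INTACT_JAR))    # name and version found
    print("stripped:", identify_component(STRIPPED_JAR))  # None: nothing to match on
```

The stripped JAR still contains the same class bytes, so the vulnerable code is still present in the image; only the evidence a file-based scanner relies on has gone. That is the failure mode the paragraph above describes.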
StackRox Central submits image scanning requests to StackRox Scanner. Upon receiving these requests, StackRox Scanner pulls image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with vulnerability lists and sends information back to StackRox Central.
You can also integrate with another vulnerability scanner.
Scanner identifies vulnerabilities in packages installed by package managers and in language-level and application-level dependencies.
Beginning from the StackRox Kubernetes Security Platform version 3.0.50 (Scanner version 2.5.0), Scanner identifies vulnerabilities in the following developer platforms:
- .NET Core
- ASP.NET Core
Scanner identifies vulnerabilities in the following Linux distributions:

| Distribution | Supported versions |
|---|---|
| Alpine Linux | 3.2 to 3.12 |
| Amazon Linux | 2018.03, 2 |
| CentOS and Red Hat Enterprise Linux (RHEL) | 5, 6, 7, 8 |
| Debian | 9 and newer |
| Oracle Linux | 5 and newer |
| Ubuntu | 12.04 to 20.04 (including LTS and ESM releases) |
- The listed platforms are the distributions in which Scanner identifies vulnerabilities; they are distinct from the supported platforms on which you can install the StackRox Kubernetes Security Platform.
- Scanner doesn’t support the Fedora operating system because Fedora doesn’t maintain a vulnerability database for packages within the Fedora repositories. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.
- For the StackRox Kubernetes Security Platform version 3.0.35 and newer: StackRox Scanner fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources (multiple Linux distributions and the National Vulnerability Database), and it refreshes every hour.
- For the StackRox Kubernetes Security Platform version 3.0.35 till 3.0.38, the address of the feed
- For the StackRox Kubernetes Security Platform version 3.0.39 and newer, the address of the feed
- For the StackRox Kubernetes Security Platform version 3.0.34 and older: StackRox Scanner fetches the vulnerability definitions every two hours from Linux distributions and the National Vulnerability Database.
In the StackRox portal, the StackRox Kubernetes Security Platform shows a single CVSS base score for each vulnerability. The StackRox Kubernetes Security Platform shows the CVSS score based on the following criteria:
- If a CVSS v3 score is available, the StackRox Kubernetes Security Platform shows the score and lists v3 along with it. For example,
- If a CVSS v3 score isn’t available, the StackRox Kubernetes Security Platform shows only the CVSS v2 score. For example,
- You can use the API to get the CVSS scores. If CVSS v3 information is available for a particular CVE, the response includes both CVSS v3 and CVSS v2 information.
- CVSS v3 scores are only available if you’re using StackRox Scanner version 1.3.5 and newer.
- For some CVEs, the Red Hat Security Advisory (RHSA) CVSS score may differ from the CVSS score visible in the StackRox portal. This difference is because one RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects Red Hat products specifically. In such cases, the StackRox Kubernetes Security Platform:
- finds the highest-scoring CVE from the National Vulnerability Database (NVD) and shows its score as the CVSS score for the RHSA.
- breaks out each CVE in the RHSA as a separate vulnerability with its original CVSS score (from the NVD), so that you can view each one and create policies for specific CVEs.
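The score-selection rules above (prefer CVSS v3 over v2, report both through the API when v3 exists, and score an RHSA by the highest NVD score among its CVEs while breaking each CVE out separately) are easy to get wrong when consuming scan results in your own tooling. The following is an added example, not StackRox code or its API schema, that applies those rules to constructed records. The advisory and CVE identifiers and all scores are placeholders invented for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cve:
    id: str
    nvd_v2: Optional[float] = None  # CVSS v2 base score from the NVD, if any
    nvd_v3: Optional[float] = None  # CVSS v3 base score from the NVD, if any


def displayed_score(cve: Cve) -> Optional[Tuple[float, str]]:
    """Pick the single score the portal shows: v3 when available, else v2."""
    if cve.nvd_v3 is not None:
        return cve.nvd_v3, "v3"
    if cve.nvd_v2 is not None:
        return cve.nvd_v2, "v2"
    return None  # no NVD score at all


def api_scores(cve: Cve) -> Dict[str, Optional[float]]:
    """Mirror the API behaviour described above: when v3 exists, return both
    v3 and v2; otherwise only v2 is returned. (Assumed shape, not the real schema.)"""
    if cve.nvd_v3 is not None:
        return {"cvss_v3": cve.nvd_v3, "cvss_v2": cve.nvd_v2}
    return {"cvss_v2": cve.nvd_v2}


@dataclass
class Advisory:
    id: str                     # vendor advisory identifier (placeholder)
    vendor_score: float         # score the vendor assigned to the advisory as a whole
    cves: List[Cve] = field(default_factory=list)


def expand_advisory(adv: Advisory) -> List[dict]:
    """Rows the portal would list for one advisory.

    Row 0 is the advisory itself, scored with the highest NVD score among its
    CVEs rather than the vendor's own score. Each following row is one member
    CVE with its own NVD score, so policies can target a specific CVE.
    """
    scored = [(c, displayed_score(c)) for c in adv.cves]
    best = max((s for _, s in scored if s is not None),
               default=None, key=lambda s: s[0])
    rows = [{
        "id": adv.id,
        "score": best[0] if best else None,
        "version": best[1] if best else None,
        "vendor_score": adv.vendor_score,  # kept so the discrepancy is visible
    }]
    for c, s in scored:
        rows.append({"id": c.id,
                     "score": s[0] if s else None,
                     "version": s[1] if s else None})
    return rows


# Constructed sample: a vendor scored the advisory 5.3, but one member CVE
# carries a 9.8 CVSS v3 score in the NVD, so the portal shows 9.8 for the RHSA.
SAMPLE_ADVISORY = Advisory(
    id="RHSA-0000:0000 (placeholder)",
    vendor_score=5.3,
    cves=[
        Cve("CVE-0000-0001 (placeholder)", nvd_v2=4.3),            # v2 only
        Cve("CVE-0000-0002 (placeholder)", nvd_v2=6.8, nvd_v3=9.8),  # v3 wins
    ],
)

if __name__ == "__main__":
    for row in expand_advisory(SAMPLE_ADVISORY):
        print(row)
```

The practical consequence for policy authoring: a rule keyed on the advisory's score sees 9.8, not the vendor's 5.3, and a rule keyed on an individual CVE sees that CVE's own NVD score, which is what the break-out rows provide.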
The StackRox Kubernetes Security Platform periodically scans all active (deployed) images and updates the image scan results to reflect the latest vulnerability definitions.
From the StackRox Kubernetes Security Platform version 3.0.57, you can configure the Watch setting for images to enable automatic scanning of inactive (undeployed) images.
It scans all deployed images and updates the results every 4 hours. The StackRox Kubernetes Security Platform fetches the image scan results from the StackRox Scanner or other integrated image scanners that you use.
You can also use the roxctl CLI to check the image scan results.