Manage vulnerabilities

Learn how to identify and prioritize vulnerabilities for remediation.

Security vulnerabilities in your environment may allow attackers to gain unauthorized access or perform unauthorized actions. Therefore, managing vulnerabilities is a critical step in protecting your environment. It involves identifying, classifying, reporting, prioritizing, remediating, and mitigating security vulnerabilities.

The StackRox Kubernetes Security Platform enables you to identify and prioritize vulnerabilities for quick remediation. The Vulnerability Management view displays information you can act on, in multiple widgets. For example, you can identify the riskiest deployments in your infrastructure from the Top Risky Deployments widget.

Vulnerability Management view

To open the Vulnerability Management view, select Vulnerability Management from the left-hand navigation menu.

(Screenshot: Vulnerability Management view)

The Vulnerability Management view presents information by using various user interface (UI) components, including widgets, headers, views, panels, tabs, and a sidebar. Together, these components give you a complete view of the vulnerabilities and how they relate to other entities, for example, deployments, images, and components.

Dashboard walkthrough

Use the following instructions to understand various UI components and their usage:

  1. Select Vulnerability Management from the left-hand navigation menu to open the Vulnerability Management view. The Vulnerability Management view presents information in multiple interactive widgets.
  2. Select View All for the Top Risky Deployments by CVE Count and CVSS score widget to open the Deployments view. This view lists detailed information about all deployments in your infrastructure. The Deployments view header includes options to export and switch between different entity views. You can also filter the list of deployments. See the Use local page filtering topic for more information.
  3. On the Deployments view, select a deployment row from the list to open the Deployment details panel. The Deployment details panel includes deployment Summary and Findings sections, and the Related entities sidebar.
    • The Summary section shows detailed information about the deployment in multiple interactive widgets.
    • The Findings section shows failing policies and fixable CVEs for the deployment.
    • The Related entities sidebar shows the number of related entities under Matches and Contains sections. For deployment details, it shows the number of policies, images, components, and CVEs for the selected deployment.
  4. Under the Deployment Findings section, select the Fixable CVEs tab to view the list of all the fixable CVEs for the selected deployment.
  5. Select one CVE from the fixable CVEs list to view the CVE Summary. CVE summary opens in the same panel.
  6. Select Components in the Related entities sidebar to view a list of components affected by the selected CVE.
  7. Notice the panel header; it shows a list of all panels you viewed as breadcrumbs. You can use the Back icon to go back to the previous panel. Select the Deployment name from the panel header breadcrumbs to open the Deployment details panel.
  8. Select the Open view icon in the panel header (near the close panel icon) to open the Deployment details view. You can then select different tabs to view information about Images, Components, Policies, and CVEs for the selected deployment.

Other views

The Vulnerability Management view also includes multiple other views that all provide information in the context of vulnerabilities. The available views are:

  • Clusters
  • Namespaces
  • Deployments
  • Images
  • Components
  • CVEs
  • Policies

All these views show a list of items for the selected entity type. You can select the column heading to sort the items and also use local page filtering.

To switch between views, for example to the Clusters view:

  • from the Vulnerability Management view, select Application & Infrastructure > Clusters.
  • from any other view, select All Entities > Clusters.

Identify top risky objects

Use the Vulnerability Management view to identify the top risky objects in your environment. The Top Risky widget displays information about the top risky images, deployments, clusters, and namespaces in your environment. The risk is determined based on the number of vulnerabilities and their CVSS scores.

  1. Select the Top Risky widget header to choose between riskiest images, deployments, clusters, and namespaces.

    The small circles on the chart represent the chosen object (image, deployment, cluster, namespace). Move your mouse over a circle to see an overview of the object it represents. Select a circle to view detailed information about the selected object, its related entities, and the connections between them.

    For example, if you are viewing Top Risky Deployments by CVE Count and CVSS score, each circle on the chart represents a deployment.

    • When you move your mouse over a deployment, you see an overview of the deployment, which includes deployment name, name of the cluster and namespace, severity, risk priority, CVSS, and CVE count (including fixable).
    • When you select a deployment, the Deployment view opens for the selected deployment. The Deployment view shows in-depth details of the deployment and includes information about policy violations, common vulnerabilities, CVEs, and riskiest images for that deployment.
  2. Select View All on the widget header to view all objects of the chosen type. For example, if you chose Top Risky Deployments by CVE Count and CVSS score, you can select View All to view detailed information about all deployments in your infrastructure.

Identify top riskiest images and components

Similar to the Top Risky widget, the Top Riskiest widget lists the names of the top riskiest images and components. This widget also includes the total number of CVEs and the number of fixable CVEs for each listed image or component.

  1. Select the Top Riskiest Images widget header to choose between the riskiest images and components. If you are viewing Top Riskiest Images:

    • When you move your mouse over an image in the list, you see an overview of the image, which includes image name, scan time, and the number of CVEs along with severity (critical, high, medium, and low).
    • When you select an image, the Image view opens for the selected image. The Image view shows in-depth details of the image and includes information about CVEs by CVSS score, top riskiest components, fixable CVEs, and Dockerfile for the image.
  2. Select View All on the widget header to view all objects of the chosen type. For example, if you chose Top Riskiest Components, you can select View All to view detailed information about all components in your infrastructure.

View Dockerfile for an image

Use the Vulnerability Management view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command.

On the Vulnerability Management view:

  1. Select an image from the Top Riskiest Images widget.
  2. In the Image details view, select the Dockerfile tab under the Image Findings section.

The Dockerfile tab shows information about:

  • all the layers in the Dockerfile,
  • the instructions and their value for each layer,
  • the components included in each layer, and
  • the number of CVEs in components for each layer.

When there are components introduced by a specific layer, you can select the expand icon to see a summary of its components. If there are any CVEs in those components, you can select the expand icon for an individual component to get more details about the CVEs affecting that component. See Dockerfile panel for more details about the information visible under different columns.

(Screenshot: Dockerfile details)
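The layer attribution above is worth seeing in code. The following Python is an added example, not the platform's own code: it parses a constructed Dockerfile into its instructions (handling comments, blank lines and backslash continuations), then joins constructed scanner findings to the layer that introduced each component and summarizes CVE and fixable-CVE counts per layer. A real scanner records which layer added a component; the `layer` index in the findings is a stand-in for that. The CVE identifiers and scores are real published values; the image, versions and findings are constructed.

```python
"""Attribute scanner findings to the Dockerfile layer that introduced them.

Added example, not the platform's code. The Dockerfile text and the findings
are constructed inline; a real scanner records which layer added each
component, which is what the `layer` field below stands in for.
"""
import re
from collections import defaultdict

# Constructed sample Dockerfile (a comment, a blank line and a continuation
# are included deliberately so the parser has to handle them).
SAMPLE_DOCKERFILE = """\
# constructed example image
FROM debian:bullseye-slim

RUN apt-get update && \\
    apt-get install -y --no-install-recommends openssl curl
COPY app.jar /opt/app/app.jar
ENV JAVA_TOOL_OPTIONS="-Dlog4j2.formatMsgNoLookups=true"
USER 65534
ENTRYPOINT ["java", "-jar", "/opt/app/app.jar"]
"""

# Constructed findings: component, version, the layer index that added it and
# the CVEs the scanner matched (fixed_in None would mean no fix is available).
SAMPLE_FINDINGS = [
    {"component": "openssl", "version": "1.1.1j", "layer": 1,
     "cves": [{"id": "CVE-2021-3449", "cvss": 5.9, "fixed_in": "1.1.1k"}]},
    {"component": "curl", "version": "7.74.0", "layer": 1, "cves": []},
    {"component": "log4j-core", "version": "2.14.1", "layer": 2,
     "cves": [{"id": "CVE-2021-44228", "cvss": 10.0, "fixed_in": "2.15.0"}]},
]

# Instructions that change the filesystem; the rest only add image metadata.
FS_INSTRUCTIONS = {"FROM", "RUN", "COPY", "ADD"}


def parse_dockerfile(text):
    """Return (instruction, value) pairs, one per logical line, joining
    backslash continuations and dropping comments and blank lines."""
    layers, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        logical = " ".join(pending)
        pending = []
        match = re.match(r"(\w+)\s*(.*)", logical)
        layers.append((match.group(1).upper(), match.group(2)))
    return layers


def cves_by_layer(dockerfile_text, findings):
    """One summary row per layer: its instruction, whether it touches the
    filesystem, the components it introduced and their CVE/fixable counts."""
    components = defaultdict(list)
    for finding in findings:
        components[finding["layer"]].append(finding)
    rows = []
    for index, (instruction, value) in enumerate(parse_dockerfile(dockerfile_text)):
        cves = [c for f in components[index] for c in f["cves"]]
        rows.append({
            "layer": index,
            "instruction": instruction,
            "value": value,
            "changes_fs": instruction in FS_INSTRUCTIONS,
            "components": [f"{f['component']} {f['version']}" for f in components[index]],
            "cve_count": len(cves),
            "fixable_count": sum(1 for c in cves if c["fixed_in"]),
        })
    return rows


def worst_layer(rows):
    """Index of the layer that introduced the most CVEs (earliest on ties):
    the place to start when deciding what to rebuild or upgrade."""
    return max(rows, key=lambda r: (r["cve_count"], -r["layer"]))["layer"]


if __name__ == "__main__":
    summary = cves_by_layer(SAMPLE_DOCKERFILE, SAMPLE_FINDINGS)
    for row in summary:
        print(f"{row['layer']} {row['instruction']:10} cves={row['cve_count']} "
              f"fixable={row['fixable_count']} {row['components']}")
    print("start with layer", worst_layer(summary))
```

In the sample, the `RUN apt-get` layer and the `COPY app.jar` layer each introduce one fixable CVE; the metadata-only instructions (ENV, USER, ENTRYPOINT) introduce no components, which is why a remediation should target the package install and the copied artifact rather than the rest of the file.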

View frequently violated policies

Use the Frequently Violated Policies widget on the Vulnerability Management view to identify the most frequently violated policies in your clusters.

  1. Move your mouse over the policies listed in the Frequently Violated Policies widget to see an overview of the policy. The overview includes policy name, policy category, policy description, and date and time when the policy was last violated.
  2. Select View All on the widget header to open the Policies view, which lists all policies in your infrastructure. It includes information about policy description, policy status, last updated date and time, latest violation date and time, severity, deployments, policy lifecycle, and enforcement.
  3. In the Policies view, select a policy to view additional details about a specific policy, including policy scope, excluded images and deployment for the policy, and list of all deployments where this policy is failing. This information appears in the Policy details panel on the right.
  4. In the Policy details panel, select a deployment under the Policy Findings section. Deployment details open in the same panel for the selected deployment. Violation comments and tags appear under the Deployment Findings section.

Comments and tags

You can use Tags and Comments to specify what’s happening with violations to keep your team up to date.

  • You need the StackRox Kubernetes Security Platform version 3.0.42 or newer to add and view Tags and Comments. To upgrade from an older version, see the Upgrade StackRox section.

  • You can edit and delete your own comments.

  • To delete comments from other users, you need a role with write permission for the AllComments resource.

  • To add and remove comments or tags, you need a role with write permission for the resource you are modifying. For example, to add comments on violations, your role must have write permission for the Alert resource.

    See Manage role based access control to know more about roles and permissions.

Comments

Comments allow you to add text notes to violations, so that everyone in the team can check what’s happening with a violation.

To add a new comment:

  1. Select New in the Violation Comments section header.
  2. Enter your comment in the comment editor. You can also add links in the comment editor. These links open in a new tab when someone clicks on the link on a comment.
  3. Select Save.

All comments are visible under the Violation Comments section, and you can edit and delete comments by selecting Edit or Delete icon for a specific comment.

Tags

You can use custom Tags to categorize your violations. Then you can filter the Violations view to show violations for selected tags (Tag attribute). See the Use local page filtering topic for more information about filtering.

To add tags:

  1. Select the drop-down in the Violation Tags section. Existing tags appear as a list (up to 10).
  2. Select an existing tag or enter a new tag and press Enter. As you enter your query, the StackRox Kubernetes Security Platform automatically displays relevant suggestions for the matching existing tags.

You can add more than one tag for a violation. All tags are visible under the Violation Tags section and you can remove tags by selecting Remove icon (✕) for a specific tag.

View recently detected vulnerabilities

The Recently Detected Vulnerabilities widget on the Vulnerability Management view shows a list of recently discovered vulnerabilities in your scanned images, based on the scan time and CVSS score. It also includes information about the number of images affected by the CVE and its impact (percentage) on your environment.

  • When you move your mouse over a CVE in the list, you see an overview of the CVE, which includes scan time, CVSS score, description, impact, and whether it’s scored by using CVSS v2 or v3.
  • When you select a CVE, the CVE details view opens for the selected CVE. The CVE details view shows in-depth details of the CVE and the components, images, and deployments in which the selected CVE appears.
  • Select View All on the Recently Detected Vulnerabilities widget header to view a list of all the CVEs in your infrastructure. You can also filter the list of CVEs. See the Use local page filtering topic for more information.

View the most common vulnerabilities

The Most Common Vulnerabilities widget on the Vulnerability Management view shows a list of vulnerabilities that affect the largest number of deployments and images arranged by their CVSS score.

  • When you move your mouse over a CVE in the list, you see an overview of the CVE, which includes scan time, CVSS score, description, impact, and whether it’s scored by using CVSS v2 or v3.
  • When you select a CVE, the CVE details view opens for the selected CVE. The CVE details view shows in-depth details of the CVE and the components, images, and deployments it appears in.
  • Select View All on the Most Common Vulnerabilities widget header to view a list of all the CVEs in your infrastructure. You can also filter the list of CVEs. See the Use local page filtering topic for more information. To export the CVEs as a CSV file, select Export > Download CVES as CSV.
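To make the numbers behind the Top Risky, Recently Detected Vulnerabilities and Most Common Vulnerabilities widgets concrete, here is an added Python example (not the platform's code) run over a constructed inventory of deployments and images. It computes per-CVE environment impact (assumed here to be the share of distinct scanned images that contain the CVE), orders CVEs by affected deployments, then images, then CVSS, and ranks deployments with a hypothetical risk score (the sum of CVSS scores over each deployment's distinct CVEs, an assumption that stands in for the product's own risk priority). The CVE identifiers and CVSS scores are real published values; the image names, deployments, clusters and namespaces are constructed.

```python
"""Environment impact, most-common ordering and a risk ranking for scan data.

Added example, not the platform's own code. The inventory is constructed and
the scoring formulas are assumptions that approximate what the widgets show.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float      # published CVSS v3 base score
    fixable: bool


@dataclass
class Image:
    name: str
    cves: tuple


@dataclass
class Deployment:
    name: str
    cluster: str
    namespace: str
    images: tuple


# Constructed sample inventory; CVE IDs and scores are real published values.
LOG4SHELL = Cve("CVE-2021-44228", 10.0, True)
OPENSSL_NULL = Cve("CVE-2021-3449", 5.9, True)
SUDO_OVERFLOW = Cve("CVE-2021-3156", 7.8, True)

IMG_API = Image("registry.example.com/api:1.2", (LOG4SHELL, OPENSSL_NULL))
IMG_WEB = Image("registry.example.com/web:3.0", (OPENSSL_NULL,))
IMG_JOB = Image("registry.example.com/job:0.9", (SUDO_OVERFLOW, OPENSSL_NULL))

DEPLOYMENTS = [
    Deployment("api", "prod", "payments", (IMG_API,)),
    Deployment("web", "prod", "frontend", (IMG_WEB,)),
    Deployment("web-canary", "staging", "frontend", (IMG_WEB,)),
    Deployment("nightly-job", "prod", "batch", (IMG_JOB, IMG_API)),
]


def cve_env_impact(deployments):
    """Map each CVE ID to the distinct images and deployments carrying it, plus an
    environment impact percentage (assumed: affected images / all scanned images)."""
    images_by_cve = defaultdict(set)
    deployments_by_cve = defaultdict(set)
    all_images = set()
    cves = {}
    for dep in deployments:
        for img in dep.images:
            all_images.add(img.name)
            for cve in img.cves:
                cves[cve.cve_id] = cve
                images_by_cve[cve.cve_id].add(img.name)
                deployments_by_cve[cve.cve_id].add(dep.name)
    return {
        cve_id: {
            "cvss": cves[cve_id].cvss,
            "images": len(images_by_cve[cve_id]),
            "deployments": len(deployments_by_cve[cve_id]),
            "impact_pct": round(100.0 * len(images_by_cve[cve_id]) / len(all_images), 1),
        }
        for cve_id in cves
    }


def most_common_cves(deployments):
    """CVE IDs ordered like the Most Common Vulnerabilities widget: by affected
    deployments, then affected images, then CVSS, all descending."""
    impact = cve_env_impact(deployments)
    return sorted(
        impact,
        key=lambda c: (impact[c]["deployments"], impact[c]["images"], impact[c]["cvss"]),
        reverse=True,
    )


def deployment_risk(dep):
    """Hypothetical risk score: sum of CVSS over the deployment's distinct CVEs.
    Counting each CVE once avoids double-scoring an image used by several containers."""
    distinct = {cve.cve_id: cve for img in dep.images for cve in img.cves}
    return round(sum(cve.cvss for cve in distinct.values()), 1)


def top_risky_deployments(deployments):
    """Deployments ordered as a Top Risky list would be: highest score first,
    ties broken by name so the ordering is stable."""
    return sorted(deployments, key=lambda d: (-deployment_risk(d), d.name))


if __name__ == "__main__":
    impact = cve_env_impact(DEPLOYMENTS)
    for cve_id in most_common_cves(DEPLOYMENTS):
        print(cve_id, impact[cve_id])
    for dep in top_risky_deployments(DEPLOYMENTS):
        print(f"{dep.name:12} {dep.cluster}/{dep.namespace} risk={deployment_risk(dep)}")
```

Note how the same image reused by several deployments (web and web-canary) inflates a CVE's deployment count without changing its image count; sorting by deployments first is what surfaces a widely deployed medium-severity CVE above a critical one that sits in a single image.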

Identify deployments with most severe policy violations

The Deployments with most severe policy violations widget on the Vulnerability Management view shows a list of deployments, each with the severity of the policy violations affecting that deployment.

  • When you move your mouse over a deployment in the list, you see an overview of the deployment, which includes deployment name, the name of the cluster and namespace in which the deployment exists, and the number of failing policies and their severities.
  • When you select a deployment, the Deployment view opens for the selected deployment. The Deployment view shows in-depth details of the deployment and includes information about policy violations, common vulnerabilities, CVEs, and riskiest images for that deployment.
  • Select View All on the widget header to open the Deployments view, which lists all deployments in your infrastructure. You can also filter the list of deployments. See the Use local page filtering topic for more information.

Find clusters with most Kubernetes and Istio vulnerabilities

Use the Vulnerability Management view to identify the clusters with the most Kubernetes and Istio vulnerabilities in your environment. The Clusters with most K8S & Istio Vulnerabilities widget shows a list of clusters, ranked by the number of Kubernetes and Istio vulnerabilities in each cluster. The cluster at the top of the list is the cluster with the highest number of vulnerabilities.

  1. Select one of the clusters from the list to view details about the cluster. The Cluster view includes:
    • Cluster Details section, which shows cluster details and metadata, top risky objects (deployments, namespaces, and images), recently detected vulnerabilities, riskiest images, and deployments with most severe policy violations.
    • Cluster Findings section, which includes a list of failing policies and list of fixable CVEs.
    • Related Entities section, which shows the number of namespaces, deployments, policies, images, components, and CVEs the cluster contains. You can select these entities to view more details.
  2. Select View All on the widget header to view the list of all clusters.

Create policies to block specific CVEs

You can create new policies or add specific CVEs to an existing policy from the Vulnerability Management view.

  1. Select CVEs from the Vulnerability Management view header.

  2. Select the check boxes (leftmost column) for one or more CVEs and then select Add selected CVEs to Policy (Add icon). Or, move the mouse over a CVE in the list, and select the Add icon on the right side.


  3. For Policy Name,

    • to add the CVE to an existing policy, select an existing policy from the drop-down list box.
    • to create a new policy, enter the name for the new policy, and select Create policy name.
  4. Select a value for Severity, either Critical, High, Medium, or Low.

  5. Choose the Lifecycle Stage to which your policy is applicable, from Build, or Deploy. You can also select both lifecycle stages.

  6. Enter details about the policy in the Description box.

  7. Turn off the Enable Policy toggle if you want to create the policy but enable it later. The Enable Policy toggle is on by default.

  8. Verify the listed CVEs which are included in this policy.

  9. Select Save Policy.

Snooze and unsnooze CVEs

If you determine that certain CVEs don’t relate to your infrastructure for the moment, you can snooze them. Later, when the CVEs become relevant, you can unsnooze them. You can snooze CVEs for a set period (a day, a week, two weeks, or a month) or indefinitely (until you unsnooze).

When you snooze a CVE, the StackRox Kubernetes Security Platform stops showing that CVE in widgets and other views and ignores its impact on your environment. If the snoozed CVE is part of a policy and if all the CVEs in that policy are snoozed, the policy won’t generate a violation. When you unsnooze or the specified time lapses, the CVEs start showing up again as usual, and the policy violations resume.

Snooze CVEs

To snooze a CVE:

  1. From the Vulnerability Management view header, select CVEs.

  2. Select the check boxes (leftmost column) for one or more CVEs and then select Snooze CVE (Bell icon). Or, move the mouse over a CVE in the list and select the Bell icon on the right side.

  3. Select the time such as a day, a week, two weeks, a month, or indefinitely (until you unsnooze).


View snoozed CVEs

To view snoozed CVEs:

  1. From the Vulnerability Management view header, select CVEs.
  2. On the CVEs view, select the View Snoozed CVEs icon on the right side of the filter bar.

Unsnooze CVEs

To unsnooze CVEs:

  1. Open the list of snoozed CVEs.
  2. Select the check boxes (leftmost column) for one or more CVEs and then select Unsnooze CVE (Bell icon). Or, move the mouse over a CVE in the list, and select the Bell icon on the right side.
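The interaction between snoozes, their expiry and CVE-based policies described above (and the policy fields chosen in the Create policies procedure: name, severity, lifecycle stages, enabled flag, CVE list) is easier to reason about in code. The following Python is an added example, not the platform's implementation: it keeps a snooze store of expiry timestamps, hides snoozed CVEs from what views would show, and evaluates a policy so that it fires only while at least one of its CVEs is present and not snoozed. The policy, image findings and timestamps are constructed; the CVE identifiers are real. Treating "a month" as 30 days is an assumption.

```python
"""Policy evaluation that honours CVE snoozes and their expiry.

Added example, not the platform's code. The policy shape mirrors the fields
chosen in the Create policies procedure (name, severity, lifecycle stages,
enabled flag, CVE list); the snooze store and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

# Durations offered when snoozing; None means until explicitly unsnoozed.
SNOOZE_DURATIONS = {
    "1 day": timedelta(days=1),
    "1 week": timedelta(weeks=1),
    "2 weeks": timedelta(weeks=2),
    "1 month": timedelta(days=30),   # assumption: a month is treated as 30 days
    "indefinitely": None,
}


def snooze(snoozes, cve_id, duration, now):
    """Record a snooze as an expiry timestamp (None = indefinite)."""
    delta = SNOOZE_DURATIONS[duration]
    snoozes[cve_id] = None if delta is None else now + delta
    return snoozes


def unsnooze(snoozes, cve_id):
    """Drop the snooze so the CVE and its policy violations resume immediately."""
    snoozes.pop(cve_id, None)
    return snoozes


def is_snoozed(snoozes, cve_id, now):
    """A snooze is active if it has no expiry or the expiry is still ahead."""
    if cve_id not in snoozes:
        return False
    expiry = snoozes[cve_id]
    return expiry is None or now < expiry


def visible_cves(image_cves, snoozes, now):
    """What widgets and views show: every CVE except those currently snoozed."""
    return [c for c in image_cves if not is_snoozed(snoozes, c, now)]


def evaluate_policy(policy, image_cves, stage, snoozes, now):
    """Return the CVE IDs that make this policy fail, or [] for no violation.

    The policy fires when any of its listed CVEs is present and not snoozed;
    if every matching CVE is snoozed the policy stays quiet. Disabled
    policies and non-matching lifecycle stages never fire.
    """
    if not policy["enabled"] or stage not in policy["lifecycle_stages"]:
        return []
    present = set(visible_cves(image_cves, snoozes, now))
    return sorted(c for c in policy["cves"] if c in present)


# Constructed policy and image findings (real CVE identifiers).
LOG4SHELL_POLICY = {
    "name": "Block Log4Shell and OpenSSL DoS",
    "severity": "Critical",
    "lifecycle_stages": {"BUILD", "DEPLOY"},
    "enabled": True,
    "cves": ["CVE-2021-44228", "CVE-2021-3449"],
}
IMAGE_CVES = ["CVE-2021-44228", "CVE-2021-3449", "CVE-2021-3156"]


def walkthrough():
    """Snooze, let time pass, unsnooze; returns the violation at each step."""
    t0 = datetime(2021, 12, 15, tzinfo=timezone.utc)
    snoozes, steps = {}, {}
    steps["initial"] = evaluate_policy(LOG4SHELL_POLICY, IMAGE_CVES, "DEPLOY", snoozes, t0)
    snooze(snoozes, "CVE-2021-44228", "1 week", t0)
    steps["log4j snoozed"] = evaluate_policy(LOG4SHELL_POLICY, IMAGE_CVES, "DEPLOY", snoozes, t0)
    snooze(snoozes, "CVE-2021-3449", "indefinitely", t0)
    steps["both snoozed"] = evaluate_policy(LOG4SHELL_POLICY, IMAGE_CVES, "DEPLOY", snoozes, t0)
    t1 = t0 + timedelta(days=8)   # the one-week snooze has lapsed
    steps["after a week"] = evaluate_policy(LOG4SHELL_POLICY, IMAGE_CVES, "DEPLOY", snoozes, t1)
    unsnooze(snoozes, "CVE-2021-3449")
    steps["unsnoozed"] = evaluate_policy(LOG4SHELL_POLICY, IMAGE_CVES, "DEPLOY", snoozes, t1)
    steps["runtime stage"] = evaluate_policy(LOG4SHELL_POLICY, IMAGE_CVES, "RUNTIME", snoozes, t1)
    return steps


if __name__ == "__main__":
    for step, cves in walkthrough().items():
        print(f"{step:14} -> {'violation on ' + ', '.join(cves) if cves else 'no violation'}")
```

The walkthrough shows the two cases worth remembering when you snooze: a policy listing several CVEs keeps firing on the ones you did not snooze, and a timed snooze silently re-enables the violation when it lapses, so a snooze is a deferral, not an exception.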

Identify vulnerabilities in nodes

You can use the Vulnerability Management view to identify vulnerabilities in your nodes. The identified vulnerabilities include vulnerabilities in:

  • core Kubernetes components.
  • container runtimes (Docker, CRI-O, runC, and containerd).

Prerequisites and limitations:

  • You need the StackRox Kubernetes Security Platform version 3.0.56 or newer to view vulnerabilities in nodes.
  • The StackRox Kubernetes Security Platform can identify vulnerabilities in the Linux kernels shipped by the following distributions:
    • Amazon Linux 2
    • CentOS
    • Debian
    • Garden Linux (Debian 11)
    • Red Hat Enterprise Linux
    • Ubuntu (AWS, Azure, GCP, and GKE specific versions)
  • Identifying vulnerabilities in nodes on OpenShift isn’t supported.

To view vulnerabilities in your nodes:

  1. Select Nodes on the Vulnerability Management view header to view a list of all the CVEs affecting your nodes.

  2. Select a node from the list to view details of all CVEs affecting that node.

    • When you select a node, the Node view opens for the selected node. It shows in-depth details of the node and includes information about CVEs by CVSS score and fixable CVEs for that node.
    • Select View All on the CVEs by CVSS score widget header to view a list of all the CVEs in the selected node. You can also filter the list of CVEs. See the Use local page filtering topic for more information.
    • To export the fixable CVEs as a CSV file, select Export as CSV under the Node Findings section.

Node vulnerability scanning is enabled by default. To disable it:

  1. Navigate to Platform Configuration > Integrations.
  2. Under Image Integrations, select StackRox Scanner.
  3. From the list of scanners, select StackRox Scanner to view its details.
  4. Remove the Node Scanner option from Types.
  5. Select Save.

Scan inactive images

The StackRox Kubernetes Security Platform scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions. For more details, see Re-scanning images.

You can also configure the StackRox Kubernetes Security Platform to scan inactive (undeployed) images automatically.

You need the StackRox Kubernetes Security Platform version 3.0.57 or newer to scan inactive images.

To scan inactive images:

  1. Select Images on the Vulnerability Management view header to view a list of all the images.
  2. On the Images view header, select Watch Images.
  3. In the Manage Inactive Images dialog, enter the name of the inactive image (not its image ID) for which you want to enable scanning.
  4. Select Add Image. The StackRox Kubernetes Security Platform then scans the image and shows the error or success message.
  5. Select Return to Image list to view the Images view.

Common tasks

This section lists some common tasks you can perform from the Vulnerability Management view.

Find critical CVEs impacting your infrastructure

  1. Select CVEs on the Vulnerability Management view header.
  2. In the CVEs view, select the Env Impact column header to arrange the CVEs in descending order (highest first) based on the environment impact.

Find the most vulnerable image components

  1. From the Vulnerability Management view header, select Application & Infrastructure > Components.
  2. In the Components view, select the CVEs column header to arrange the components in descending order (highest first) based on the CVEs count.

Identify which layer of the container image introduces vulnerabilities

  1. Follow the instructions in the View Dockerfile for an image section.
  2. In the Dockerfile tab under the Image Findings section, select the expand (▶) icon to see a summary of image components.
  3. Select the expand (▶) icon for specific components to get more details about the CVEs affecting the selected component.

View details only for fixable CVEs

  1. From the Vulnerability Management view header, select Filter CVEs > Fixable.

Identify operating system of the base image

  1. From the Vulnerability Management view header, select Images.
  2. View the base operating system (OS) and OS version for all images under the Image OS column. You can select the column heading to sort the items and also use local page filtering.
  3. Select an image to view its details. The base operating system is also available under the Image Summary > Details and Metadata section.
  • The base operating system name is only available if you are using the StackRox Kubernetes Security Platform version 3.0.47 or newer.
  • The StackRox Kubernetes Security Platform lists the Image OS as unknown when either:
    • the operating system information isn’t available, or
    • the image scanner in use doesn’t provide this information. Docker Trusted Registry, Google Container Registry, and Anchore don’t provide this information.


© 2021 StackRox Inc. All rights reserved.