Examining Images for Vulnerabilities
Alauda Container Security for Kubernetes enables you to analyze container images for vulnerabilities using the built-in Scanner V4. The scanner inspects image layers, identifies packages, and matches them against vulnerability databases from sources like NVD, OSV, and OS-specific feeds.
When vulnerabilities are detected, Alauda Container Security:
- Displays them in the Vulnerability Management view
- Ranks and highlights them for risk assessment
- Checks them against enabled security policies
The scanner identifies installed components by inspecting specific files. If these files are missing, some vulnerabilities may not be detected. Required files include:
| Component Type | Required Files |
|---|---|
| Package managers | /etc/alpine-release; /etc/lsb-release; /etc/os-release or /usr/lib/os-release; /etc/oracle-release; /etc/centos-release; /etc/redhat-release; /etc/system-release; other similar files |
| Language-level dependencies | package.json (JavaScript); dist-info/egg-info (Python); MANIFEST.MF (Java JAR) |
| Application-level dependencies | dotnet/shared/Microsoft.AspNetCore.App/; dotnet/shared/Microsoft.NETCore.App/ |
TOC
Scanner V4 Overview
Scanner V4 enhances scanning for language and OS-specific components. Scanner V4 is enabled by default and is required for all vulnerability scanning scenarios.
Scanner Workflow
Workflow Steps
- Central requests Scanner V4 Indexer to analyze images.
- Indexer pulls metadata and downloads layers.
- Indexer produces an index report.
- Matcher matches images to vulnerabilities and generates reports.
Common Scanner Warning Messages
| Message | Description |
|---|---|
| Unable to retrieve the OS CVE data, only Language CVE data is available | Base OS not supported; no OS-level CVEs. |
| Stale OS CVE data | OS is end-of-life; data may be outdated. |
| Failed to get the base OS information | Scanner could not determine the base OS. |
| Failed to retrieve metadata from the registry | Registry unreachable or authentication failed. |
| Image out of scope for Red Hat Vulnerability Scanner Certification | Image is too old for certification. |
Supported Platforms and Formats
Supported Linux Distributions
| Distribution | Version |
|---|---|
| Alpine Linux | alpine:3.2–alpine:3.21, alpine:edge |
| Amazon Linux | amzn:2018.03, amzn:2, amzn:2023 |
| CentOS | centos:6, centos:7, centos:8 |
| Debian | debian:11, debian:12, debian:unstable, Distroless |
| Oracle Linux | ol:5–ol:9 |
| Photon OS | photon:1.0–photon:3.0 |
| RHEL | rhel:6–rhel:9 |
| SUSE | sles:11–sles:15, opensuse-leap:15.5, opensuse-leap:15.6 |
| Ubuntu | ubuntu:14.04–ubuntu:24.10 |
Some older Debian/Ubuntu versions are not updated by the vendor. Fedora is not supported for OS CVEs.
Supported Package Formats
| Package Format | Package Managers |
|---|---|
| apk | apk |
| dpkg | apt; dpkg |
| rpm | dnf; microdnf; rpm; yum |
Supported Programming Languages
| Language | Package Format |
|---|---|
| Go | Binaries (analyzes stdlib and, if present, go.mod dependencies) |
| Java | JAR; WAR; EAR; JPI; HPI |
| JavaScript | package.json |
| Python | egg; wheel |
| Ruby | gem |
Supported Container Image Layer Formats
| Format | Scanner V4 |
|---|---|
| No compression | Yes |
| bzip2 | Yes |
| gzip | Yes |
| xz | No |
| zstd | Yes |
Image Scanning and Watch List
Alauda Container Security scans all active images every 4 hours. You can also enable automatic scanning of inactive images (from version 3.0.57) via the Watch setting.
Steps:
- In the portal, go to Vulnerability Management > Results.
- Click More Views > Inactive images.
- Click Manage watched images and add or remove images as needed.
Data for removed images is retained for the configured period in System Configuration.
Vulnerability Data Updates
Central fetches vulnerability definitions every 5 minutes from https://definitions.stackrox.io