Alauda Container Security

Examining Images for Vulnerabilities

Alauda Container Security for Kubernetes enables you to analyze container images for vulnerabilities using the built-in Scanner V4. The scanner inspects image layers, identifies packages, and matches them against vulnerability databases from sources like NVD, OSV, and OS-specific feeds.

When vulnerabilities are detected, Alauda Container Security:

  • Displays them in the Vulnerability Management view
  • Ranks and highlights them for risk assessment
  • Checks them against enabled security policies

The scanner identifies installed components by inspecting specific files. If these files are missing, some vulnerabilities may not be detected. Required files include:

Component TypeRequired Files
Package managers/etc/alpine-release; /etc/lsb-release; /etc/os-release or /usr/lib/os-release; /etc/oracle-release; /etc/centos-release; /etc/redhat-release; /etc/system-release; other similar files
Language-level dependenciespackage.json (JavaScript); dist-info/egg-info (Python); MANIFEST.MF (Java JAR)
Application-level dependenciesdotnet/shared/Microsoft.AspNetCore.App/; dotnet/shared/Microsoft.NETCore.App/

TOC

Scanner V4 Overview

Scanner V4 enhances scanning for language and OS-specific components. Scanner V4 is enabled by default and is required for all vulnerability scanning scenarios.

Scanner Workflow

Workflow Steps

  1. Central requests Scanner V4 Indexer to analyze images.
  2. Indexer pulls metadata and downloads layers.
  3. Indexer produces an index report.
  4. Matcher matches images to vulnerabilities and generates reports.

Common Scanner Warning Messages

MessageDescription
Unable to retrieve the OS CVE data, only Language CVE data is availableBase OS not supported; no OS-level CVEs.
Stale OS CVE dataOS is end-of-life; data may be outdated.
Failed to get the base OS informationScanner could not determine the base OS.
Failed to retrieve metadata from the registryRegistry unreachable or authentication failed.
Image out of scope for Red Hat Vulnerability Scanner CertificationImage is too old for certification.

Supported Platforms and Formats

Supported Linux Distributions

DistributionVersion
Alpine Linuxalpine:3.2alpine:3.21, alpine:edge
Amazon Linuxamzn:2018.03, amzn:2, amzn:2023
CentOScentos:6, centos:7, centos:8
Debiandebian:11, debian:12, debian:unstable, Distroless
Oracle Linuxol:5ol:9
Photon OSphoton:1.0photon:3.0
RHELrhel:6rhel:9
SUSEsles:11sles:15, opensuse-leap:15.5, opensuse-leap:15.6
Ubuntuubuntu:14.04ubuntu:24.10
INFO

Some older Debian/Ubuntu versions are not updated by the vendor. Fedora is not supported for OS CVEs.

Supported Package Formats

Package FormatPackage Managers
apkapk
dpkgapt; dpkg
rpmdnf; microdnf; rpm; yum

Supported Programming Languages

LanguagePackage Format
GoBinaries (analyzes stdlib and, if present, go.mod dependencies)
JavaJAR; WAR; EAR; JPI; HPI
JavaScriptpackage.json
Pythonegg; wheel
Rubygem

Supported Container Image Layer Formats

FormatScanner V4
No compressionYes
bzip2Yes
gzipYes
xzNo
zstdYes

Image Scanning and Watch List

Alauda Container Security scans all active images every 4 hours. You can also enable automatic scanning of inactive images (from version 3.0.57) via the Watch setting.

Steps:

  1. In the portal, go to Vulnerability Management > Results.
  2. Click More Views > Inactive images.
  3. Click Manage watched images and add or remove images as needed.
INFO

Data for removed images is retained for the configured period in System Configuration.

Vulnerability Data Updates

Central fetches vulnerability definitions every 5 minutes from https://definitions.stackrox.io