Container image scanning for software decomposition
Summary
ServiceNow ITOM Visibility integrates with Aqua Trivy to scan container images and OS packages within Kubernetes and Docker environments. This scanning enhances your control over container deployments by providing detailed visibility into container components, software dependencies, and related service context. This capability supports regulatory compliance, company policy adherence, and licensed software management across containerized workloads.
Key Features
- Integration with Aqua Trivy: Enables scanning of container images for vulnerabilities, OS packages, and software dependencies.
- Support for Kubernetes and Docker: Uses Discovery and Service Mapping Patterns for Docker and non-Kubernetes containers, and Kubernetes Visibility Agent (KVA) for Kubernetes workloads.
- Multiple discovery methods:
  - Discovery and Service Mapping Patterns: Requires tokens or cloud credentials, supports scheduled scans, and discovers clusters, services, topology, containers, images, labels, tags, and software.
  - Kubernetes Visibility Agent: Cloud-native deployment without credential setup or MID Server, supports near real-time discovery, and covers namespaces, nodes, pods, deployments, and container repositories.
- Software Bill of Materials (SBOM): Automatically generated during scanning to provide a detailed list of container image dependencies for compliance verification.
- Scheduling and rate limiting: Scans run at a controlled rate (e.g., 10 images per minute) to manage system load.
- Mapping and data management: Links software package information to container images (not containers) to avoid empty records, and populates both CMDB and transformation tables for data storage.
- Configuration capabilities: Allows mapping MID Servers to private container registries and configuring proxy bypasses for internal or private registry access.
Use Cases
- Security professionals: Scan base and final container images to identify vulnerabilities and software components, especially for containerized MSSQL Server.
- Compliance officers: Generate SBOMs to verify software dependencies and regulatory compliance within container images.
- Engineers troubleshooting defects:
  - Find Kubernetes pods running a specific custom-built image using Discovery Patterns without requiring container scanning.
  - Identify Docker containers running a specific image via horizontal discovery of VMs running Docker.
Practical Benefits for ServiceNow Customers
- Gain comprehensive visibility into container contents and deployed software to meet compliance and security standards.
- Use automated and scheduled scanning integrated within your existing ITOM Visibility framework to ensure current and accurate container data.
- Leverage real-time discovery for dynamic Kubernetes environments and pattern-based discovery for Docker containers to suit your infrastructure.
- Download SBOMs directly for audit and regulatory reporting purposes, facilitating risk management and software lifecycle tracking.
- Configure network access and MID Server mappings to integrate scanning seamlessly with private registries and internal networks.
The ITOM Visibility apps Discovery and Service Mapping Patterns and Kubernetes Visibility Agent integrate with Aqua Trivy to collect data on container images and OS packages. You can increase your control over container deployment by having visibility into the container components.
Benefits of image scanning
- It helps you identify software installed in containers for regulatory and compliance use cases.
- It helps you adhere to company policies like usage of golden images, outdated software, mandatory labels, or configuration policies.
- It also helps you manage licensed software running in containers.
- You can also get the service context by using tags and service mesh data to understand the impact of containers on your organization.
Image scanning use cases with ITOM Visibility
You can use two ITOM Visibility apps to scan container images, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent. Patterns is a feature set used by Discovery, Cloud Discovery, and Service Mapping. Kubernetes Visibility Agent is a feature of Agent Client Collector. While Kubernetes Visibility Agent (formerly known as CNO-V) is more suitable for Kubernetes and dynamic containerized workloads, pattern-based discovery is more suitable for non-Kubernetes Docker containers.
Use case #1
Once an application has been packaged into container images, a security professional can scan the base image, as well as the final image, for vulnerabilities, and identify OS packages, software dependencies, and application records. This use case applies specifically to containerized MSSQL Server.
| Visibility method | Method characteristics | What's discovered |
|---|---|---|
| Discovery and Service Mapping Patterns and Aqua Trivy | Pattern-based discovery requires tokens or cloud credentials and a MID Server, and runs as scheduled scans. | Discovered using Discovery and Service Mapping Patterns: clusters, services, topology, containers, images, labels, tags, and software. |
| Kubernetes Visibility Agent and Aqua Trivy | Kubernetes Visibility Agent-based discovery doesn't require credential setup, and no MID Server is needed. Access is through a ServiceAccount/ClusterRole. Installation is via Helm chart or Kubernetes YAML file. Discovery runs in near real time. Use Kubernetes Explorer to download the SBOM. | Discovered using Kubernetes Visibility Agent: namespaces, nodes, pods, deployments, and container repositories. |
Use case #2
A compliance officer can generate an SBOM to obtain a detailed list of the container image's dependencies and to ensure that the software complies with industry regulations.
| Visibility method | Method characteristics |
|---|---|
| Kubernetes pattern or Docker pattern | SBOM creation is part of the container scanning. |
| Kubernetes Visibility Agent | SBOM creation is also a part of the container scanning, but using ACC is best suited for organizations that need the flexibility to perform both full and continuous discovery. |
Use case #3
An engineer finds a defect in a custom-built image and needs to find all Kubernetes pods that are running that image.
| Visibility method | Method characteristics | What's discovered |
|---|---|---|
| Kubernetes pattern | Aqua Trivy container scanning isn't required. You can identify the pods using Patterns. | |
| Kubernetes pattern with Cloud Discovery | Aqua Trivy container scanning isn't required. You can identify the pods using Patterns. | All of the above, plus account or region details |
Use case #4
An engineer finds a defect in a custom-built image and needs to find all Docker containers (non-Kubernetes) that are running that image.
| Visibility method | Method characteristics | What's discovered |
|---|---|---|
| Horizontal Discovery of a VM running Docker (Docker pattern) | Aqua Trivy container scanning isn't required. You can identify the containers using Patterns. | See: Docker virtualization |
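The lookup that use cases #3 and #4 describe (every pod and every non-Kubernetes Docker container running a defective custom-built image) can be checked against discovery data without any Trivy scan. The script below is an added example and is not ServiceNow or Aqua code. It assumes pod records shaped like `kubectl get pods -A -o json` (metadata, spec.containers, status.containerStatuses[].imageID) and Docker records built from `docker inspect` of a container (Name, Config.Image) joined with `docker image inspect` of its image (RepoDigests); every record, digest and image name in it is constructed. The point it adds beyond the tables: a tag such as `:2.3.0` is mutable and can be re-pushed after the fix, so matching on the immutable content digest is what tells the defective build apart from a repaired one carrying the same tag.

```python
"""Find Kubernetes pods and Docker containers running a specific image.

Added example (not ServiceNow or Aqua code). Input shapes are assumed to
follow kubectl/docker JSON as described in the lead-in; all data is constructed.
"""

WANTED_TAG = "registry.example.internal/team/checkout:2.3.0"
WANTED_DIGEST = "sha256:bad0001"   # constructed digest of the defective build

# Constructed pod list in the shape of `kubectl get pods -A -o json`.
PODS = {"items": [
    {"metadata": {"namespace": "shop", "name": "checkout-7d9f"},
     "spec": {"containers": [{"name": "checkout", "image": WANTED_TAG}]},
     "status": {"containerStatuses": [
         {"name": "checkout",
          "imageID": "registry.example.internal/team/checkout@sha256:bad0001"}]}},
    # Same tag, but the tag was re-pushed after the fix: a different digest.
    {"metadata": {"namespace": "shop", "name": "checkout-7d9g"},
     "spec": {"containers": [{"name": "checkout", "image": WANTED_TAG}]},
     "status": {"containerStatuses": [
         {"name": "checkout",
          "imageID": "registry.example.internal/team/checkout@sha256:good0002"}]}},
    # The defective image reused as a sidecar under an unrelated pod name.
    {"metadata": {"namespace": "ops", "name": "batch-1"},
     "spec": {"containers": [
         {"name": "batch", "image": "registry.example.internal/team/batch:1.0"},
         {"name": "sidecar", "image": WANTED_TAG}]},
     "status": {"containerStatuses": [
         {"name": "batch",
          "imageID": "registry.example.internal/team/batch@sha256:other0003"},
         {"name": "sidecar",
          "imageID": "docker-pullable://registry.example.internal/team/checkout@sha256:bad0001"}]}},
]}

# Constructed Docker-host records: docker inspect (Name, Config.Image)
# joined with docker image inspect (RepoDigests) for the container's image.
DOCKER_CONTAINERS = [
    {"Name": "/legacy-checkout", "Config": {"Image": WANTED_TAG},
     "RepoDigests": ["registry.example.internal/team/checkout@sha256:bad0001"]},
    {"Name": "/db", "Config": {"Image": "postgres:15"},
     "RepoDigests": ["docker.io/library/postgres@sha256:pg0004"]},
]


def digest_of(image_ref: str) -> str:
    """Return the 'sha256:...' part of 'repo@sha256:...'.

    Works for both containerd-style imageIDs and the older
    'docker-pullable://repo@sha256:...' form, since only the text after '@' is kept.
    """
    return image_ref.split("@", 1)[1] if "@" in image_ref else image_ref


def pods_by_digest(pod_list: dict, digest: str) -> list:
    """Match on the immutable content digest the kubelet reports per container."""
    hits = []
    for pod in pod_list["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for cs in pod.get("status", {}).get("containerStatuses", []):
            if digest_of(cs["imageID"]) == digest:
                hits.append((ns, name, cs["name"]))
    return hits


def pods_by_tag(pod_list: dict, tag: str) -> list:
    """Match on the tag in the pod spec. Tags are mutable, so this over-includes
    pods that pulled a later (repaired) build published under the same tag."""
    hits = []
    for pod in pod_list["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["spec"]["containers"]:
            if c["image"] == tag:
                hits.append((ns, name, c["name"]))
    return hits


def docker_by_digest(containers: list, digest: str) -> list:
    """Non-Kubernetes Docker hosts: match any RepoDigest of the container's image."""
    return [c["Name"].lstrip("/") for c in containers
            if any(digest_of(d) == digest for d in c.get("RepoDigests", []))]


if __name__ == "__main__":
    print("by digest:", pods_by_digest(PODS, WANTED_DIGEST))
    print("by tag   :", pods_by_tag(PODS, WANTED_TAG))
    print("docker   :", docker_by_digest(DOCKER_CONTAINERS, WANTED_DIGEST))
```

With the constructed data, the tag match returns three pods while the digest match returns two: the pod that re-pulled the repaired build under the same tag is correctly excluded only by the digest comparison.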
Image scanning with Discovery and Service Mapping Patterns
Kubernetes and Docker patterns integrate with the Aqua Trivy tool and run scheduled jobs that discover container images and OS packages at a controlled rate of 10 images per minute. During the scan, the pattern reports the scanning status. The pattern discovers the OS packages that belong to an image, then reads the image command attributes, such as the CI class, and creates application records based on them. Enrichment scripts add further details to those application records. Finally, the pattern maps the relationships between the OS packages and the containers.
Part of the data is populated in CMDB tables and part in transformation tables (non-CMDB temporary tables) that are installed with the pattern. For example, the information you get by scanning includes the origin registry, software name, and version.
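The decomposition step above (scan output in, per-image software records out, at a bounded scan rate) and the SBOM-oriented use case #2 can both be illustrated with a small parser over Trivy's JSON report. The script below is an added example and is not ServiceNow or Aqua code; it assumes the report layout Trivy emits with `--format json` (ArtifactName, Metadata.OS, Metadata.RepoDigests, and a Results list whose entries carry Class, Type, Packages and Vulnerabilities), and every report, package, digest and the `CVE-EXAMPLE-0001` identifier in it is constructed. It keys software records by image digest rather than by container, which is how several containers started from one image collapse into a single record, extracts the origin registry, software name and version the page names as scan output, and assigns images to one-minute slots so that no more than ten scans start per minute.

```python
"""Decompose Trivy JSON reports into image-keyed software records.

Added example (not ServiceNow or Aqua code). The field names follow Trivy's
JSON report format as assumed in the lead-in; sample data is constructed.
"""
import json

# Constructed Trivy-style report; placeholder vulnerability id, not a real CVE.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/team/web:1.4.2",
    "Metadata": {
        "OS": {"Family": "debian", "Name": "12.5"},
        "RepoDigests": ["registry.example.internal/team/web@sha256:aaaa1111"],
    },
    "Results": [
        {"Target": "registry.example.internal/team/web:1.4.2 (debian 12.5)",
         "Class": "os-pkgs", "Type": "debian",
         "Packages": [{"Name": "libssl3", "Version": "3.0.11-1"},
                      {"Name": "curl", "Version": "7.88.1-10"}],
         "Vulnerabilities": [{"VulnerabilityID": "CVE-EXAMPLE-0001",
                              "PkgName": "curl", "Severity": "HIGH",
                              "InstalledVersion": "7.88.1-10",
                              "FixedVersion": "7.88.1-11"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Packages": [{"Name": "requests", "Version": "2.31.0"}],
         "Vulnerabilities": []},
    ],
})


def origin_registry(image_ref: str) -> str:
    """Registry host of an image reference, per the Docker reference convention:
    the first path component is a registry only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise the image is from docker.io."""
    name = image_ref.split("@", 1)[0]
    first = name.split("/", 1)[0]
    if "/" in name and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def decompose(report_text: str) -> dict:
    """Turn one Trivy report into an image record with packages and findings."""
    report = json.loads(report_text)
    ref = report["ArtifactName"]
    meta = report.get("Metadata", {})
    digests = meta.get("RepoDigests") or []
    packages, findings = [], []
    for result in report.get("Results", []):
        for pkg in result.get("Packages", []) or []:
            packages.append({"class": result.get("Class"), "type": result.get("Type"),
                             "name": pkg["Name"], "version": pkg["Version"]})
        for vuln in result.get("Vulnerabilities", []) or []:
            findings.append({"id": vuln["VulnerabilityID"], "package": vuln["PkgName"],
                             "severity": vuln["Severity"],
                             "fixed": vuln.get("FixedVersion", "")})
    return {
        "image": ref,
        "digest": digests[0] if digests else ref,   # fall back to the ref if unpushed
        "registry": origin_registry(ref),
        "os": meta.get("OS", {}),
        "packages": packages,
        "findings": findings,
    }


def merge_by_image(report_texts: list) -> dict:
    """Key records by image digest so N containers from one image yield one
    record with a container count, not N copies of the same package list."""
    records = {}
    for text in report_texts:
        rec = decompose(text)
        key = rec["digest"]
        if key in records:
            records[key]["containers"] += 1
        else:
            rec["containers"] = 1
            records[key] = rec
    return records


def scan_slots(image_refs: list, per_minute: int = 10) -> list:
    """Assign each image a minute offset so at most per_minute scans start per
    minute (the 10 images/minute rate the page describes)."""
    return [(i // per_minute, ref) for i, ref in enumerate(image_refs)]


if __name__ == "__main__":
    for rec in merge_by_image([SAMPLE_REPORT] * 3).values():
        print(rec["registry"], rec["image"], rec["containers"], "container(s)")
        for p in rec["packages"]:
            print("  ", p["class"], p["name"], p["version"])
```

The package list is the SBOM-style output a compliance reviewer would check against policy (golden-image components, outdated software), while the findings list is the separate vulnerability view; keeping both on the image record rather than on each container is what avoids the empty or duplicated records the page warns about.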