Exploring Container Vulnerability Response

  • Release version: Australia
  • Updated March 11, 2026
  • 3 minutes to read

The Container Vulnerability Response application imports container vulnerable items (CVITs). Based on the rules you configure, the application lets you remediate container vulnerabilities. Container Vulnerability Response is available through a separate subscription.

    Container images overview

Unlike traditional applications, containers package all the application source code along with its dependencies into a binary file called a container image. The image is published to a registry so that it can be run as an application, or container instance, on any platform. The stages in the container pre-deployment life cycle are as follows:
1. Compose the container image: The container image is composed and pointed to the source code or a dependent library.
2. Build the container image.
3. Publish the container image: The container image file is published to a registry. Each image has its own unique ID derived from the contents of the image. In the post-deployment phase, these images are pulled from the registry into the run-time environment, where they run as container instances on hosts in the production environment.

    Scanning container images

A container image can be scanned for vulnerabilities either before or after deployment. If container images are scanned during the pre-deployment phase, you may receive many vulnerability alerts that do not need your immediate attention. Scanning for vulnerabilities during the post-deployment phase provides greater benefits, such as the following:
    • Providing visibility on the risk associated with the deployed applications.
    • Providing a focused view on only the images in the production environment.
    • Identifying and prioritizing the vulnerabilities that must be acted on immediately.
    • Grouping and assignment of vulnerabilities based on the metadata of the image. For example, an image repository, an image label, and other attributes related to the container image can be used for grouping and assignment rules.
    Each container image has the following key components:
    • Container or image repository: Represents the docker image under a given repository name. It hosts all the versions of the image.
    • Docker image: Represents a specific built version of the docker image. Each version has a unique ID.
    • Docker container: Represents a running instance of the docker image. A single image version can have multiple container instances running in the production environment.

    Container Vulnerability Response modules

    The Container Vulnerability Response module provides details on the following:
    • Findings (Container Vulnerable Items): Findings (CVITs) are grouped and listed based on assignment, criticality, exploitability, and remediation status.
    • Libraries: Get access to the National Vulnerability Database (NVD) and third-party libraries. While the NVD library provides information limited to the vulnerability item ID, the third-party library provides most of the details on a vulnerability item. Information in the NVD screen is populated only when the NVD integration is triggered.
    • Administration: The Administration module provides information on the vulnerable items' assignment rules, remediation target rules, and container vulnerability integrations. In addition, you can configure the duration after which a vulnerable item should be auto-closed. You can use the Configure VI Granularity section to configure the granularity of CVITs by specifying the key combinations. By default, a CVIT is created for a combination of an image repository, an image tag, and a vulnerability. You can add additional components to the key for further granularity. For example, you can create a CVIT for a combination of image repository, image tag, vulnerability, and cluster.
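The following Python example illustrates two points made above: how raw scan findings collapse into CVITs depending on the key definition (the default repository, tag and vulnerability key versus a key that also includes the cluster), and how image metadata such as the repository name can drive assignment rules. It is an added example written for this page, not ServiceNow's own implementation, and everything in it is constructed: the findings, the placeholder vulnerability IDs, the repository and cluster names, and the prefix-based rule format are illustrative assumptions rather than the product's data model or rule engine.

```python
from collections import defaultdict

# Constructed sample scan findings (made up for this example; the IDs are
# placeholders, not real CVEs). Each row is one raw finding from scanning a
# running container, so the same image/vulnerability can appear more than once.
SAMPLE_FINDINGS = [
    {"repository": "acme/payments-api", "tag": "1.4.2", "cluster": "prod-us-east",
     "vulnerability": "CVE-0000-1111", "severity": "critical"},
    {"repository": "acme/payments-api", "tag": "1.4.2", "cluster": "prod-eu-west",
     "vulnerability": "CVE-0000-1111", "severity": "critical"},
    {"repository": "acme/payments-api", "tag": "1.4.2", "cluster": "prod-us-east",
     "vulnerability": "CVE-0000-2222", "severity": "high"},
    {"repository": "acme/web-frontend", "tag": "3.0.0", "cluster": "prod-us-east",
     "vulnerability": "CVE-0000-1111", "severity": "critical"},
    {"repository": "acme/web-frontend", "tag": "3.0.0", "cluster": "prod-us-east",
     "vulnerability": "CVE-0000-1111", "severity": "critical"},
]

# Default CVIT key as described on the page; "cluster" is the optional extra component.
DEFAULT_KEY = ("repository", "tag", "vulnerability")
CLUSTER_KEY = DEFAULT_KEY + ("cluster",)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def cvit_key(finding, key_fields=DEFAULT_KEY):
    """Return the tuple of attribute values that identifies one CVIT."""
    missing = [f for f in key_fields if f not in finding]
    if missing:
        # A finding that lacks a key component cannot be deduplicated safely.
        raise KeyError(f"finding lacks key component(s): {missing}")
    return tuple(finding[f] for f in key_fields)


def build_cvits(findings, key_fields=DEFAULT_KEY):
    """Collapse raw findings into CVITs keyed on key_fields.

    Findings that share a key become one CVIT; the CVIT keeps the highest
    severity seen and a count of the raw findings that fed it.
    """
    cvits = {}
    for f in findings:
        key = cvit_key(f, key_fields)
        item = cvits.setdefault(key, {
            **{name: f[name] for name in key_fields},
            "severity": f["severity"],
            "finding_count": 0,
        })
        item["finding_count"] += 1
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[item["severity"]]:
            item["severity"] = f["severity"]
    return cvits


# Hypothetical assignment rules: (attribute, value prefix, assignment group).
# First matching rule wins; the format is an assumption for this example.
SAMPLE_RULES = [
    ("repository", "acme/payments", "Payments Security"),
    ("repository", "acme/web", "Web Platform"),
]


def assign_group(cvit, rules=SAMPLE_RULES, default="Unassigned"):
    """Pick the assignment group for a CVIT from prefix rules over its metadata."""
    for attribute, prefix, group in rules:
        if str(cvit.get(attribute, "")).startswith(prefix):
            return group
    return default


def summarize(findings, key_fields):
    """Return {assignment group: number of CVITs} for a given key definition."""
    counts = defaultdict(int)
    for cvit in build_cvits(findings, key_fields).values():
        counts[assign_group(cvit)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, key in (("default key", DEFAULT_KEY), ("key + cluster", CLUSTER_KEY)):
        cvits = build_cvits(SAMPLE_FINDINGS, key)
        print(f"{label}: {len(cvits)} CVITs from {len(SAMPLE_FINDINGS)} findings")
        for k, item in cvits.items():
            print("  ", k, item["severity"], "x", item["finding_count"],
                  "->", assign_group(item))
```

With the default key the five findings become three CVITs (the two clusters running the same payments image share one item, and the duplicate web-frontend finding is absorbed); adding the cluster to the key splits the payments item into one per cluster, which is the trade-off to weigh when you widen the key: finer ownership and remediation tracking against a larger backlog of items.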

    Available versions

    Release version and release notes

    If you intend to upgrade to Unified Security Exposure Management (USEM), select a version starting with 30.x when installing or upgrading:
    • Container Vulnerability Response v30.2
    • Container Vulnerability Response v30.1
    For full details, refer to the Knowledge Base article [KB2556844] and the Installing Security Exposure Management Workspace applications documentation before proceeding.

    If you do not intend to upgrade to Unified Security Exposure Management (USEM), select a version below 30.x when installing or upgrading:
    • Container Vulnerability Response v2.1 (see the Container Vulnerability Response release notes)

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.