Container image scanning for software decomposition
Summarize
Summary of Container image scanning for software decomposition
ServiceNow’s ITOM Visibility applications, including Discovery and Service Mapping Patterns and Kubernetes Visibility Agent, integrate with Aqua Trivy to scan container images and operating system (OS) packages. This scanning provides detailed visibility into container components, helping organizations control container deployments, ensure compliance, and manage software licenses effectively.
Show less
Key Features
- Integration with Aqua Trivy: Enables scanning of container images and OS packages to identify installed software, dependencies, and vulnerabilities.
- Use of two ITOM Visibility apps:
- Discovery and Service Mapping Patterns: Best for self-hosted or cloud Kubernetes deployments and non-Kubernetes Docker containers, supporting both public and private image repositories.
- Kubernetes Visibility Agent: Designed for cloud native app teams, optimized for Kubernetes workloads, supports AWS ECR, and provides near real-time discovery without requiring MID Server setup.
- Scheduled Image Scanning: Patterns run scheduled scans at a rate of 10 images per minute, capturing image commands, software packages, and mapping relationships to container images.
- Software Bill of Materials (SBOM) Generation: Creates detailed lists of container image dependencies to support compliance and regulatory audits.
- Flexible Deployment Options: Supports pattern-based discovery with or without cloud credentials, and Kubernetes Visibility Agent installable via Helm Chart or YAML files.
- Proxy and MID Server Configuration: Allows mapping of MID Server to private container registries and proxy bypass configuration to enable scanning of internal or private registries.
Common Use Cases
- Security professionals: Scan base and final container images for vulnerabilities and software components, especially for specialized containers like MSSQL Server.
- Compliance officers: Generate SBOMs to verify container software complies with industry regulations.
- Engineers troubleshooting defects: Identify Kubernetes pods or Docker containers running a problematic image without requiring image scanning, using pattern-based discovery.
Practical Benefits for ServiceNow Customers
- Gain detailed visibility into container contents and software components to enforce company policies and regulatory compliance.
- Improve container security by identifying vulnerable or outdated software within containers.
- Streamline operations by integrating container image data into ServiceNow CMDB, enriching service context and dependency mapping.
- Facilitate quick identification of affected workloads during incidents by linking containers to images and Kubernetes or Docker workloads.
Next Steps
To implement container image scanning, enable Aqua Trivy integration within Discovery and Service Mapping Patterns or Kubernetes Visibility Agent. Configure MID Server mapping and proxy bypass as needed for private registries. Use the provided scanning schedules and SBOM generation features to maintain continuous visibility and compliance over containerized applications.
The ITOM Visibility apps, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent integrate with Aqua Trivy to collect data on container images and OS packages. You can increase your control over container deployment by having visibility to the container components.
Benefits of image scanning
- It helps you identify software installed in containers for regulatory and compliance use cases.
- It helps you adhere to company policies like usage of golden images, outdated software, mandatory labels, or configuration policies.
- It also helps you manage licensed software running in containers.
- You can also get the service context by using tags, and service mesh to understand their impact on your organization.
Image scanning use cases with ITOM Visibility
You can use two ITOM Visibility apps to scan container images, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent. Patterns is a feature set used by Discovery, Cloud Discovery, and Service Mapping. Kubernetes Visibility Agent is a feature of Agent Client Collector. While Kubernetes Visibility Agent (formerly known as CNO-V) is more suitable for Kubernetes and dynamic containerized workloads, pattern-based discovery is more suitable for non-Kubernetes Docker containers.
- Use case # 1
- Once an application has been packaged up in container images, a security professional can scan the base image, as well as the final image, for vulnerabilities, and identify OS packages, software dependencies, and application records. This is specifically for Containerized MSSQL Server.
| Visibility methods | Method characteristics | What's discovered |
|---|---|---|
|
Discovery and Service Mapping Patterns and Aqua Trivy:
|
|
Discovered using Discovery and Service Mapping Patterns:
For more information, see:
|
Kubernetes Visibility Agent and Aqua Trivy:
|
Kubernetes Visibility Agent -based discovery doesn't require credential set up, and no need for MID Server. Access is through ServiceAccount/ClusterRole. The installation is via Helm Chart or Kubernetes YAML file. The discovery is run near real-time. Use Kubernetes Explorer to download SBOM. |
Discovered using Kubernetes Visibility Agent
|
- Use case #2
- A compliance officer can generate an SBOM to obtain a detailed list of the dependencies of the container image and to ensure that the software complies with industry regulations.
| Visibility method | Method characteristics |
|---|---|
| Kubernetes pattern or Docker pattern | SBOM creation is part of the container scanning. |
| Kubernetes Visibility Agent | SBOM creation is also a part of the container scanning, but using ACC is best suited for organizations that need flexibility to perform both full and continues discovery. |
- Use case #3
-
An engineer found a defect in a custom-built image and needs to find all Kubernetes pods that are running using that image.
| Visibility method | Method characteristics | What's discovered |
|---|---|---|
| Kubernetes pattern | Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. |
|
| Kubernetes pattern with Cloud discovery | Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. | All the of the above and account or region details |
- Use case #4
- An engineer finds a defect in a custom-built image and needs to find all Docker containers (non Kubernetes) that are running using that image.
| Visibility method | Method characteristics | What's discovered |
|---|---|---|
| Horizontal Discovery of VM running Docker (Docker pattern) | Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. | See: Docker virtualization |
Image scanning with Discovery and Service Mapping Patterns
Kubernetes and Docker patterns integrate with the Aqua Trivy tool and run scheduled jobs to discover container images and OS packages at fixed intervals of 10 images per minute. During the scan, the pattern indicates the scanning status. The pattern discovers OS packages that are related to an image. Then, it finds the image command attributes like the CI class. Based on the command attributes the pattern creates application records. In addition, the pattern uses enriched scripts to add details to the application records. After that, the pattern maps the relations between the OS packages and the containers.
Part of the data is populated in CMDB tables and part of it in transformation tables (non-CMDB temporary tables). The transformation tables are installed with the pattern. For example, the information you get by scanning includes origin registry, software name, and version.