Container image scanning for software decomposition
Summarize
Summary of Container image scanning for software decomposition
ServiceNow ITOM Visibility offers integrated capabilities through Discovery and Service Mapping Patterns and Kubernetes Visibility Agent to scan container images and operating system packages using Aqua Trivy. This scanning provides deep visibility into container components within Kubernetes or Docker environments. By understanding what software is installed inside containers, organizations can enhance security, compliance, and operational control over container deployments.
Show less
Key Features
- Integrated scanning with Aqua Trivy: Enables automated discovery of container images, OS packages, and application records using scheduled pattern-based scans.
- Support for Kubernetes and Docker:
- Kubernetes Visibility Agent is optimized for dynamic Kubernetes workloads, supporting near real-time discovery without requiring MID Server or credential setup.
- Discovery and Service Mapping Patterns cater to self-hosted or cloud Kubernetes environments and traditional Docker containers, with flexible credential options.
- Comprehensive visibility: Discover Kubernetes clusters, namespaces, nodes, pods, services, Docker containers, images, and related metadata such as labels, tags, and account region details.
- Software Bill of Materials (SBOM) generation: Automatically create detailed SBOMs during image scanning to support compliance and regulatory requirements.
- Flexible deployment and network configuration: Options to map MID Server to private container registries and configure proxy bypasses for internal or private registries to enable scans in restricted network environments.
Use Cases and Practical Benefits
- Security vulnerability assessment: Scan base and final container images to identify vulnerabilities, OS packages, and software dependencies, helping security teams manage risks and compliance.
- Regulatory compliance and policy enforcement: Generate SBOMs to verify software components comply with industry standards and company policies such as golden image usage and licensing.
- Operational troubleshooting: Identify all Kubernetes pods or Docker containers running a specific custom-built image for defect analysis without requiring a full image scan.
- Service context and impact analysis: Use tags and service mesh information discovered during scanning to understand container service relationships and their organizational impact.
Implementation Guidance
- Use Discovery and Service Mapping Patterns for container image scanning in cloud or self-hosted Kubernetes and Docker environments, with customizable scheduling and credential options.
- Deploy Kubernetes Visibility Agent via Helm or YAML manifests for cloud-native Kubernetes environments, leveraging its near real-time discovery and seamless integration with AWS ECR registries.
- Enable and configure SBOM generation carefully to avoid duplicate files and maximize visibility into container software components.
- Leverage transformation tables to enrich CMDB data with container image and OS package details, ensuring accurate and actionable configuration management data.
By integrating container image scanning with ServiceNow ITOM Visibility, customers gain enhanced control over container deployments, improved security posture, and streamlined compliance management through automated, detailed software decomposition and discovery.
The ITOM Visibility apps, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent integrate with Aqua Trivy to collect data on container images and OS packages. You can increase your control over container deployment by having visibility to the container components.
Benefits of image scanning
- It helps you identify software installed in containers for regulatory and compliance use cases.
- It helps you adhere to company policies like usage of golden images, outdated software, mandatory labels, or configuration policies.
- It also helps you manage licensed software running in containers.
- You can also get the service context by using tags, and service mesh to understand their impact on your organization.
Image scanning use cases with ITOM Visibility
You can use two ITOM Visibility apps to scan container images, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent. Patterns is a feature set used by Discovery, Cloud Discovery, and Service Mapping. Kubernetes Visibility Agent is a feature of Agent Client Collector. While Kubernetes Visibility Agent (formerly known as CNO-V) is more suitable for Kubernetes and dynamic containerized workloads, pattern-based discovery is more suitable for non-Kubernetes Docker containers.
- Use case # 1
- Once an application has been packaged up in container images, a security professional can scan the base image, as well as the final image, for vulnerabilities, and identify OS packages, software dependencies, and application records. This is specifically for Containerized MSSQL Server.
| Visibility methods | Method characteristics | What's discovered |
|---|---|---|
|
Discovery and Service Mapping Patterns and Aqua Trivy:
|
|
Discovered using Discovery and Service Mapping Patterns:
For more information, see:
|
Kubernetes Visibility Agent and Aqua Trivy:
|
Kubernetes Visibility Agent -based discovery doesn't require credential set up, and no need for MID Server. Access is through ServiceAccount/ClusterRole. The installation is via Helm Chart or Kubernetes YAML file. The discovery is run near real-time. Use Kubernetes Explorer to download SBOM. |
Discovered using Kubernetes Visibility Agent
|
- Use case #2
- A compliance officer can generate an SBOM to obtain a detailed list of the dependencies of the container image and to ensure that the software complies with industry regulations.
| Visibility method | Method characteristics |
|---|---|
| Kubernetes pattern or Docker pattern | SBOM creation is part of the container scanning. |
| Kubernetes Visibility Agent | SBOM creation is also a part of the container scanning, but using ACC is best suited for organizations that need flexibility to perform both full and continues discovery. |
- Use case #3
-
An engineer found a defect in a custom-built image and needs to find all Kubernetes pods that are running using that image.
| Visibility method | Method characteristics | What's discovered |
|---|---|---|
| Kubernetes pattern | Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. |
|
| Kubernetes pattern with Cloud discovery | Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. | All the of the above and account or region details |
- Use case #4
- An engineer finds a defect in a custom-built image and needs to find all Docker containers (non Kubernetes) that are running using that image.
| Visibility method | Method characteristics | What's discovered |
|---|---|---|
| Horizontal Discovery of VM running Docker (Docker pattern) | Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. | See: Docker virtualization |
Image scanning with Discovery and Service Mapping Patterns
Kubernetes and Docker patterns integrate with the Aqua Trivy tool and run scheduled jobs to discover container images and OS packages at fixed intervals of 10 images per minute. During the scan, the pattern indicates the scanning status. The pattern discovers OS packages that are related to an image. Then, it finds the image command attributes like the CI class. Based on the command attributes the pattern creates application records. In addition, the pattern uses enriched scripts to add details to the application records. After that, the pattern maps the relations between the OS packages and the containers.
Part of the data is populated in CMDB tables and part of it in transformation tables (non-CMDB temporary tables). The transformation tables are installed with the pattern. For example, the information you get by scanning includes origin registry, software name, and version.