Overview

Image scanning for vulnerabilities with Bridgecrew (powered by Prisma Cloud Compute) collects information about the packages and binaries in a selected container image. This enables the detection of active CVEs (Common Vulnerabilities and Exposures) before deployment. Scan results appear in [Projects](https://www.bridgecrew.cloud/projects) in Bridgecrew Cloud.
Image scans are performed:

  • Periodically on Docker files in Git-based repositories
  • On an ad hoc basis via Checkov

Scanning for Vulnerabilities

Periodic Scan of Docker Files in Git-based Repositories

Bridgecrew Cloud scans any Docker file in the default branch of integrated Git-based repositories.
To view vulnerabilities found, browse to the relevant repository in Projects.

Checkov-triggered Ad-Hoc Image Scans

Prerequisites
Before you start a scan, make sure you have installed or acquired:

Use the Bridgecrew CLI or Checkov to trigger a scan of a specific Docker file, as shown in the example below:

bridgecrew --docker-image ubuntu --dockerfile-path /Users/bob/workspaces/bridgecrew/Dockerfile --bc-api-key <api_key> --repo-id bob/test --branch master

Using the example above, replace the following values with your own:

  • /Users/bob/workspaces/bridgecrew/Dockerfile with the path and name of the Docker file
  • <api_key> with your API token
  • bob/test with the identity string of the repository

Reviewing Vulnerabilities in Bridgecrew

To view vulnerabilities in Docker files:

  1. Select Projects and then choose Vulnerabilities under Category.

[Figure: Category Filter]

  2. Navigate to the repository specified in the Bridgecrew CLI command above.

Vulnerabilities in scanned images are listed in the results window.


The results window is divided into 3 sections:

  • Vulnerability differences
  • Vulnerabilities list
  • Resource Explorer

The top part of the window shows, in Git style differences, the lines in the image where the selected CVE was found.

The bottom part of the window shows the list of CVEs that were detected in the Docker file. The vulnerability list contains:

Select a CVE to show the Resource Explorer. The Resource Explorer contains details about the selected CVE, including an explanation and its associated risk factors. The risk factors displayed are dynamic and change based on the type of CVE selected.

Select Suppress to suppress the selected Docker file.
Select Suppress again to remove the Docker file from the suppressed list.


Risk Factors
The details provided for risk factors include:

  • Attack Complexity - the conditions beyond the attacker's control that must exist in order to exploit the vulnerability (such as certain system configuration settings or computational exceptions). Possible values: Low, High.
  • Attack Vector - the context in which the vulnerability can be exploited. The assumption is that a vulnerability exploitable from across the Internet has a larger pool of potential attackers than one requiring physical access to a device, and therefore warrants a higher score. Possible values: Network, Adjacent, Local, Physical.
  • Remote Execution - the vulnerability can be exploited to run arbitrary code.
  • DoS - the component is vulnerable to denial of service attacks, such as buffer overflow attacks, ICMP floods, and more.
  • Has Fix - a fix is available from the distro, vendor, or package maintainer.
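As an added example (not Bridgecrew's or Checkov's own code), the following Python helper ranks scan findings by the risk factors listed above so that reachable, low-effort, fixable code-execution CVEs are reviewed first; the Finding class, the weights and the sample CVE ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Possible values as the Resource Explorer names them; the weights are an
# assumption for this example, not a Bridgecrew scoring scheme.
AV_WEIGHT = {"Network": 4, "Adjacent": 3, "Local": 2, "Physical": 1}
AC_WEIGHT = {"Low": 2, "High": 1}


@dataclass
class Finding:
    cve: str
    package: str
    attack_vector: str
    attack_complexity: str
    remote_execution: bool = False
    dos: bool = False
    has_fix: bool = False

    def __post_init__(self):
        # Reject values outside the documented sets instead of mis-ranking them.
        if self.attack_vector not in AV_WEIGHT:
            raise ValueError(f"unknown attack vector: {self.attack_vector!r}")
        if self.attack_complexity not in AC_WEIGHT:
            raise ValueError(f"unknown attack complexity: {self.attack_complexity!r}")


def triage_score(f: Finding) -> int:
    """Higher means act sooner: reachability (vector) and low effort (complexity)
    dominate, remote execution outranks DoS, and a fixable finding gets a bump
    because it is actionable before deployment."""
    score = AV_WEIGHT[f.attack_vector] * 10 + AC_WEIGHT[f.attack_complexity] * 5
    if f.remote_execution:
        score += 20
    if f.dos:
        score += 5
    if f.has_fix:
        score += 3
    return score


def prioritize(findings):
    """Return findings ordered highest score first, CVE id as a stable tie-break."""
    return sorted(findings, key=lambda f: (-triage_score(f), f.cve))


# Constructed sample findings; the CVE ids are placeholders, not real scan results.
SAMPLE = [
    Finding("CVE-0000-0001", "libexample", "Local", "High", dos=True),
    Finding("CVE-0000-0002", "libexample", "Network", "Low", remote_execution=True, has_fix=True),
    Finding("CVE-0000-0003", "othertool", "Network", "High", remote_execution=True),
    Finding("CVE-0000-0004", "othertool", "Physical", "Low"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{triage_score(f):3d}  {f.cve}  {f.package}  {f.attack_vector}/{f.attack_complexity}  fix={f.has_fix}")
```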