Image scanning for vulnerabilities with Bridgecrew (powered by Prisma Cloud Compute) collects information about the packages and binaries in a selected container image. This enables the detection of active CVEs (Common Vulnerabilities and Exposure) before deployment. Scan results appear in Projects in Bridgecrew Cloud.
Image scans are performed:
- Periodically on Docker files in Git-based repositories
- On an ad hoc basis via Checkov
Scanning for Vulnerabilities
Periodic Scan of Docker Files in Git-based Repositories
Bridgecrew Cloud scans any Docker file in the default branch of integrated Git-based repositories.
To view vulnerabilities found, browse to the relevant repository in Projects.
Checkov-triggered Ad-Hoc Image Scans
Before you start a scan, make sure you have installed or acquired:
- Bridgecrew CLI, or checkov v2.099 or higher
- docker v20.10 or higher
- Bridgecrew API Token
Use the Bridgecrew CLI or Checkov to trigger a scan of a specific Docker file, as in the example below:
bridgecrew --docker-image ubuntu --dockerfile-path /Users/bob/workspaces/bridgecrew/Dockerfile --bc-api-key <api_key> --repo-id bob/test --branch master
Using the example above, replace the following values with your specific values:
- ubuntu with the name of the image to scan
- /Users/bob/workspaces/bridgecrew/Dockerfile with the path and name of the Docker file
- <api_key> with your API Token
- bob/test with the identity string of the repository
- master with the name of the branch to report against
Reviewing Vulnerabilities in Bridgecrew
To view vulnerabilities in Docker files:
- Select Projects and then choose Vulnerabilities under Category.
- Navigate to the repository specified in the Bridgecrew CLI command above.
Vulnerabilities in scanned images are listed in the results window.
The results window is divided into 3 sections:
- Vulnerability differences
- Vulnerabilities list
- Resource Explorer
The top part of the window shows, as a Git-style diff, the lines in the image where the selected CVE was found.
The bottom part of the window shows the list of CVEs that were detected in the Docker file. The vulnerability list contains:
- Total count of CVEs detected
- CVE Severity (color coded)
- CVE ID (used for cross referencing the detected vulnerability)
- Package name where the CVE was detected
- Risk Factors detected
- CVSS (Common Vulnerability Scoring System)
- Publish date of the CVE
Select a CVE to show the Resource Explorer. The Resource Explorer contains details about the selected CVE, including an explanation and its associated risk factors. The risk factors displayed are dynamic and change based on the type of CVE selected.
Select Suppress to suppress the selected Docker file.
Select Suppress again to remove the Docker file from the suppressed list.
The details provided for risk factors include:
- Attack Complexity - the conditions beyond the attacker's control that must exist in order to exploit the vulnerability (such as certain system configuration settings or computational exceptions). Possible values: Low, High
- Attack Vector - the context by which vulnerability exploitation is possible. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. Possible values: Network, Adjacent, Local, Physical.
- Remote Execution - Vulnerability can be exploited to run arbitrary code.
- DoS - Component is vulnerable to denial of service attacks, such as buffer overflow attacks, ICMP floods, and more.
- Has Fix - A fix is available from the distro, vendor, or package maintainer.
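The vulnerability list columns and the risk factors above are what a team actually uses to decide which findings block a deployment and which are tracked as advisory. The following is an added example of such a triage step, not Bridgecrew's or Checkov's own code: the Finding record mirrors the columns of the vulnerability list (severity, CVE ID, package, risk factors, CVSS, publish date), but the record layout, the sample findings (placeholder CVE IDs) and the gate thresholds are constructed assumptions, not the scanner's real output format or a recommended policy.

```python
"""Triage of image-scan findings by severity and risk factors.

Added example; the field layout and sample data are assumptions and do not
reproduce the scanner's actual export format.
"""
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}


@dataclass
class Finding:
    cve_id: str
    package: str
    severity: str          # colour-coded severity column
    cvss: float            # CVSS base score column
    published: str         # publish date column, ISO format
    risk_factors: dict = field(default_factory=dict)  # Risk Factors column


# Constructed sample findings; the CVE IDs are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "openssl", "critical", 9.8, "2023-01-10",
            {"Attack Vector": "Network", "Attack Complexity": "Low",
             "Remote Execution": True, "Has Fix": True}),
    Finding("CVE-0000-0002", "libxml2", "high", 7.5, "2022-11-02",
            {"Attack Vector": "Network", "Attack Complexity": "Low",
             "DoS": True, "Has Fix": False}),
    Finding("CVE-0000-0003", "bash", "high", 7.8, "2022-06-15",
            {"Attack Vector": "Local", "Attack Complexity": "Low",
             "Remote Execution": True, "Has Fix": True}),
    Finding("CVE-0000-0004", "zlib", "medium", 5.3, "2021-03-20",
            {"Attack Vector": "Network", "Attack Complexity": "High",
             "Has Fix": True}),
]


def priority(f: Finding) -> int:
    """Higher is more urgent: network-reachable code execution with a fix first."""
    rf = f.risk_factors
    score = SEVERITY_RANK.get(f.severity.lower(), 0) * 10
    if rf.get("Remote Execution") and rf.get("Attack Vector") == "Network":
        score += 5   # reachable by the largest attacker population
    if rf.get("DoS") and rf.get("Attack Vector") == "Network":
        score += 2
    if rf.get("Has Fix"):
        score += 1   # fixable findings are actionable now
    return score


def gate_reason(f: Finding, min_severity: str = "high") -> Optional[str]:
    """Why a finding should block deployment, or None if it may pass (policy is an assumption)."""
    rf = f.risk_factors
    if SEVERITY_RANK.get(f.severity.lower(), 0) < SEVERITY_RANK[min_severity]:
        return None
    if rf.get("Has Fix"):
        return "fix available, upgrade the package"
    if rf.get("Remote Execution") and rf.get("Attack Vector") == "Network":
        return "remotely exploitable code execution without a vendor fix"
    return None


def triage(findings, min_severity: str = "high"):
    """Return (blocking, advisory): blocking holds (cve_id, reason) pairs, both ordered by priority()."""
    ordered = sorted(findings, key=priority, reverse=True)
    blocking = []
    advisory = []
    for f in ordered:
        reason = gate_reason(f, min_severity)
        if reason:
            blocking.append((f.cve_id, reason))
        else:
            advisory.append(f.cve_id)
    return blocking, advisory


if __name__ == "__main__":
    blocking, advisory = triage(SAMPLE_FINDINGS)
    for cve_id, reason in blocking:
        print(f"BLOCK    {cve_id}: {reason}")
    for cve_id in advisory:
        print(f"ADVISORY {cve_id}")
```

The ordering rule deliberately weights Attack Vector and Remote Execution together: a local-only code execution flaw (CVE-0000-0003 above) ranks below an unfixed network-reachable denial of service, even though both carry the same severity label, which matches the reasoning given for the Attack Vector risk factor. Adjust the thresholds in gate_reason to your own policy; the values used here are illustrative.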