Image Vulnerabilities


Image scanning for vulnerabilities with Bridgecrew (powered by Prisma Cloud Compute) collects information about the packages and binaries in a selected container image. This enables the detection of active CVEs (Common Vulnerabilities and Exposures) before deployment. Scan results appear under Projects in Bridgecrew Cloud.

Scanning for Vulnerabilities

Before you start a scan, make sure you have installed or acquired:

Use the Bridgecrew CLI or Checkov to trigger a scan of a specific Docker file, as shown in the example below:

bridgecrew --docker-image ubuntu --dockerfile-path /Users/bob/workspaces/bridgecrew/Dockerfile --bc-api-key <api_key> --repo-id bob/test --branch master

Using the example above, replace the following values with your specific values:

  • /Users/bob/workspaces/bridgecrew/Dockerfile with the path and name of the Docker file
  • <api_key> with your API token
  • bob/test with the identity string of the repository

Reviewing Vulnerabilities in Bridgecrew

To view vulnerabilities in Docker files:

  1. Select Projects and then choose Vulnerabilities under Category.

Category Filter

  2. Navigate to the repository specified in the Bridgecrew CLI command above.

Vulnerabilities in scanned images are listed in the results window.

The results window is divided into 3 sections:

  • Vulnerability differences
  • Vulnerabilities list
  • Resource Explorer

The top part of the window shows, as a Git-style diff, the lines in the image where the selected CVE was found.

The bottom part of the window shows the list of CVEs that were detected in the Docker file. The vulnerability list contains:

Select a CVE to show the Resource Explorer. The Resource Explorer contains details about the selected CVE, including an explanation and associated risk factors. The displayed risk factors are dynamic and change based on the type of CVE selected.

Use the Suppress button to suppress the selected Docker file.
Use the Suppress button again to remove the Docker file from the suppressed list.

Risk Factors

The details provided for risk factors include:

  • Attack Complexity - the conditions beyond the attacker's control that must exist in order to exploit the vulnerability (such as certain system configuration settings or computational exceptions). Possible values: Low, High.
  • Attack Vector - the context by which vulnerability exploitation is possible. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. Possible values: Network, Adjacent, Local, Physical.
  • Remote Execution - the vulnerability can be exploited to run arbitrary code.
  • DoS - the component is vulnerable to denial of service attacks, such as buffer overflow attacks, ICMP floods, and more.
  • Has Fix - a fix is available from the distro, vendor, or package maintainer.
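The risk factors above are what a team uses to decide which findings to fix first. The following added example (not Bridgecrew code, and not Bridgecrew's output format) shows one way to turn those factors into a triage order: findings are loaded from records whose field names mirror the risk factors listed above, validated against the possible values the page gives, and ranked so that fixable, network-reachable remote-execution findings come first. The CVE ids, package names and the weighting scheme are constructed for illustration.

```python
"""Triage helper for image-scan findings, ranked by the risk factors described above.

Added example: the record layout, weights and sample findings are assumptions,
not Bridgecrew's scan output. CVE ids in SAMPLE_RECORDS are placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Ordering follows the CVSS v3 base metrics the risk factors are derived from:
# a bug reachable from the network outranks one needing physical access, and
# low complexity outranks high. The integer weights themselves are an assumption.
ATTACK_VECTOR_WEIGHT = {"Network": 4, "Adjacent": 3, "Local": 2, "Physical": 1}
ATTACK_COMPLEXITY_WEIGHT = {"Low": 2, "High": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    attack_vector: str
    attack_complexity: str
    remote_execution: bool = False
    dos: bool = False
    has_fix: bool = False

    @classmethod
    def from_record(cls, record: dict) -> "Finding":
        """Build a Finding from a plain dict, rejecting values outside the
        documented possible values so a typo cannot silently drop a CVE to
        the bottom of the list."""
        av = record["attack_vector"]
        ac = record["attack_complexity"]
        if av not in ATTACK_VECTOR_WEIGHT:
            raise ValueError(f"{record['cve']}: unknown Attack Vector {av!r}")
        if ac not in ATTACK_COMPLEXITY_WEIGHT:
            raise ValueError(f"{record['cve']}: unknown Attack Complexity {ac!r}")
        return cls(
            cve=record["cve"],
            package=record["package"],
            attack_vector=av,
            attack_complexity=ac,
            remote_execution=bool(record.get("remote_execution", False)),
            dos=bool(record.get("dos", False)),
            has_fix=bool(record.get("has_fix", False)),
        )


def risk_score(f: Finding) -> int:
    """Integer priority; higher means fix sooner.

    Reachability (vector x complexity) is the base; remote code execution
    dominates, DoS adds a little, and an available fix adds a little because
    those findings are the cheapest to close.
    """
    score = ATTACK_VECTOR_WEIGHT[f.attack_vector] * ATTACK_COMPLEXITY_WEIGHT[f.attack_complexity]
    if f.remote_execution:
        score += 10
    if f.dos:
        score += 3
    if f.has_fix:
        score += 2
    return score


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by CVE id for a stable report."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))


def fixable_remote_exec(findings: Iterable[Finding]) -> List[Finding]:
    """The shortest list worth blocking a deployment on: network-reachable
    remote execution for which the distro or vendor already ships a fix."""
    return [
        f for f in findings
        if f.remote_execution and f.attack_vector == "Network" and f.has_fix
    ]


# Constructed sample records; ids are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"cve": "CVE-EXAMPLE-0001", "package": "libexample", "attack_vector": "Network",
     "attack_complexity": "Low", "remote_execution": True, "has_fix": True},
    {"cve": "CVE-EXAMPLE-0002", "package": "toolx", "attack_vector": "Local",
     "attack_complexity": "High", "dos": True},
    {"cve": "CVE-EXAMPLE-0003", "package": "netsvc", "attack_vector": "Network",
     "attack_complexity": "Low", "dos": True},
    {"cve": "CVE-EXAMPLE-0004", "package": "parserlib", "attack_vector": "Adjacent",
     "attack_complexity": "Low", "remote_execution": True},
]

SAMPLE_FINDINGS = [Finding.from_record(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):>3}  {f.cve}  {f.package}  "
              f"{f.attack_vector}/{f.attack_complexity}  fix={f.has_fix}")
    print("block deployment on:", [f.cve for f in fixable_remote_exec(SAMPLE_FINDINGS)])
```

The weights are deliberately coarse: the point is the ordering, not a CVSS reimplementation. Validation in `from_record` matters in practice because a scanner export with an unexpected label would otherwise need a default weight, and a silent default tends to bury exactly the findings that need attention.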
