Each Container Registry can provide a detailed analysis of Common Vulnerabilities and Exposures (CVEs) that may be exploitable in your artifacts. For more information, see Enable Vulnerability Scanning.
Vulnerability scan results provide detailed information about the security of your artifacts at different levels. The following sections provide more information.
When new vulnerabilities are identified, you may want to search your entire Container Registry to see if any of the artifacts are vulnerable. To do this, you will need the Common Vulnerabilities and Exposures (CVE) number. Every published vulnerability or security issue is assigned a unique CVE number.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to search, and click on the Vulnerability Search section.
3. Enter the full CVE number of the vulnerability you want to search for.
Result: A list of artifacts known to be vulnerable to the CVE is displayed.
To ensure that your artifacts, and the software supply chain they rely on, remain secure, you will need to review the results of the vulnerability scan periodically. The first step in this review process will be to see which repositories contain vulnerabilities.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to review.
Result: You will see a list of repositories in the registry. The VULNERABILITIES column shows you the highest severity vulnerability in the last artifact pushed to the repository.
Note: Depending on the content of your registry, there may be too many repositories to list on a single page. Remember to use the per page control to set the number of repositories displayed per page and to navigate between pages using < and >.
You can review which artifacts in a specific repository are exposed to vulnerabilities. This view shows you which artifacts have known fixes, when each artifact was last pushed (that is, when updates were made), and when it was last pulled, which often aligns with the software being deployed to an environment.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to review.
3. Select the repository that you want to review.
Result: You can now see all artifacts in the repository, listed by artifact, with the following columns:
The TAG used when pushing the artifact to the repository.
The VULNERABILITIES column, showing the highest severity vulnerability in the artifact at the time of the LAST SCAN.
The LAST PUSH date and time.
The LAST PULL date and time.
Note: Depending on the content of your repository, there may be too many artifacts to list on a single page. Remember to use the per page control to set the number of artifacts displayed per page and to navigate between pages using < and >.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to review.
3. Select the repository that you want to review.
4. Select the artifact you want to view.
Result: You can now see a list of all known CVEs that the artifact is vulnerable to.
You can filter the list by SEVERITY.
You can filter the list to only show those vulnerabilities that are reported as FIXABLE.
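The four views described above (registry-wide search by full CVE number, the per-repository overview of the last pushed artifact, the per-artifact listing, and the SEVERITY and FIXABLE filters) can be reproduced over exported scan results when you need to review many registries at once. The following Python is an added example, not DCD code or its API; the scan data, repository names and CVE numbers are constructed placeholders, and the record layout is an assumption.

```python
import re

# Constructed sample scan results: illustrative placeholders, not real DCD
# output and not real CVE numbers. One record per artifact (repo + tag).
SCAN_RESULTS = [
    {"repo": "web/api", "tag": "1.3.9", "last_push": "2024-03-11",
     "cves": [{"id": "CVE-2099-00001", "severity": "HIGH", "fixable": True}]},
    {"repo": "web/api", "tag": "1.4.0", "last_push": "2024-05-02",
     "cves": [{"id": "CVE-2099-00001", "severity": "HIGH", "fixable": True},
              {"id": "CVE-2099-00002", "severity": "LOW", "fixable": False}]},
    {"repo": "batch/worker", "tag": "2.0.1", "last_push": "2024-04-20",
     "cves": [{"id": "CVE-2099-00002", "severity": "LOW", "fixable": False}]},
    {"repo": "tools/cli", "tag": "0.9.0", "last_push": "2024-01-15", "cves": []},
]

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_full_cve_id(text):
    """The search needs the full identifier (CVE-YYYY-NNNN...), not a fragment."""
    return bool(CVE_ID.match(text.strip().upper()))


def highest_severity(cves):
    """Worst severity among an artifact's findings; NONE when there are none."""
    return max((c["severity"] for c in cves), key=SEVERITY_RANK.__getitem__, default="NONE")


def artifacts_vulnerable_to(cve_id, results=SCAN_RESULTS):
    """Registry-wide CVE search: every (repo, tag) whose scan lists the CVE."""
    if not is_full_cve_id(cve_id):
        raise ValueError(f"not a full CVE number: {cve_id!r}")
    wanted = cve_id.strip().upper()
    return [(a["repo"], a["tag"]) for a in results
            if any(c["id"] == wanted for c in a["cves"])]


def repository_overview(results=SCAN_RESULTS):
    """Registry view: per repository, highest severity in the LAST pushed artifact."""
    latest = {}
    for a in results:  # ISO dates compare correctly as strings
        if a["repo"] not in latest or a["last_push"] > latest[a["repo"]]["last_push"]:
            latest[a["repo"]] = a
    return {repo: highest_severity(a["cves"]) for repo, a in latest.items()}


def artifact_cves(repo, tag, min_severity="NONE", fixable_only=False, results=SCAN_RESULTS):
    """Artifact view: CVE ids, optionally filtered by SEVERITY and to FIXABLE findings."""
    artifact = next(a for a in results if a["repo"] == repo and a["tag"] == tag)
    return [c["id"] for c in artifact["cves"]
            if SEVERITY_RANK[c["severity"]] >= SEVERITY_RANK[min_severity]
            and (c["fixable"] or not fixable_only)]
```

Note that the overview only reflects the last pushed artifact per repository, so an older tag that is still being pulled (and therefore probably still deployed) can carry a worse finding than the overview shows; the artifact view is the place to catch that.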
When you have found a specific CVE, either by viewing vulnerability scan results for a specific artifact or by finding artifacts that are vulnerable to a specific CVE, you can see more details about the CVE by clicking on the CVE identification number. This will provide additional information about the vulnerability and may include references to third-party sites where additional information can be found.