
Configure Container Vulnerability Assessment (CVA)

You can assess container vulnerabilities in InsightCloudSec using the Container Vulnerability Assessment (CVA) feature. CVA currently supports two assessment types:

  • Remote assessments for cloud-based containers and registries
  • Local assessments for private Open Container Initiative (OCI) registries

Prerequisites

Before you configure CVA, make sure you have the following:

  • InsightCloudSec Admin permissions (Domain or Org Admin)
  • For remote CVA users: permissions in AWS, Azure, or GCP to create roles or policies.
  • For local CVA users:
⚠️ Windows not supported

CVA does not currently support Windows images.

Task 1: Configure CVA

Remote and local assessments require different configuration steps.

Configure remote CVA

The remote CVA scanner helps assess images in cloud-based registries in your environment as well as public registries. To learn more about a typical CVA workflow, see the CVA FAQ.

AWS

InsightCloudSec supports container assessments in AWS, including the following services and registries:

  • Elastic Container Service (ECS)
  • Elastic Kubernetes Service (EKS)
  • Elastic Container Registry (ECR)
⚠️ ECR image name affects assessment

InsightCloudSec currently supports assessing images in private ECR repositories only when containers reference them using the default ECR naming convention (<account-number>.dkr.ecr.<region-name>.amazonaws.com).

To configure remote CVA for AWS, choose one of the following options:

  • Add the following permissions to the IAM policy associated with InsightCloudSec:

    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage"
  • Attach the following policy to the IAM role associated with InsightCloudSec:

    {
      "Statement": [
        {
          "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "AllowEcrReadOnlyAccessForVulnerabilityScanning"
        }
      ],
      "Version": "2012-10-17"
    }

You’re now covered!

After you add the policy or permissions to your cloud account, InsightCloudSec automatically starts assessing relevant images, containers, and clusters.
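The following Python is an added example (not Rapid7 code) that checks an IAM policy document against the four ECR actions listed above: it reports any missing, wildcard or surplus actions, and notes where the three image-read actions could be scoped to repository ARNs (GetAuthorizationToken has no resource-level scoping in IAM and must stay on "*"). PAGE_POLICY mirrors the policy on this page; SCOPED_POLICY and its account id, region and repository ARN are constructed.

```python
"""Least-privilege check for the ECR policy attached for remote CVA.
Added example, not Rapid7 code: CVA_ECR_ACTIONS and PAGE_POLICY come from
this page; the scoping advice and SCOPED_POLICY are the example's own."""

# The four ECR actions this page lists for remote CVA in AWS.
CVA_ECR_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                   "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}
# IAM has no resource-level scoping for GetAuthorizationToken (it must stay
# on Resource "*"); the other three accept repository ARNs.
WILDCARD_ONLY = {"ecr:GetAuthorizationToken"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_cva_policy(policy: dict) -> dict:
    """Return {"errors": [...], "advice": [...]}: errors for missing, wildcard
    or surplus actions; advice for scopable actions still on Resource "*"."""
    errors, advice, granted = [], [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing; skip them
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        wild = sorted(a for a in actions if "*" in a)
        if wild:
            errors.append(f"{sid}: wildcard action(s) {wild}")
        extra = sorted(actions - CVA_ECR_ACTIONS - set(wild))
        if extra:
            errors.append(f"{sid}: actions beyond CVA's needs {extra}")
        granted |= actions & CVA_ECR_ACTIONS
        scopable = sorted((actions & CVA_ECR_ACTIONS) - WILDCARD_ONLY)
        if scopable and "*" in resources:
            advice.append(f"{sid}: {scopable} could be scoped to repository ARNs")
    missing = sorted(CVA_ECR_ACTIONS - granted)
    if missing:
        errors.append(f"missing CVA actions {missing}")
    return {"errors": errors, "advice": advice}

# The policy from this page (same actions, Sid, Effect and Resource).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": sorted(CVA_ECR_ACTIONS), "Sid": "AllowEcrReadOnlyAccessForVulnerabilityScanning"}]}

# Tightened variant (constructed, placeholder account/region): token on "*", reads on one repo.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EcrToken", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Sid": "EcrRead", "Effect": "Allow", "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/app/*",
     "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
]}
```

Running check_cva_policy on PAGE_POLICY returns no errors and one advice line; on SCOPED_POLICY it returns neither.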

Azure

InsightCloudSec supports container assessments in Azure, including the following services and registries:

  • Azure Kubernetes Service (AKS)
  • Azure Container Registry (ACR)

To configure CVA for Azure, add the following permissions to the role associated with InsightCloudSec:

"Microsoft.ContainerRegistry/registries/pull/read"

You’re now covered!

After you add the policy or permissions to your cloud account, InsightCloudSec automatically starts assessing relevant images, containers, and clusters.

GCP

InsightCloudSec supports container assessments in GCP, including the following services and registries:

  • Google Kubernetes Engine (GKE)
  • GCP Artifact Registry or Google Container Registry (GCR)

To configure CVA for GCP, add the following permissions to the role associated with InsightCloudSec:

"storage.buckets.get"
"artifactregistry.dockerimages.get"

You’re now covered!

After you add the policy or permissions to your cloud account, InsightCloudSec automatically starts assessing relevant images, containers, and clusters.

Third party as-a-service registries

InsightCloudSec supports all third party as-a-service registries, including Private DockerHub, JFrog, Quay, and Harbor. These registries can be assessed with no authentication, username and password authentication, or API key authentication.

InsightCloudSec supports the following unauthenticated third party as-a-service registries without requiring additional configuration:

  • Alibaba Cloud
    • registry.aliyuncs.com
  • Docker
    • docker.io
    • registry.hub.docker.com
    • us-docker.pkg
  • GitHub
    • ghcr.io
  • Google
    • gke.gcr.io
    • gcr.io
    • k8s.gcr.io
    • registry.gcr.io
    • *.gcr.io
    • k8s-artifacts-prod
  • IBM
    • icr.io
  • Linkerd
    • cr.l5d.io
  • Linux Server
    • lscr.io
  • Kubernetes
    • registry.k8s.io
  • Microsoft
    • mcr.microsoft.com
  • Quay
    • quay.io
  • Upbound
    • xpkg.upbound.io

Don’t see your preferred registry?

If you don’t see your preferred registry in this list, you can add a registry within InsightCloudSec.

Authenticated registries

InsightCloudSec supports assessing container images in both as-a-service and self-hosted authenticated private registries. These registries require either username and password authentication or API token authentication.

Self-hosted registry support

Adding a self-hosted registry requires InsightCloudSec to have network access to the registry. For more information, see the Manage registries section.

Troubleshooting

If you’re having trouble harvesting or assessing images and container workloads, review the Cloud VM CVA FAQ, notably the image assessments section, or contact support for assistance.

Configure local CVA

The local CVA scanner helps assess images in private OCI registries in your environment. You can deploy multiple scanners, but Rapid7 recommends one per environment. To learn more about a typical local scanner CVA workflow, see the CVA FAQ.

⚠️ Network access required

The local CVA scanner requires network access to InsightCloudSec and your container registry.

Choose one of the following deployment methods:

Kubernetes cluster (recommended)

You can deploy the local CVA scanner to a Kubernetes cluster as a workload.

Want to change how often the scanner runs?

The local CVA also supports a cron schedule environment variable (CRON_SCHEDULE) to change how often the scanner runs (default is every 2 hours).

To deploy the local CVA scanner to a Kubernetes cluster:

  1. Make sure you have an InsightCloudSec API key.

  2. Create a secret that references your InsightCloudSec API key, either as a literal value or from a file:

    kubectl create secret generic divvyapikey --from-literal=DIVVY_API_KEY=<ICS_API_KEY> -n <namespace>
    # or, from a file:
    kubectl create secret generic divvyapikey --from-file=DIVVY_API_KEY=<path/to/file.txt> -n <namespace>
  3. Create a deployment file and replace <namespace>, <insightcloudsec-url>, and <local-cva-scanner-image-id> with the proper values. Ask your Cybersecurity Advisor for assistance with this if needed. For example:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: scanner-deployment
      namespace: <namespace>
      labels:
        app: scanner-pod
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: scanner-pod
      template:
        metadata:
          labels:
            app: scanner-pod
        spec:
          containers:
            - name: scanner-pod
              image: <local-cva-scanner-image-id>
              env:
                - name: DIVVY_URL
                  value: "https://<insightcloudsec-url>"
              volumeMounts:
                - name: divvy-api-secret
                  mountPath: /etc/secrets
                  readOnly: true
          volumes:
            - name: divvy-api-secret
              secret:
                secretName: divvyapikey
                items:
                  - key: DIVVY_API_KEY
                    path: DIVVY_API_KEY
  4. Deploy the workload:

    kubectl apply -f <deployment-filename>.yaml

Docker

You can also deploy the local CVA scanner as a Docker container on any available compute resource.

Want to change how often the scanner runs?

The local CVA also supports a cron schedule environment variable (CRON_SCHEDULE) to change how often the scanner runs (default is every 2 hours).

To deploy the local CVA scanner using Docker:

  1. Make sure you have an InsightCloudSec API key. Rapid7 recommends exporting your API key as a local environment variable.

  2. Run the following command, replacing <insightcloudsec-url> and <local-cva-scanner-image-id> with the proper values. Ask your Cybersecurity Advisor for assistance with this if needed. For example:

    docker run -d \
      -e DIVVY_URL="<insightcloudsec-url>" \
      -e DIVVY_API_KEY="$DIVVY_API_KEY" \
      <local-cva-scanner-image-id>

Task 2: Turn on CVA

Before InsightCloudSec can regularly assess containers and images for vulnerabilities, you need to turn on CVA. The required configuration is available on the Vulnerability Settings page, which you can access from the Vulnerabilities page.

⚠️ Settings are per InsightCloudSec Organization

Vulnerability Settings are specific to the InsightCloudSec Organization you are logged in to. For more information on InsightCloudSec Organizations (not to be confused with Cloud Organizations), see Organizations.

To turn on container assessments:

  1. Log in to InsightCloudSec and navigate to Vulnerabilities.
  2. Click Settings.
  3. Select the Container Assessment tab.
  4. Turn on the Enable Container Vulnerability Assessment toggle. The list of registries appears.

Manage registries

For local registries and registries not listed in the remote CVA configuration section, you must manually add the registry and configure authentication (if needed). You can edit, toggle on or off, or delete registries anytime from the Action menu.

To add a registry:

  1. Go to Vulnerability Settings > Container Assessment.
  2. Click + Add Registry.
  3. Provide a name, base URL, and (optionally) a description for the registry. The base URL supports glob patterns (for example, *.base-url.com/path/to/resource/*).
  4. Select Local Scan if the registry is local.
  5. Select the authentication type:
    • Unauthenticated
      1. Click Add Registry.
    • Authenticated
      1. Choose Token or Username and Password.
        • For Token, enter the token.
        • For Username and Password, enter both credentials.
  6. Click Add Registry.

Some registries are turned on by default

As-a-service registries and self-hosted registries with open network access are turned on by default, so containers are assessed as soon as possible. If your self-hosted registry is not internet-accessible, contact your Cybersecurity Advisor to get your account’s unique InsightCloudSec egress IP. Use this IP when configuring ingress policies to allow access to your registry.

To edit a registry:

  1. Go to Vulnerability Settings > Container Assessment.
  2. For the registry you want to update, click the Action menu.
  3. Click Edit.
  4. Update the registry details as needed.
  5. Click Update Registry.
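To see how the registry settings above combine, here is an added Python example (not Rapid7 code) that resolves an image reference to the registry entry it falls under: a glob pattern on the base URL as in the Add Registry form, the Local Scan flag, and the default ECR naming convention noted in the AWS section. The registry entries and image references are constructed, and the example assumes fnmatch-style glob semantics for base URL patterns.

```python
"""Resolve which configured registry an image reference falls under, following
this page's rules: glob patterns on the registry base URL, and the default ECR
naming convention for private ECR. Added example, not Rapid7 code; the registry
entries and image references are constructed, and glob matching uses fnmatch
semantics (the example's assumption about how base URL patterns are applied)."""
import re
from fnmatch import fnmatchcase

# Default ECR host form from this page: <account-number>.dkr.ecr.<region-name>.amazonaws.com
ECR_DEFAULT_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")

# Constructed entries in the shape of the Add Registry form: name, base URL
# (glob allowed), and whether Local Scan was selected.
REGISTRIES = [
    {"name": "Docker Hub", "base_url": "docker.io", "local_scan": False},
    {"name": "GitHub", "base_url": "ghcr.io", "local_scan": False},
    {"name": "Corp Harbor", "base_url": "*.harbor.example.internal/prod/*", "local_scan": True},
]

def split_reference(image_ref: str) -> tuple:
    """Split 'host/path:tag@digest' into (host, path). A first component with no
    '.' or ':' (and not 'localhost') is a Docker Hub path, not a registry host."""
    ref = image_ref.split("@", 1)[0]                      # drop any digest
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        host, path = first, rest
    else:
        host, path = "docker.io", ref
    if ":" in path.rsplit("/", 1)[-1]:                    # tag on last segment
        path = path.rsplit(":", 1)[0]
    return host, path

def resolve_registry(image_ref: str, registries=REGISTRIES) -> dict:
    """Return how CVA would treat the image: a private ECR image picked up via
    the IAM policy route, a configured registry (remote or local scan), or unmatched."""
    host, path = split_reference(image_ref)
    if ECR_DEFAULT_HOST.match(host):
        return {"source": "ecr", "registry": host, "local_scan": False}
    for reg in registries:
        pattern = reg["base_url"]
        # Host-only patterns match the host; patterns with a path match host/path.
        target = f"{host}/{path}" if "/" in pattern else host
        if fnmatchcase(target, pattern):
            return {"source": "registry", "registry": reg["name"], "local_scan": reg["local_scan"]}
    return {"source": "unmatched", "registry": host, "local_scan": None}
```

An image under a host that matches none of the entries comes back as unmatched, which is the case where a registry must be added manually as described above.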

Using Cloud VM

Once configuration is complete, InsightCloudSec automatically assesses images and containers. Cloud VM is available from the main navigation under Security > Vulnerabilities. To learn more, see Reviewing and Managing Vulnerabilities.