Vulnerability Scanning
vSphere Integrated Containers uses the open source project Clair to scan images for known vulnerabilities. Management Portal administrators and DevOps administrators can set threshold values that restrict vulnerable images that exceed the threshold from being run. You can run a vulnerability scan on all images, on a per-project level, or on individual images. Once an image is uploaded into the registry, Clair checks the various layers of the image against known vulnerability databases and reports issues to the administrators.
Prerequisites
You must allow firewall access from your vSphere Integrated Containers instance to the following URLs so that Clair can sync its database.
| Item | Database URL |
|---|---|
| Ubuntu | https://launchpad.net/ubuntu-cve-tracker| |
| Red Hat Enterprise Linux | https://www.redhat.com/security| |
| Oracle | https://linux.oracle.com/oval/| |
| Debian | https://security-tracker.debian.org| |
| Alpine | https://git.alpinelinux.org| |
| National Vulnerability Database | http://static.nvd.nist.gov| |
| CVE information | https://cve.mitre.org/ |
For information about how to run scans, see the following topics: