Vanta can fetch container vulnerabilities from supported container scanning tools. For the supported tools Vanta will:
- Display container vulnerabilities on Vanta’s Vulnerabilities page
- Track SLA deadlines on vulnerabilities, and surface remediation status for use in audits
- Alert customers when new vulnerabilities are found or vulnerabilities are close to SLA
The currently supported container scanning registries and scanners are:
General Vulnerability Scanners:
Setup Instructions
AWS ECR (Amazon Web Services, Elastic Container Registry)
To enable Vanta to fetch vulnerabilities surfaced by scans of your ECR container images, add the ecr:DescribeImageScanFindings, ecr:DescribeImages, and ecr:ListTagsForResource permissions to the existing Vanta policy. This lets Vanta access the relevant information in ECR.
Additionally, turn on Scan on Push for each ECR repository.
Setup Instructions:
- For each AWS account, navigate to the IAM Policies page in the AWS console.
- Search for the VantaAdditionalPermissions IAM policy you created during AWS credential linking.
- Click on Edit policy and click on the "JSON" tab.
- Paste the following policy into the editor (fully replacing the existing policy).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click Review policy and Save changes.
- Double-check that the vanta-auditor IAM role has the VantaAdditionalPermissions policy attached on the IAM Roles page.
- For each ECR repository, make sure that you've enabled vulnerability scanning by choosing the "Scan on push" option. You can do this in the portal by following the instructions from AWS here, or through the CLI here.
Within an hour of completing these steps, you should see ECR repositories and their vulnerabilities populated on the Vulnerabilities page.
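A pre-flight check for the two ECR requirements above (the three ecr:* permissions in the policy, and Scan on push on every repository), written as an added example that is not Vanta's or AWS's own code. It works offline on a policy document and on the JSON that `aws ecr describe-repositories --output json` prints; the sample inputs are constructed.

```python
import fnmatch
import json

# The three ECR permissions the setup steps add to VantaAdditionalPermissions.
REQUIRED_ECR_ACTIONS = {
    "ecr:DescribeImageScanFindings",
    "ecr:DescribeImages",
    "ecr:ListTagsForResource",
}

def _actions(stmt):
    """Normalise a statement's Action field to a list (IAM allows a bare string)."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else actions

def missing_actions(policy_json):
    """Required ECR actions the policy does not effectively grant. Honours
    wildcards such as "ecr:Describe*" and lets an explicit Deny override an
    Allow, as IAM does (exact-case matching is a simplification)."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        matched = {a for a in REQUIRED_ECR_ACTIONS
                   for pat in _actions(stmt) if fnmatch.fnmatchcase(a, pat)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(matched)
    return REQUIRED_ECR_ACTIONS - (allowed - denied)

def repos_without_scan_on_push(describe_json):
    """Repositories whose scanOnPush is not enabled, from the JSON printed by
    `aws ecr describe-repositories --output json`."""
    repos = json.loads(describe_json).get("repositories", [])
    return sorted(r["repositoryName"] for r in repos
                  if not r.get("imageScanningConfiguration", {}).get("scanOnPush"))

# Constructed sample inputs, not real account data: the policy lacks one action
# and two of the three repositories have scan on push disabled or unset.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:DescribeImages", "ecr:ListTagsForResource"]}]})
SAMPLE_REPOS = json.dumps({"repositories": [
    {"repositoryName": "api", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "worker", "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "legacy"}]})

if __name__ == "__main__":
    print("missing IAM actions:", sorted(missing_actions(SAMPLE_POLICY)))
    print("repos without scan on push:", repos_without_scan_on_push(SAMPLE_REPOS))
```

Run it against the real policy (`aws iam get-policy-version`) and the real repository listing before waiting the hour for data to appear; an empty result from both functions means the two prerequisites are met.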
GCP GCR (Google Cloud Platform, Google Container Registry)
To enable Vanta to fetch vulnerabilities surfaced by GCP Container Registry, enable both the Container Analysis API and Container Scanning API in GCP.
- The Container Analysis API lets Vanta fetch container metadata. This API is free.
- The Container Scanning API enables vulnerability scanning on each container. This may incur additional charges from GCP.
If you’re already doing container vulnerability scanning in GCP, both APIs should already be enabled. If not, Vanta recommends that you start container scanning, but whether to do so is your decision. You can learn more about container scanning here. When you’re ready, follow the instructions below to enable the APIs for each GCP project.
Setup Instructions:
You can enable these APIs via either the online console or the gcloud terminal command.
If you’ve set up GCP such that the Vanta scanner service account is in a separate project from your container repositories, make sure to enable these APIs in both the project containing your container repositories and the project containing the Vanta service account.
Via the online console: Go to the following links and follow the instructions:
- Container analysis: https://console.cloud.google.com/flows/enableapi?apiid=containeranalysis.googleapis.com
- Container scanning: https://console.cloud.google.com/flows/enableapi?apiid=containerscanning.googleapis.com
Via gcloud: Enter the following commands in your terminal:
```sh
gcloud services enable containerscanning.googleapis.com
gcloud services enable containeranalysis.googleapis.com
```
**Please note that enabling Container Scanning API will incur additional charges from GCP.**
For additional information on GCP container analysis, please refer to: https://cloud.google.com/container-analysis/docs/container-analysis
Azure Defender
Vanta’s Azure Container Scanning integration fetches data from Azure Defender for Container Registries. Azure Defender for Container Registries is a feature that automatically scans containers uploaded to Azure Container Registry for vulnerabilities.
If you already use Azure Defender for Container Registries, you don’t need to take any action - you should already see vulnerabilities from ACR repositories reflected on Vanta’s Vulnerabilities page.
However, if you’d like to start using container scanning, follow these instructions:
- Visit the Pricing and Settings page of the Azure Security Center.
- Select the subscription you’d like to enable container scanning for.
- Under “Container registries”, toggle the switch to on. Scroll up and click save.
Within an hour of enabling, ACR repositories and vulnerabilities should start being displayed on Vanta’s Vulnerabilities page.
Snyk
To link your Snyk account, please visit the Connections Page and follow the directions there.

Viewing Linked Containers and Vulnerabilities
Once you've linked AWS and/or GCP, you’ll see new tabs for “Container issues” in addition to the “Agent issues” tab on the Vulnerabilities page, and container repositories will populate on the Vulnerabilities and Inventory pages.
Viewing vulnerabilities
Vanta will fetch the vulnerabilities from the latest container image uploaded to each container repository. From the Vulnerabilities page, you may click on a repository to view more details about the vulnerabilities and Vanta-assigned SLA deadlines.
Scope
If a container repository is irrelevant, you may mark it out of scope using the scoping option from the connections page. This will also mark any vulnerabilities on that container repository as out of scope.

Alerts
You will receive an email notification regarding any new vulnerabilities or upcoming SLA deadlines.
Remediation tracking / audit evidence
Vulnerability remediation and SLA information is tracked in the history display for this task. This is where you can see whether the task was ever in a failing state:

If you have any questions about container scanning, please reach out to us!
support@vanta.com