AWS ECR (Amazon Web Services, Elastic Container Registry)
To enable Vanta to fetch vulnerabilities surfaced by scans of your ECR container images, add the ecr:DescribeImageScanFindings, ecr:DescribeImages, and ecr:ListTagsForResource permissions to the existing Vanta policy. This lets Vanta access relevant information in ECR.
Additionally, turn on Scan on Push for each ECR repository.
Setup Instructions:
For each AWS account, navigate to the IAM Policies page in the AWS console.
Search for the VantaAdditionalPermissions IAM policy you created during AWS credential linking.
Click on Edit policy and click on the "JSON" tab.
Paste the following policy into the editor (fully replacing the existing policy).
Double-check that the vanta-auditor IAM role has the VantaAdditionalPermissions policy attached on the IAM Roles page.
For each ECR repository, ensure you've enabled vulnerability scanning by choosing the "Scan on push" option. You can do this in the portal by following the instructions from AWS here, or through the CLI.
Within an hour of doing these, you should see ECR repositories and their vulnerabilities populated on the Vulnerabilities page!
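As an added illustration (not Vanta's or AWS's code), the following script checks the two ECR requirements above offline: that a policy document grants the three actions listed at the top of this section, honouring IAM wildcards and Deny statements, and that every repository has Scan on Push turned on. The function names and the sample policy and `describe-repositories` data are constructed for the example; in practice you would feed it your real VantaAdditionalPermissions document and the output of `aws ecr describe-repositories`.

```python
import fnmatch

# The three actions Vanta needs added to its policy for ECR scan findings.
REQUIRED_ECR_ACTIONS = (
    "ecr:DescribeImageScanFindings",
    "ecr:DescribeImages",
    "ecr:ListTagsForResource",
)

def _as_list(value):
    """IAM accepts a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def missing_ecr_actions(policy):
    """Return the required actions the policy does not grant: an action is
    granted when an Allow statement matches it and no Deny does (IAM matches
    case-insensitively with * and ? wildcards). Resource/Condition ignored."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        (allow if stmt.get("Effect") == "Allow" else deny).extend(patterns)
    def granted(action):
        name = action.lower()
        return (any(fnmatch.fnmatchcase(name, p) for p in allow)
                and not any(fnmatch.fnmatchcase(name, p) for p in deny))
    return [a for a in REQUIRED_ECR_ACTIONS if not granted(a)]

def repos_without_scan_on_push(response):
    """Names of repositories with scanOnPush off, given the JSON shape of
    `aws ecr describe-repositories` (a missing config counts as off)."""
    return [r["repositoryName"] for r in response.get("repositories", [])
            if not r.get("imageScanningConfiguration", {}).get("scanOnPush")]

# Constructed sample inputs; replace with the live policy and CLI output.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ecr:DescribeImageScanFindings", "Resource": "*"},
]}
SAMPLE_REPOS = {"repositories": [
    {"repositoryName": "api", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "worker", "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "legacy"},  # created without a scanning configuration
]}

if __name__ == "__main__":
    print("missing IAM actions:", missing_ecr_actions(SAMPLE_POLICY))
    print("repos without Scan on Push:", repos_without_scan_on_push(SAMPLE_REPOS))
```

Note that the wildcard Allow in the sample covers DescribeImages but the explicit Deny still removes DescribeImageScanFindings, which is exactly the kind of quiet gap that leaves the Vulnerabilities page empty.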
GCP GCR (Google Cloud Provider, Google Container Registry)
To enable Vanta to fetch vulnerabilities surfaced by GCP Container Registry, enable both the Container Analysis API and Container Scanning API in GCP.
The Container Analysis API lets Vanta fetch container metadata. This API is free.
The Container Scanning API enables vulnerability scanning on each container. This may incur additional charges from GCP.
If you're already doing container vulnerability scanning in GCP, both should be enabled already. If not, Vanta recommends you start container scanning, but the decision is yours to make. You can learn more about container scanning here. When you're ready, follow the instructions below to enable them for each GCP project.
Setup Instructions:
You can enable these APIs via either the online console or the gcloud terminal command.
If you've set up GCP such that the Vanta scanner service account is in a separate project from your container repositories, make sure to enable these APIs in both the project containing your container repositories and the project containing the Vanta service account.
Via the online console: Go to the following links and follow the instructions:
Azure ACR (Azure Container Registry)
Vanta's Azure Container Scanning integration fetches data from Azure Defender for Container Registries. Azure Defender for Container Registries is a feature that automatically scans containers uploaded to Azure Container Registry for vulnerabilities.
If you already use Azure Defender for Container Registries, you don't need to take any action - you should already see vulnerabilities from ACR repositories reflected on Vanta's Vulnerabilities page.
However, if you'd like to start using container scanning, follow these instructions:
Select the subscription you'd like to enable container scanning for.
Under "Container registries", toggle the switch to on. Scroll up and click Save.
Within an hour of enabling, ACR repositories and vulnerabilities should start being displayed on Vanta's Vulnerabilities page.
Snyk
To link your Snyk account, please visit the Connections Page and follow the directions there.
Viewing Linked Containers and Vulnerabilities
Once you've linked AWS and/or GCP, you'll see new tabs for Container Repositories on the Vulnerabilities page.
Viewing vulnerabilities
Vanta will fetch the vulnerabilities from the latest container image uploaded to each container repository. You may click on a repository from the Vulnerabilities page to view more details about the vulnerabilities and Vanta-assigned SLA deadlines.
Scope
If a container repository is irrelevant, you may mark it out of scope using the scoping option from the Integrations page. This will also mark any vulnerabilities on that container repository as out of scope.
Alerts
You will receive an email notification regarding any new vulnerabilities or upcoming SLA deadlines.
Remediation tracking/audit evidence
Vulnerability remediation and SLA information are tracked in the history display for this task; this is where you may view if the task was ever in a failing state: