Vanta can fetch container vulnerabilities from supported container scanning tools. For supported tools, Vanta will:

  • Display container vulnerabilities on Vanta's Vulnerabilities page
  • Track SLA deadlines on vulnerabilities, and surface remediation status for use in audits
  • Alert customers when new vulnerabilities are found or vulnerabilities are close to SLA

The currently supported container scanning registries + scanners are:

General Vulnerability Scanners:

AWS ECR (Amazon Web Services, Elastic Container Registry)

  • To enable Vanta to fetch vulnerabilities surfaced by scans of your ECR container images, add the ecr:DescribeImageScanFindings, ecr:DescribeImages, and ecr:ListTagsForResource permissions to the existing Vanta policy. This lets Vanta access the relevant information in ECR.
  • Additionally, turn on Scan on Push for each ECR repository.

Setup Instructions:
  1. For each AWS account, navigate to the IAM Policies page in the AWS console.
  2. Search for the VantaAdditionalPermissions IAM policy you created during AWS credential linking.
  3. Click on Edit policy and click on the "JSON" tab.
  4. Paste the following policy into the editor (fully replacing the existing policy).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
  5. Click Review policy and Save changes.
  6. Double-check that the vanta-auditor IAM role has the VantaAdditionalPermissions policy attached on the IAM Roles page.
  7. For each ECR repository, ensure you've enabled vulnerability scanning by choosing the "Scan on push" option. You can do this in the portal by following the instructions from AWS here, or through the CLI.
Within an hour of doing these, you should see ECR repositories + vulnerabilities populated on the Vulnerabilities page!
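A pre-flight check for the ECR steps above, added here as an example and not Vanta's own code: it reads an IAM policy document and the JSON that aws ecr describe-repositories prints (both supplied below as constructed samples, not real account data) and reports the required ECR actions the policy does not grant, plus the repositories where Scan on push is still off.

```python
"""Pre-flight check for the Vanta ECR integration (added example, not Vanta's code).

Reports required ECR actions missing from an IAM policy and ECR repositories
that do not have scanOnPush enabled. All inputs are constructed samples.
"""
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = {"ecr:DescribeImageScanFindings", "ecr:DescribeImages",
                    "ecr:ListTagsForResource"}

# Constructed sample: the policy was edited but one required ECR action was left out.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:DescribeImageScanFindings", "ecr:DescribeImages"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["rds:DownloadDBLogFilePortion"], "Resource": "*"},
]}

# Constructed sample in the shape of `aws ecr describe-repositories` output.
SAMPLE_REPOS = {"repositories": [
    {"repositoryName": "web-frontend", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "legacy-api", "imageScanningConfiguration": {"scanOnPush": False}},
]}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action names match case-insensitively and may contain wildcards such as ecr:*."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_ecr_actions(policy):
    """Required actions not granted, or explicitly denied, by statements on Resource "*"."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # only resource-wide statements count, as in the Vanta policy above
        (allowed if stmt.get("Effect") == "Allow" else denied).extend(_as_list(stmt.get("Action", [])))
    return {a for a in REQUIRED_ACTIONS if not _matches(a, allowed) or _matches(a, denied)}


def repos_without_scan_on_push(describe_output):
    """Names of repositories whose imageScanningConfiguration.scanOnPush is not true."""
    return sorted(r["repositoryName"] for r in describe_output.get("repositories", [])
                  if not r.get("imageScanningConfiguration", {}).get("scanOnPush", False))
```

Run it against the real policy document and the real describe-repositories output for each account; an empty result from both functions means the two ECR prerequisites above are in place.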
GCP GCR (Google Cloud Platform, Google Container Registry)

To enable Vanta to fetch vulnerabilities surfaced by GCP Container Registry, enable both the Container Analysis API and Container Scanning API in GCP.
  • The Container Analysis API lets Vanta fetch container metadata. This API is free.
  • The Container Scanning API enables vulnerability scanning on each container. This may incur additional charges from GCP.
 
If you're already doing container vulnerability scanning in GCP, both APIs should already be enabled. If not, Vanta recommends starting container scanning, but the decision is yours. You can learn more about container scanning here. When you're ready, follow the instructions below to enable the APIs for each GCP project.
 
Setup Instructions:
 
  • You can enable these APIs via either the online console or the gcloud terminal command.
  • If you've set up GCP such that the Vanta scanner service account is in a separate project from your container repositories, make sure to enable these APIs in both the project containing your container repositories and the project containing the Vanta service account. 
 
Via the online console: Go to the following links and follow the instructions:
  1. Container analysis: https://console.cloud.google.com/flows/enableapi?apiid=containeranalysis.googleapis.com
  2. Container scanning: https://console.cloud.google.com/flows/enableapi?apiid=containerscanning.googleapis.com
Via gcloud: Enter the following commands in your terminal:
gcloud services enable containerscanning.googleapis.com
gcloud services enable containeranalysis.googleapis.com

Please note that enabling the Container Scanning API will incur additional charges from GCP.
 
For additional information on GCP container analysis, please refer to: https://cloud.google.com/container-analysis/docs/container-analysis
 

Azure Defender

  • Vanta's Azure Container Scanning integration fetches data from Azure Defender for Container Registries. Azure Defender for Container Registries is a feature that automatically scans containers uploaded to Azure Container Registry for vulnerabilities.
 
If you already use Azure Defender for Container Registries, you don't need to take any action - you should already see vulnerabilities from ACR repositories reflected on Vanta's Vulnerabilities page.
 
However, if you'd like to start using container scanning, follow these instructions:
  1. Visit the Pricing and Settings page of the Azure Security Center.
  2. Select the subscription you'd like to enable container scanning for.
  3. Under "Container registries", toggle the switch to on. Scroll up and click save.
 
Within an hour of enabling, ACR repositories and vulnerabilities should start being displayed on Vanta's Vulnerabilities page.
 

Snyk

  • To link your Snyk account, please visit the Connections Page and follow the directions there.


Viewing Linked Containers and Vulnerabilities

  • Once you've linked AWS and/or GCP, you'll see new tabs for Container Repositories on the Vulnerabilities page.

Viewing vulnerabilities 

  • Vanta will fetch the vulnerabilities from the latest container image uploaded to each container repository. From the Vulnerabilities page, you may click on a repository to view more details about the vulnerabilities and Vanta-assigned SLA deadlines.

Scope 

  • If a container repository is irrelevant, you may mark it out of scope using the scoping option from the Integrations page. This will also mark any vulnerabilities on that container repository as out of scope.


Alerts

  • You will receive an email notification regarding any new vulnerabilities or upcoming SLA deadlines.

Remediation tracking / audit evidence

  • Vulnerability remediation and SLA information is tracked in the history display for this task. This is where you can see whether the task was ever in a failing state.
