Vanta can fetch container vulnerabilities from supported container scanning tools. For supported tools, Vanta will:
- Display container vulnerabilities on Vanta's Vulnerabilities page
- Track SLA deadlines on vulnerabilities and surface remediation status for use in audits
- Alert customers when new vulnerabilities are found or vulnerabilities are close to SLA
The currently supported container scanning registries + scanners are:
General Vulnerability Scanners:
AWS Inspector (for EC2 & ECR) and ECR Scanning
- The permissions Vanta uses to obtain the scan details already exist in the AWS managed SecurityAudit policy that is attached to the role used for the integration.
- If Inspector EC2 scans are not showing in Vanta, please see the following article - Troubleshooting Missing EC2 Instance Inspector Scans
- Vanta will pull in ECR scans that are available in Inspector or on the container itself directly. If you see these scans in AWS but they aren't showing in Vanta, please reach out to support@vanta.com!
GCP GCR (Google Cloud Platform, Google Container Registry)
To enable Vanta to fetch vulnerabilities surfaced by GCP Container Registry, enable both the Container Analysis API and Container Scanning API in GCP.
- The Container Analysis API lets Vanta fetch container metadata. This API is free.
- The Container Scanning API enables vulnerability scanning on each container. This may incur additional charges from GCP.
If you're already doing container vulnerability scanning in GCP, both should be enabled already. If not, Vanta recommends you start container scanning, but the decision is yours. You can learn more about container scanning here. When you're ready, follow the instructions below to enable both APIs for each GCP project.
Setup Instructions:
- You can enable these APIs via either the online console or the gcloud terminal command.
- If you've set up GCP such that the Vanta scanner service account is in a separate project from your container repositories, make sure to enable these APIs in both the project containing your container repositories and the project containing the Vanta service account.
Via the online console: Go to the following links and follow the instructions:
- Container analysis: https://console.cloud.google.com/flows/enableapi?apiid=containeranalysis.googleapis.com
- Container scanning: https://console.cloud.google.com/flows/enableapi?apiid=containerscanning.googleapis.com
Via gcloud: Enter the following commands in your terminal:
gcloud services enable containerscanning.googleapis.com
gcloud services enable containeranalysis.googleapis.com
Please note that enabling the Container Scanning API will incur additional charges from GCP.
For additional information on GCP container analysis, please refer to: https://cloud.google.com/container-analysis/docs/container-analysis
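As an added example (not from Vanta's documentation or tooling), the following script applies the gcloud steps above to every project you pass it, so the project holding your container repositories and the project holding the Vanta service account can be handled in one run; it checks what is already enabled first, so re-running it is harmless. Project IDs are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example: enable the two APIs Vanta needs for GCR scanning in each project.
# Assumes gcloud is installed and authenticated; project IDs are passed as arguments.
set -eu

# The APIs the page says Vanta requires (Container Scanning is the one that incurs charges).
VANTA_APIS="containeranalysis.googleapis.com containerscanning.googleapis.com"

# Print the APIs from VANTA_APIS that are absent from an "enabled" list (one name per line).
missing_apis() {
  enabled_list="$1"
  for api in $VANTA_APIS; do
    printf '%s\n' "$enabled_list" | grep -qx "$api" || printf '%s\n' "$api"
  done
}

# Enable whatever is still missing in one project; already-enabled APIs are left alone.
ensure_apis() {
  project="$1"
  enabled=$(gcloud services list --enabled --project "$project" --format='value(config.name)')
  for api in $(missing_apis "$enabled"); do
    echo "enabling $api in project $project"
    gcloud services enable "$api" --project "$project"
  done
}

# usage: ./enable_vanta_scanning.sh REPO_PROJECT_ID VANTA_SA_PROJECT_ID
for p in "$@"; do
  ensure_apis "$p"
done
```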
Microsoft Defender for Containers
- Vanta's Microsoft Defender for Cloud Scanning integration fetches data from Microsoft Defender Vulnerability Management. Microsoft Defender Vulnerability Management is a feature that automatically scans containers uploaded to Azure Container Registry for vulnerabilities.
If you already use Defender for Cloud, you don't need to take any action - you should already see vulnerabilities from ACR repositories reflected on Vanta's Vulnerabilities page. Otherwise, enable Defender for Containers:
- From Defender for Cloud's menu, open the Settings page and select the relevant subscription.
- In the Defender plans page, select Defender for Containers and select Settings.
- Turn the relevant component on to enable it.
Within an hour of enabling, ACR repositories and vulnerabilities should start being displayed on Vanta's Vulnerabilities page.
GitHub Dependabot
- Vanta requests permission to read Dependabot alerts when connecting the GitHub integration by default.
To confirm Dependabot is enabled for vulnerability scanning in your monitored repositories, see GitHub's Dependabot Quick Start Guide.
Snyk
Viewing vulnerabilities
- Vanta will fetch the vulnerabilities from the latest container image uploaded to each container repository. You may click on a repository from the Vulnerabilities page to view more details about the vulnerabilities and Vanta-assigned SLA deadlines.
Scope
- If a container repository is irrelevant, you may mark it out of scope using the scoping option from the Integrations page. This will also mark any vulnerabilities on that container repository as out of scope.
Alerts
- You will receive an email notification regarding any new vulnerabilities or upcoming SLA deadlines.
Remediation tracking/audit evidence
- Vulnerability remediation and SLA information are tracked in the history tab, including SLA misses and on-time remediations.