Vanta will pull in ECR scans available in Inspector or on the container itself directly. If you see these scans in AWS but they aren't showing in Vanta, please contact support@vanta.com!
GCP GCR (Google Cloud Platform, Google Container Registry)
Enabling both the Container Analysis API and Container Scanning API in GCP will enable Vanta to fetch vulnerabilities surfaced by the GCP Container Registry.
The Container Analysis API lets Vanta fetch container metadata. This API is free.
The Container Scanning API enables vulnerability scanning on each container. This may incur additional charges from GCP.
If you're already doing container vulnerability scanning in GCP, both APIs should be enabled already. If not, Vanta recommends that you start container scanning, but the decision is yours, since the Container Scanning API may incur charges. You can learn more about container scanning here. When you're ready, follow the instructions below to enable the APIs for each GCP project.
Setup Instructions:
You can enable these APIs via either the online console or the gcloud terminal command.
If you've set up GCP such that the Vanta scanner service account is in a separate project from your container repositories, make sure to enable these APIs in both the project containing your container repositories and the project containing the Vanta service account.
Via the online console: Go to the following links and follow the instructions:
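Via the gcloud command line: the script below is an added example, not Vanta's own tooling. It enables both APIs in each project you name, so the project holding your container repositories and the project holding the Vanta scanner service account are both covered, and it checks which of the two APIs is still disabled afterwards. It assumes gcloud is installed and authenticated; the project ids in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not Vanta's own code): enable the GCP APIs Vanta needs for
# container scanning in every project involved. Assumes gcloud is installed
# and authenticated. Project ids used below are placeholders.
set -e

# Service names of the two APIs described above.
CONTAINER_ANALYSIS_API="containeranalysis.googleapis.com"   # metadata, free
CONTAINER_SCANNING_API="containerscanning.googleapis.com"   # scanning, billable

# GCLOUD may be overridden (e.g. GCLOUD=echo) to preview the commands.
GCLOUD="${GCLOUD:-gcloud}"

# Enable both APIs in a single project.
enable_scan_apis() {
  project="$1"
  "$GCLOUD" services enable \
    "$CONTAINER_ANALYSIS_API" "$CONTAINER_SCANNING_API" \
    --project="$project"
}

# Enable the APIs in every project given as an argument, so the repository
# project and the Vanta service-account project are both handled when they
# differ (the case called out above).
enable_scan_apis_everywhere() {
  for p in "$@"; do
    enable_scan_apis "$p"
  done
}

# Print the names of the two APIs that are still disabled in a project, one
# per line; empty output means both are enabled. Run this after enabling.
missing_scan_apis() {
  project="$1"
  enabled="$("$GCLOUD" services list --enabled --project="$project" \
    --format='value(config.name)')"
  for api in "$CONTAINER_ANALYSIS_API" "$CONTAINER_SCANNING_API"; do
    case "$enabled" in
      *"$api"*) ;;
      *) echo "$api" ;;
    esac
  done
}

# Example invocation with placeholder project ids:
# enable_scan_apis_everywhere my-repo-project my-vanta-project
# missing_scan_apis my-repo-project
```

Run missing_scan_apis against each project once more after enabling; it should print nothing for both.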
Vanta's Microsoft Defender for Cloud Scanning integration fetches data from Microsoft Defender Vulnerability Management. Microsoft Defender Vulnerability Management is a feature that automatically scans containers uploaded to Azure Container Registry for vulnerabilities.
If you already use Defender for Cloud, you don't need to take any action - you should already see vulnerabilities from ACR repositories reflected on Vanta's Vulnerabilities page.
From Defender for Cloud's menu, open the Settings page and select the relevant subscription.
In the Defender plans page, select Defender for Containers and select Settings.
Turn the relevant component on to enable it.
Within an hour of enabling, ACR repositories and vulnerabilities should start being displayed on Vanta's Vulnerabilities page.
GitHub Dependabot
Vanta requests permission to read Dependabot alerts when connecting the GitHub integration by default. To confirm Dependabot is enabled for vulnerability scanning in your monitored repositories, see GitHub's Dependabot Quick Start Guide.
Vanta will fetch the vulnerabilities from the latest container image uploaded to each container repository. From the Vulnerabilities page, you may click on a repository to view more details about the vulnerabilities and Vanta-assigned SLA deadlines.
Scope
If a container repository is irrelevant, you may mark it out of scope using the scoping option from the Integrations page. This will also mark any vulnerabilities on that container repository as out of scope.
Alerts
You will receive an email notification regarding any new vulnerabilities or upcoming SLA deadlines.
Remediation tracking/audit evidence
Vulnerability remediation and SLA information are tracked in the history tab, including SLA misses and on-time remediations.