Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches
No violationsstackroxmediumbuildImages should be scanned frequently for any vulnerabilities. You should rebuild all images to include these patches and then instantiate new containers from them.
- Rationale
- Vulnerabilities are loopholes or bugs that can be exploited by hackers or malicious users, and security patches are updates to resolve these vulnerabilities. Image vulnerability scanning tools can be use to find vulnerabilities in images and then check for available patches to mitigate these. Patches update the system to a more recent code base which does not contain these problems, and being on a supported version of the code base is very important, as vendors do not tend to supply patches for older versions which have gone out of support. Security patches should be evaluated before applying and patching should be implemented in line with the organization's IT Security Policy. Care should be taken with the results returned by vulnerability assessment tools, as some will simply return results based on software banners, and these may not be entirely accurate.
- Remediation
- Images should be re-built ensuring that the latest version of the base images are used, to keep the operating system patch level at an appropriate level. Once the images have been re-built, containers should be re-started making use of the updated images.
CategoriesDocker CIS
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2Art. 9.4(c)
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2SI-2
- PCI DSS 4.0
- 2.2.16.3.3
Generated artifacts
1 of 5 targets supporteddocker-cis-4-4-ensure-images-are-scanned-and-rebuilt-to-include.rego
# Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches (trivy)
# severity: medium
# source: stackrox/08a06f5c-eed0-4fb8-a09e-16cc975e7beb
package trivy.docker_cis_4_4_ensure_images_are_scanned_and_rebuilt_to_include
deny[msg] {
# rule 1
some v
v := input.Vulnerabilities[_]
v.FixedVersion != ""
msg := "[medium] Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches: Images should be scanned frequently for any vulnerabilities. You should rebuild all images to include these patches and then instantiate new containers from them."
}
IR (canonical)
{
"id": "08a06f5c-eed0-4fb8-a09e-16cc975e7beb",
"name": "Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches",
"description": "Images should be scanned frequently for any vulnerabilities. You should rebuild all images to include these patches and then instantiate new containers from them.",
"rationale": "Vulnerabilities are loopholes or bugs that can be exploited by hackers or malicious users, and security patches are updates to resolve these vulnerabilities. Image vulnerability scanning tools can be use to find vulnerabilities in images and then check for available patches to mitigate these. Patches update the system to a more recent code base which does not contain these problems, and being on a supported version of the code base is very important, as vendors do not tend to supply patches for older versions which have gone out of support. Security patches should be evaluated before applying and patching should be implemented in line with the organization's IT Security Policy. Care should be taken with the results returned by vulnerability assessment tools, as some will simply return results based on software banners, and these may not be entirely accurate.",
"remediation": "Images should be re-built ensuring that the latest version of the base images are used, to keep the operating system patch level at an appropriate level. Once the images have been re-built, containers should be re-started making use of the updated images.",
"severity": "medium",
"categories": [
"Docker CIS"
],
"lifecycle": [
"build"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "fixed-by",
"values": [
".*"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "08a06f5c-eed0-4fb8-a09e-16cc975e7beb",
"name": "Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches",
"description": "Images should be scanned frequently for any vulnerabilities. You should rebuild all images to include these patches and then instantiate new containers from them.",
"rationale": "Vulnerabilities are loopholes or bugs that can be exploited by hackers or malicious users, and security patches are updates to resolve these vulnerabilities. Image vulnerability scanning tools can be use to find vulnerabilities in images and then check for available patches to mitigate these. Patches update the system to a more recent code base which does not contain these problems, and being on a supported version of the code base is very important, as vendors do not tend to supply patches for older versions which have gone out of support. Security patches should be evaluated before applying and patching should be implemented in line with the organization's IT Security Policy. Care should be taken with the results returned by vulnerability assessment tools, as some will simply return results based on software banners, and these may not be entirely accurate.",
"remediation": "Images should be re-built ensuring that the latest version of the base images are used, to keep the operating system patch level at an appropriate level. Once the images have been re-built, containers should be re-started making use of the updated images.",
"disabled": true,
"categories": [
"Docker CIS"
],
"lifecycleStages": [
"BUILD"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Fixed By",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": ".*"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}