Images with no scans
No violationsstackroxmediumdeployAlert on deployments with images that have not been scanned
- Rationale
- Without a scan, there will be no vulnerability information for this image
- Remediation
- Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.
CategoriesSupply Chain SecurityVulnerability Management
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 28.1Art. 9.4(c)
- ISO/IEC 27001 2022
- A.8.25A.8.8
- NIST SP 800-53 rev. 5
- RA-5SR-4
- PCI DSS 4.0
- 11.3.16.3.16.4.3
- SOC 2 2017 TSC
- CC6.8CC7.1
Generated artifacts
2 of 5 targets supportedimages-with-no-scans.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: images-with-no-scans
annotations:
policies.kyverno.io/title: Images with no scans
policies.kyverno.io/category: Supply Chain Security, Vulnerability Management
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Alert on deployments with images that have not been scanned
policies.kyverno.io/remediation: Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.
policies.kyverno.io/rationale: Without a scan, there will be no vulnerability information for this image
policies.io/source: stackrox
policies.io/source-id: 13b4eddc-2619-4953-b1ee-4c762144ca1e
spec:
validationFailureAction: Audit
background: true
rules:
- name: images-with-no-scans
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Images with no scans" violated: Alert on deployments with images that have not been scanned'
deny:
conditions:
all:
- key: "{{ images.containers.*.scanReport || `[]` }}"
operator: AnyIn
value:
- null
message: image has no scan report; integrate with a verifier
IR (canonical)
{
"id": "13b4eddc-2619-4953-b1ee-4c762144ca1e",
"name": "Images with no scans",
"description": "Alert on deployments with images that have not been scanned",
"rationale": "Without a scan, there will be no vulnerability information for this image",
"remediation": "Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.",
"severity": "medium",
"categories": [
"Supply Chain Security",
"Vulnerability Management"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "unscanned-image",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "13b4eddc-2619-4953-b1ee-4c762144ca1e",
"name": "Images with no scans",
"description": "Alert on deployments with images that have not been scanned",
"rationale": "Without a scan, there will be no vulnerability information for this image",
"remediation": "Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.",
"disabled": true,
"categories": [
"Supply Chain Security",
"Vulnerability Management"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Unscanned Image",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}