Back to catalog

Images with no scans

No violationsstackroxmediumdeploy

Alert on deployments with images that have not been scanned

Rationale
Without a scan, there will be no vulnerability information for this image
Remediation
Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.
CategoriesSupply Chain SecurityVulnerability Management
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 28.1Art. 9.4(c)
ISO/IEC 27001 2022
A.8.25A.8.8
NIST SP 800-53 rev. 5
RA-5SR-4
PCI DSS 4.0
11.3.16.3.16.4.3
SOC 2 2017 TSC
CC6.8CC7.1

Generated artifacts

2 of 5 targets supported
images-with-no-scans.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: images-with-no-scans
  annotations:
    policies.kyverno.io/title: Images with no scans
    policies.kyverno.io/category: Supply Chain Security, Vulnerability Management
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: Alert on deployments with images that have not been scanned
    policies.kyverno.io/remediation: Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.
    policies.kyverno.io/rationale: Without a scan, there will be no vulnerability information for this image
    policies.io/source: stackrox
    policies.io/source-id: 13b4eddc-2619-4953-b1ee-4c762144ca1e
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: images-with-no-scans
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Images with no scans" violated: Alert on deployments with images that have not been scanned'
        deny:
          conditions:
            all:
              - key: "{{ images.containers.*.scanReport || `[]` }}"
                operator: AnyIn
                value:
                  - null
                message: image has no scan report; integrate with a verifier
IR (canonical)
{
  "id": "13b4eddc-2619-4953-b1ee-4c762144ca1e",
  "name": "Images with no scans",
  "description": "Alert on deployments with images that have not been scanned",
  "rationale": "Without a scan, there will be no vulnerability information for this image",
  "remediation": "Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.",
  "severity": "medium",
  "categories": [
    "Supply Chain Security",
    "Vulnerability Management"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "unscanned-image",
    "values": [
      "true"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "13b4eddc-2619-4953-b1ee-4c762144ca1e",
  "name": "Images with no scans",
  "description": "Alert on deployments with images that have not been scanned",
  "rationale": "Without a scan, there will be no vulnerability information for this image",
  "remediation": "Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images.",
  "disabled": true,
  "categories": [
    "Supply Chain Security",
    "Vulnerability Management"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Unscanned Image",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}