90-Day Image Age
No violationsstackroxlowbuilddeployAlert on deployments with images that haven't been updated in 90 days
- Rationale
- Base images are updated frequently with bug fixes and vulnerability patches. Image age exceeding 90 days may indicate a higher risk of vulnerabilities existing in the image.
- Remediation
- Rebuild your image, push a new minor version (with a new immutable tag), and update your service to use it.
CategoriesDevOps Best PracticesSecurity Best PracticesSupply Chain Security
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 28.1Art. 9.2Art. 9.4(c)
- ISO/IEC 27001 2022
- A.8.25A.8.9
- NIST SP 800-53 rev. 5
- CM-2SI-2SR-4
- PCI DSS 4.0
- 2.2.16.3.36.4.3
- SOC 2 2017 TSC
- CC6.8CC8.1
Generated artifacts
1 of 5 targets supported90-day-image-age.rego
# 90-Day Image Age (trivy)
# severity: low
# source: stackrox/2db9a279-2aec-4618-a85d-7f1bdf4911b1
package trivy.90_day_image_age
deny[msg] {
# rule 1
# image age > 90 days
time.now_ns() - input.Created > 7776000 * 1000000000
msg := "[low] 90-Day Image Age: Alert on deployments with images that haven't been updated in 90 days"
}
IR (canonical)
{
"id": "2db9a279-2aec-4618-a85d-7f1bdf4911b1",
"name": "90-Day Image Age",
"description": "Alert on deployments with images that haven't been updated in 90 days",
"rationale": "Base images are updated frequently with bug fixes and vulnerability patches. Image age exceeding 90 days may indicate a higher risk of vulnerabilities existing in the image.",
"remediation": "Rebuild your image, push a new minor version (with a new immutable tag), and update your service to use it.",
"severity": "low",
"categories": [
"DevOps Best Practices",
"Security Best Practices",
"Supply Chain Security"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "image-age",
"values": [
"90"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "2db9a279-2aec-4618-a85d-7f1bdf4911b1",
"name": "90-Day Image Age",
"description": "Alert on deployments with images that haven't been updated in 90 days",
"rationale": "Base images are updated frequently with bug fixes and vulnerability patches. Image age exceeding 90 days may indicate a higher risk of vulnerabilities existing in the image.",
"remediation": "Rebuild your image, push a new minor version (with a new immutable tag), and update your service to use it.",
"disabled": false,
"categories": [
"DevOps Best Practices",
"Security Best Practices",
"Supply Chain Security"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Image Age",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "90"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}