Back to catalog

90-Day Image Age

No violationsstackroxlowbuilddeploy

Alert on deployments with images that haven't been updated in 90 days

Rationale
Base images are updated frequently with bug fixes and vulnerability patches. Image age exceeding 90 days may indicate a higher risk of vulnerabilities existing in the image.
Remediation
Rebuild your image, push a new minor version (with a new immutable tag), and update your service to use it.
CategoriesDevOps Best PracticesSecurity Best PracticesSupply Chain Security
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 28.1Art. 9.2Art. 9.4(c)
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2SI-2SR-4
PCI DSS 4.0
2.2.16.3.36.4.3
SOC 2 2017 TSC
CC6.8CC8.1

Generated artifacts

1 of 5 targets supported
90-day-image-age.rego
# 90-Day Image Age (trivy)
# severity: low
# source: stackrox/2db9a279-2aec-4618-a85d-7f1bdf4911b1
package trivy.90_day_image_age

deny[msg] {
  # rule 1
  # image age > 90 days
  time.now_ns() - input.Created > 7776000 * 1000000000
  msg := "[low] 90-Day Image Age: Alert on deployments with images that haven't been updated in 90 days"
}
IR (canonical)
{
  "id": "2db9a279-2aec-4618-a85d-7f1bdf4911b1",
  "name": "90-Day Image Age",
  "description": "Alert on deployments with images that haven't been updated in 90 days",
  "rationale": "Base images are updated frequently with bug fixes and vulnerability patches. Image age exceeding 90 days may indicate a higher risk of vulnerabilities existing in the image.",
  "remediation": "Rebuild your image, push a new minor version (with a new immutable tag), and update your service to use it.",
  "severity": "low",
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "image-age",
    "values": [
      "90"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "2db9a279-2aec-4618-a85d-7f1bdf4911b1",
  "name": "90-Day Image Age",
  "description": "Alert on deployments with images that haven't been updated in 90 days",
  "rationale": "Base images are updated frequently with bug fixes and vulnerability patches. Image age exceeding 90 days may indicate a higher risk of vulnerabilities existing in the image.",
  "remediation": "Rebuild your image, push a new minor version (with a new immutable tag), and update your service to use it.",
  "disabled": false,
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Image Age",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "90"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}