Administration Guide

Container Vulnerability Policies

Overview

Create container vulnerability policies to assess your container images at build time and/or runtime against your own requirements. A policy is a set of rules that defines the following:

  • The condition that triggers the policy, for example:
    • Any critical vulnerability with a fix available.
    • An image tagged latest.
    • A Dockerfile that uses sudo or sets USER root.
  • A severity: Info, Low, Medium, High, or Critical.
  • An action on failure for build-time evaluation: Allow or Block.
  • The status of the policy: Enabled or Disabled.

Each policy can be associated with one or more registry integrations configured in Lacework FortiCNAPP. This covers Proxy Scanner and Inline Scanner integrations; Kubernetes Admission Controller integrations are covered too, because the Proxy Scanner is deployed as part of them.

Lacework FortiCNAPP also provides a number of default policies that can be enabled or disabled depending on your requirements.

Vulnerability Policy Management

All container vulnerability policies are managed through the Policies page in the Lacework FortiCNAPP Console.

Default policies are read-only except for the Action on failure, Status, and Scope fields.

Tip: View container vulnerability policies by applying the Domain: Container filter on the Policies page.

Create a Policy

Follow these steps to create a container vulnerability policy:

  1. Click Policies.
  2. Create new policies by cloning existing ones. Locate and click the policy you want to base your policy on. Make sure its Type (CVE, Image, or Dockerfile) is the one you need, because the Type cannot be changed after cloning.
  3. In the policy window:
    • If the Clone policy icon is available, you can clone the policy.
    • If the Clone policy icon is not available, either the policy cannot be cloned or it has already been cloned the maximum number of times (4 clones).
  4. Once cloned, click the edit option for the title to provide the event name that is generated when the policy triggers. Click Save when complete.
  5. On the Summary tab, edit the Description field and change the Action on failure and Severity fields as desired. Click Save when complete.
  6. Click the Query tab in the policy drawer and fill in your parameters. The subsections in Container Vulnerability Policy Types provide the available parameters for each Type.
  7. Click Save after completing the parameters.
  8. The policy is enabled by default. If you want to disable the policy, toggle the Status.

Container Vulnerability Policy Types

Every container vulnerability policy has one of the Types below. The subsections detail the parameters available for each Type.

CVE

Define the disallowed package names or CVE IDs that cause a violation when found in an image. You can also set a threshold count of CVEs, optionally restricted by severity and fixability, above which a violation occurs.

Parameter: Package name
Data type & operators: String; includes any of
Description: The name of one or more software packages, such as vim. Multiple values are combined with "or", not "and".

Parameter: CVE ID
Data type & operators: String; includes any of
Description: One or more full CVE IDs, such as CVE-2019-01234, CVE-2019-5678. Multiple values are combined with "or", not "and".

Parameter: CVE count
Data type & operators: CVE count (integer); greater than. Severity (string); includes. Fixability (string); matches.
Description: The number of CVEs that must be found in an image before the policy triggers. "Greater than" is strict, so a threshold of 0 triggers on the first matching CVE. Narrow the criteria by severity (Critical, High, Medium, Low, Info) and by fixability (All, Fixable).

Image

Define the allowed image tags or labels for your container registries. The filter (parameter, operator, and values) describes what is allowed; an image whose tag or label does not satisfy the filter causes a violation. For example, Image Tag does not include latest allows only tags without latest, so an image tagged latest fails.

Parameter: Image Tag
Data type & operators: String; does not include
Description: One or more image tags. A typical tag could look like DATE_BRANCH_RANDOM_ID, such as 2019-10-10_master_db0dd95. Multiple values are combined with "or", not "and".

Parameter: Image Label
Data type & operators: String; includes any of
Description: One or more image labels, such as author, maintainer, or buildID. Multiple values are combined with "or", not "and".
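The following Python script is an added example, not part of this guide and not FortiCNAPP code. It emulates the CVE and Image rule semantics described above against a constructed scan result, so that a build pipeline can run the same checks before an image is pushed to a registry. The Finding and ImageScan classes, the rule function names, the sample findings (placeholder CVE IDs in the style of the page's own examples) and the thresholds are all assumptions; the product's own evaluator may differ.

```python
"""Added example (not FortiCNAPP code): CVE and Image policy-type semantics
applied to a constructed scan result. Class names, rule names and sample data
are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Finding:
    cve_id: str
    package: str
    severity: str                     # Critical, High, Medium, Low, Info
    fix_version: Optional[str] = None  # None means no fix is available

    @property
    def fixable(self) -> bool:
        return self.fix_version is not None


@dataclass
class ImageScan:
    tag: str
    labels: dict
    findings: list = field(default_factory=list)


def includes_any_of(values, haystack):
    """'includes any of' semantics: listed values are OR-ed, never AND-ed."""
    return [v for v in values if v in haystack]


# --- CVE policy type: a match is the violation ---------------------------

def package_name_includes_any_of(scan, names):
    hits = includes_any_of(names, {f.package for f in scan.findings})
    return bool(hits), f"disallowed packages present: {hits}"


def cve_id_includes_any_of(scan, ids):
    hits = includes_any_of(ids, {f.cve_id for f in scan.findings})
    return bool(hits), f"disallowed CVEs present: {hits}"


def cve_count_greater_than(scan, threshold, severities, fixability="All"):
    """'Greater than' is strict: threshold 0 triggers on the first matching CVE."""
    matched = [f.cve_id for f in scan.findings
               if f.severity in severities and (fixability == "All" or f.fixable)]
    return len(matched) > threshold, f"{len(matched)} matching CVEs: {matched}"


# --- Image policy type: the filter describes what is ALLOWED; not satisfying
# it is the violation -------------------------------------------------------

def image_tag_does_not_include(scan, values):
    hits = [v for v in values if v in scan.tag]
    return bool(hits), f"tag {scan.tag!r} contains {hits}"


def image_label_includes_any_of(scan, names):
    present = includes_any_of(names, scan.labels)   # dict membership = label keys
    return not present, f"none of {list(names)} present; labels: {sorted(scan.labels)}"


# Constructed sample input; CVE IDs are placeholders, not real findings.
SAMPLE = ImageScan(
    tag="latest",
    labels={"org.opencontainers.image.version": "1.2.3"},
    findings=[
        Finding("CVE-2020-1234", "openssl", "Critical", fix_version="1.1.1k"),
        Finding("CVE-2020-2345", "curl", "High"),          # no fix available
        Finding("CVE-2020-3456", "vim", "Critical"),       # no fix available
    ],
)


def evaluate(scan):
    """Return {policy name: violated} for rules modelled on the default policies."""
    rules = {
        "Disallowed packages": package_name_includes_any_of(scan, ["vim", "netcat"]),
        "Disallowed CVEs": cve_id_includes_any_of(scan, ["CVE-2020-9999"]),
        "Critical, fixable CVEs": cve_count_greater_than(scan, 0, {"Critical"}, "Fixable"),
        "Critical CVEs": cve_count_greater_than(scan, 0, {"Critical"}),
        # strict '>' : three High-or-Critical findings do NOT exceed 3
        "More than 3 High or Critical CVEs": cve_count_greater_than(scan, 3, {"Critical", "High"}),
        "Image with a 'latest' tag": image_tag_does_not_include(scan, ["latest"]),
        "Missing required image labels": image_label_includes_any_of(
            scan, ["author", "maintainer", "buildID"]),
    }
    return {name: violated for name, (violated, _reason) in rules.items()}


if __name__ == "__main__":
    for name, violated in evaluate(SAMPLE).items():
        print(f"{'FAIL' if violated else 'PASS'}  {name}")
```

Note that the Image rules invert the reading of the CVE rules: for CVE rules a match is the violation, while for Image rules the filter states what is allowed and an image that does not satisfy it fails. Keeping both readings explicit in code avoids writing a custom Image policy backwards.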

Dockerfile

Define commands (or any other string) that cause a violation when found in, or missing from, a Dockerfile.

Parameter: Dockerfile
Data type & operators: String; includes, does not include
Description: Checks for specific strings in your Dockerfile, such as sudo or USER root. Multiple values are combined with "or", not "and".

Edit a Policy

To edit a policy, click a policy in the Policies page and then click the edit option.

Delete a Policy

To delete a policy, click it in the Policies page and then click the delete option.

Disable/Enable a Policy

On the Policies page, find the policy and click the Status toggle to disable or enable the policy.

Associate Policies with a Registry Integration

For each registry integration, an optional setting can be used to enable container vulnerability policies (also known as CI/CD policies).

  1. The first step depends on whether this is a new or existing integration:

    1. For new integrations, follow the steps to Create a Proxy Scanner Integration in Lacework FortiCNAPP until you reach the Optional Settings page.
    2. For existing integrations, go to Settings > Integrations > Container Registries in the Lacework FortiCNAPP Console. Select the registry by clicking the checkbox on the left-hand column and click the Edit icon. Proceed to the Optional Settings page.
  2. Click Select policies (optional) underneath CI / CD Policies to view a table of all container vulnerability policies.

  3. Select individual policies by clicking the checkbox on the left-hand column. If you want to enable all policies, click the checkbox for the entire column.

    Select which columns are displayed by using the Select columns option.

  4. Click Add to integration once you have selected your policies.

    The policies are listed on the Optional Settings page. When you return to this page later, click the edit icon to add or remove policies.

  5. Finish configuring any other optional settings and click Save.

Dissociate policies from a registry integration at any time by repeating this procedure and clearing the policies' checkboxes in step 3.

Associate Registry Integrations with a Policy

Associate registries with a container vulnerability policy on the Policies page in the Lacework FortiCNAPP Console.

  1. On the Policies page, click the policy that you want to associate a registry (or registries) with.

    Tip: Use the Domain: Container filter to display only container vulnerability policies.

  2. To add registry integrations to the policy, click the edit option in the Scope field (Summary tab).

  3. To select individual registries, select the checkbox in the left-hand column. If you want to enable all registries for this policy, select the checkbox for the entire column.

    Select which columns are displayed by using the Select columns option.

  4. Click Add to policy once you have selected your registries.

    The registry integrations are then displayed in the Scope field.

Dissociate registry integrations from a policy at any time by repeating this procedure and clearing the registries' checkboxes in step 3.

Action on Failure

Define what action is taken when a policy failure occurs.

  1. On the Policies page in the Lacework FortiCNAPP Console, filter or search for your specific policy.

  2. Click a policy in the policy list to view the drawer.

  3. In the Summary tab, select the option you prefer for Action on failure:

    Allow: Container image deployment continues even when the policy fails.

    Block: Container image deployment is blocked when the policy fails.

The change applies to new container deployments only, where the policy is associated with the registry integration or the integration is in the policy's Scope. Policy changes are fully active on the registry integration (Inline Scanner, Proxy Scanner, or Admission Controller with Proxy Scanner) within 5 minutes.

Policy Changes

Any changes to policies will be fully propagated to the container registry integration within 5 minutes.

Policy Evaluation Results

View evaluation results for container vulnerability policies on the Vulnerabilities > Containers page.

Click on an image name in the vulnerabilities list and click the Policies tab to display the evaluation results.

Two charts display the number of failed vs. passing policies and the number of policies by severity.

The table shows the following columns:

Policy: The description of the policy. If the policy failed, click it for details including:
  • Resource: the resource related to the policy failure.
  • Reason: the reason the policy failed.
Severity: The severity level of the policy: Info, Low, Medium, High, or Critical.
Status: Whether the image evaluation passed or failed for this policy.

Using Helm

Helm reports when a deployment to a Kubernetes cluster succeeds. If the deployment is blocked because of a policy violation, check the Admission Controller logs for the failure details.

Default Policies

Default policies are read-only except for the Action on failure, Status, and Scope fields.

The following default policies are provided for container vulnerability and are enabled by default. Each entry gives the policy ID, the event generated by the policy, and its rule:

LW_CONTAINER_POLICY_1 (Disallowed packages): Package name includes any of package1, package2.
  Note: This is a dummy policy for demonstration purposes only.
LW_CONTAINER_POLICY_2 (Disallowed CVEs): CVE ID includes any of CVE-2020-1234.
  Note: This is a dummy policy for demonstration purposes only.
LW_CONTAINER_POLICY_3 (Critical, fixable CVEs): Critical and fixable CVE count greater than 0.
  Note: This is a dummy policy for demonstration purposes only.
LW_CONTAINER_POLICY_4 (Critical CVEs): Critical CVE count greater than 0.
  Note: This is a dummy policy for demonstration purposes only.
LW_CONTAINER_POLICY_5 (Image with a 'latest' tag): Image Tag does not include latest.
LW_CONTAINER_POLICY_6 (Missing required image labels): Image Label includes any of author, maintainer, buildID.
LW_CONTAINER_POLICY_7 (ENTRYPOINT defined with root privilege): Dockerfile includes ENTRYPOINT ["sudo"*
LW_CONTAINER_POLICY_8 (apt-get upgrade, apk upgrade, or dist-upgrade commands): Dockerfile includes apt-get upgrade, apk upgrade, dist-upgrade.
LW_CONTAINER_POLICY_9 ('apk add' is not used with --no-cache in Dockerfile): Dockerfile includes apk *--no-cache
  Note: This policy has been removed due to incorrect behavior.
LW_CONTAINER_POLICY_10 (apt-get caches are not cleared in Dockerfile): Dockerfile does not include apt-get clean.
LW_CONTAINER_POLICY_11 (USER is not defined in Dockerfile): Dockerfile does not include USER.
LW_CONTAINER_POLICY_12 (USER is defined as root): Dockerfile includes USER root.
LW_CONTAINER_POLICY_13 (sudo command used in Dockerfile): Dockerfile includes sudo.
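The following Python script is an added example, not FortiCNAPP code. It encodes the Dockerfile default policies from the table above as plain string checks (the Dockerfile policy type is a string match), runs them against a constructed weak Dockerfile and a hardened rewrite, and maps the result to a build-time exit code in the spirit of the Action on failure setting and the Inline Scanner exit codes. Assumptions: the trailing * in LW_CONTAINER_POLICY_7 is read as a prefix match on ENTRYPOINT ["sudo", the removed LW_CONTAINER_POLICY_9 is omitted, the set of rules treated as Block is arbitrary, a multi-value "does not include" is read as "none of the values occurs", and all three sample Dockerfiles are constructed. The third sample shows why string checks need care: it runs as uid 0 yet passes the USER root check, while a comment that mentions sudo and the absence of apt-get clean on an Alpine image trip two other rules.

```python
"""Added example (not FortiCNAPP code): the Dockerfile default policies as
substring checks, with a Block/Allow gate. Rule encoding and samples are
assumptions made for illustration."""

# (policy id, event generated, operator, values). Multiple values are OR-ed.
# LW_CONTAINER_POLICY_9 is omitted because the guide marks it as removed.
DOCKERFILE_DEFAULTS = [
    ("LW_CONTAINER_POLICY_7", "ENTRYPOINT defined with root privilege",
     "includes", ['ENTRYPOINT ["sudo"']),      # assumption: '*' read as prefix match
    ("LW_CONTAINER_POLICY_8", "apt-get upgrade, apk upgrade, or dist-upgrade commands",
     "includes", ["apt-get upgrade", "apk upgrade", "dist-upgrade"]),
    ("LW_CONTAINER_POLICY_10", "apt-get caches are not cleared in Dockerfile",
     "does not include", ["apt-get clean"]),
    ("LW_CONTAINER_POLICY_11", "USER is not defined in Dockerfile",
     "does not include", ["USER"]),
    ("LW_CONTAINER_POLICY_12", "USER is defined as root",
     "includes", ["USER root"]),
    ("LW_CONTAINER_POLICY_13", "sudo command used in Dockerfile",
     "includes", ["sudo"]),
]


def dockerfile_violations(dockerfile, rules=DOCKERFILE_DEFAULTS):
    """Return the IDs of the rules the Dockerfile text violates.
    'includes'         -> violation when ANY listed value occurs in the text.
    'does not include' -> violation when NONE of the listed values occurs
                          (the defaults use one value each; the multi-value
                          reading is this example's assumption)."""
    violated = []
    for policy_id, _event, operator, values in rules:
        found = any(v in dockerfile for v in values)
        if (operator == "includes" and found) or \
           (operator == "does not include" and not found):
            violated.append(policy_id)
    return violated


# Assumption: which rules are set to Block is a per-deployment choice.
BLOCKING = frozenset({"LW_CONTAINER_POLICY_7", "LW_CONTAINER_POLICY_12",
                      "LW_CONTAINER_POLICY_13"})


def gate(dockerfile, block_on=BLOCKING):
    """Build-time Action on failure: non-zero exit only for rules set to Block;
    rules left on Allow are reported but do not fail the build."""
    violated = dockerfile_violations(dockerfile)
    blocking = [p for p in violated if p in block_on]
    return (1 if blocking else 0), violated


# Constructed sample Dockerfiles (not from any real project).
WEAK = """\
FROM debian:bookworm
RUN apt-get update && apt-get upgrade -y && apt-get install -y sudo curl
COPY app /app
ENTRYPOINT ["sudo", "/app/run"]
"""

HARDENED = """\
FROM debian:bookworm
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && apt-get clean && rm -rf /var/lib/apt/lists/*
COPY --chown=10001:10001 app /app
USER 10001
ENTRYPOINT ["/app/run"]
"""

# Passes the USER root check but still runs as uid 0; the comment trips the
# sudo rule and, being Alpine-based, it can never contain 'apt-get clean'.
EVASIVE = """\
FROM alpine:3.19
# no sudo here, but we still run as uid 0
COPY app /app
USER 0
ENTRYPOINT ["/app/run"]
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("evasive", EVASIVE)):
        code, violated = gate(text)
        print(f"{name:9s} exit={code} violated={violated}")
```

The WEAK sample fails five of the six rules and is blocked; the HARDENED rewrite (no upgrade step, caches cleared, a numeric non-root USER, no sudo) passes cleanly. The EVASIVE sample is the caveat: a Block on LW_CONTAINER_POLICY_12 alone does not stop a root container declared as USER 0, so pair these Dockerfile rules with a runtime control such as a Kubernetes pod security setting that forbids running as root.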

Edit a Default Policy

Default policies cannot be edited except for the Action on failure, Status, and Scope fields. To change anything else, clone the default policy and edit the clone, or disable the default policy if it is not required.

Delete a Default Policy

Default policies cannot be deleted, only disabled.

Disable/Enable a Default Policy

On the Policies page, find the default policy and click the Status toggle to disable or enable the policy.

Policies Chart

The Policies page displays a visual summary with the following information:

  • Coverage - Shows total number of policies, including the number of enabled vs disabled, and the number of policy exceptions.
  • Policy Types - Shows the number of default vs custom policies.
  • Policies By Severity - Shows the number of policies for each severity.

The chart updates when any filters are active.

Inline Scanner Support

Container vulnerability policies can be used with the Inline Scanner to trigger exit codes during image evaluations, so a CI step can fail on a policy violation. Find out more in the policy support section for Inline Scanner.
