Configure runtime vulnerability scanning

Runtime vulnerability scanning provides visibility into operating system and open source code vulnerabilities present in containers running in clusters where you have Container Security installed. It provides a list of vulnerabilities sorted by severity; selecting an entry shows additional context within the vulnerability view. You can search for a vulnerability by name, and filter by severity level or CVE score.

At this time, runtime vulnerability scanning cannot be used to scan registries. If you need to scan container image registries, see Trend Micro Smart Check. Runtime vulnerability scanning results do not currently integrate with deployment control and continuous compliance policies.

Vulnerability details include:

  • Vulnerability Information: A description of the vulnerability, a link to details (like those listed in the Common Vulnerabilities and Exposures (CVE®) list), the vulnerable package and version, and the version of the vulnerable package which contains the fix (if available).
  • Image Information: The container image where the vulnerability was detected.
  • Detection Information: A list of workloads in which the vulnerability was detected, including the namespace, type, container, and last detection time for each workload.

Runtime vulnerability scanning cluster resource requirements

Cluster worker nodes are required to have at least 2 vCPU and 8 GiB of memory. For details on the specifications and default resource limits of these components, see the resources section of the Helm chart.

Enable runtime vulnerability scanning

Register a cluster to Container Security by following the instructions in Add a cluster.

To enable runtime vulnerability scanning:

  1. Add vulnerabilityScanning.enabled=true to your overrides YAML file (usually overrides.yaml):

    cloudOne:
        apiKey: <API_KEY>
        endpoint: <ENDPOINT>
        vulnerabilityScanning:
            enabled: true
  2. Upgrade Container Security using the following command:

    helm upgrade \
        trendmicro \
        --namespace trendmicro-system --create-namespace \
        --values overrides.yaml \
        https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz

After the upgrade, enabling runtime vulnerability scanning should add scan-manager and workload-operator pods to the cluster in a "Ready" state.

View vulnerabilities

To view vulnerabilities, you'll first need to configure runtime vulnerability scanning.

The Vulnerability View page displays the vulnerabilities present in containers currently running in your clusters, sorted by severity. You can search vulnerabilities by name, and filter results by severity level or CVE score.

Configure runtime vulnerability scanning for OpenShift

On OpenShift, namespaces created after installing Container Security need to be configured by upgrading Container Security, which creates the RBAC resources that grant the scanners the required privileges in the new namespaces. Run the following command to upgrade:

helm upgrade \
    --namespace trendmicro-system \
    --reuse-values \
    trendmicro \
    https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz

Troubleshooting

This section covers some commonly seen issues in runtime vulnerability scanning, and how to address them.

Scanner pods are getting terminated with an OOMKilled status

Scanner pod status can be observed through tools such as kubectl. In this situation, the following log line may be observed by running kubectl describe nodes:

Memory cgroup out of memory: Killed process xxxxx (sbom-job)

During normal operation, every unique image deployed in your cluster triggers a scanner pod. This scan job generates a Software Bill of Materials (SBOM) for the deployed image, and the SBOM is sent to Cloud One for further analysis. If the generated SBOM is larger than the default maximum memory limit of the scan job, the pod is terminated with an OOMKilled status. Exceptionally large images (such as machine learning images) can lead to exceptionally large SBOMs. To remediate this issue, override the default maximum memory limit of the scan job in your Helm overrides YAML file (usually overrides.yaml):

cloudOne:
    apiKey: <API_KEY>
    endpoint: <ENDPOINT>
    vulnerabilityScanning:
        enabled: true
resources:
    scanner:
        limits:
            memory: 1024Mi

To apply the new configuration, run the helm upgrade command as described in Enable runtime vulnerability scanning. If you continue to encounter the same problem, increase the scanner memory limit again (for example, to 2048Mi).
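As an added example that is not part of the Container Security documentation or Helm chart, the following Python reads the JSON printed by kubectl get pods -n trendmicro-system -o json and performs the two checks this page describes: that the scan-manager and workload-operator pods added under Enable runtime vulnerability scanning are Ready, and which scanner pods were OOMKilled, together with the next memory override to try (1024Mi first, then doubling). The embedded sample JSON, the pod names and the 512Mi limit are constructed; matching pods by name prefix and the container name sbom-job (taken from the OOM log line above) are assumptions.

```python
import json

# Constructed sample of `kubectl get pods -n trendmicro-system -o json` output:
# scan-manager and workload-operator are Ready, one scanner pod was OOMKilled at
# an invented 512Mi limit; "sbom-job" is the process named in the OOM log line.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "scan-manager-7c9d6"}, "status": {"phase": "Running",
     "containerStatuses": [{"name": "scan-manager", "ready": True}]}},
    {"metadata": {"name": "workload-operator-5f1a2"}, "status": {"phase": "Running",
     "containerStatuses": [{"name": "workload-operator", "ready": True}]}},
    {"metadata": {"name": "scan-job-9b3e1"},
     "spec": {"containers": [{"name": "sbom-job",
                              "resources": {"limits": {"memory": "512Mi"}}}]},
     "status": {"phase": "Failed", "containerStatuses": [{"name": "sbom-job",
      "ready": False, "state": {"terminated": {"reason": "OOMKilled"}}}]}},
]})

def to_mib(quantity):
    """Convert a Kubernetes binary memory quantity (Ki, Mi or Gi) to MiB."""
    for suffix, factor in (("Ki", 1 / 1024), ("Mi", 1), ("Gi", 1024)):
        if quantity.endswith(suffix):
            return float(quantity[:-2]) * factor
    raise ValueError("unsupported memory quantity: " + quantity)

def core_pods_ready(pods_json, required=("scan-manager", "workload-operator")):
    """True per required pod when a pod with that name prefix is Running and all
    of its containers report Ready; False when missing or still starting."""
    items = json.loads(pods_json)["items"]
    return {prefix: any(
        p["status"].get("phase") == "Running"
        and all(c["ready"] for c in p["status"].get("containerStatuses", []))
        for p in items if p["metadata"]["name"].startswith(prefix))
        for prefix in required}

def oom_killed_scanners(pods_json):
    """List (pod, current limit MiB, suggested limit) for every pod whose sbom-job
    container was OOMKilled. The suggestion doubles the current limit but starts
    at the 1024Mi override the Troubleshooting section recommends first."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        for status in pod["status"].get("containerStatuses", []):
            reason = status.get("state", {}).get("terminated", {}).get("reason")
            if status["name"] != "sbom-job" or reason != "OOMKilled":
                continue
            limits = {c["name"]: c.get("resources", {}).get("limits", {})
                      for c in pod.get("spec", {}).get("containers", [])}
            current = to_mib(limits.get("sbom-job", {}).get("memory", "0Mi"))
            findings.append((pod["metadata"]["name"], current,
                             f"{max(1024, int(current) * 2)}Mi"))
    return findings
```

Pipe live output through the two functions after each helm upgrade; a suggested limit goes into resources.scanner.limits.memory in overrides.yaml as shown above.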

Discovered vulnerabilities are disappearing from the vulnerability view

The runtime scanning vulnerability view is currently a live representation of the vulnerabilities in your cluster. Once the vulnerable container is no longer running in the cluster (for example, because it was terminated), its vulnerabilities are removed from the vulnerability view immediately.