1. Overview

Twistlock scans all Docker images on all hosts that run Defender. After Defender is installed, it automatically starts scanning images on the host. After the initial scan, subsequent scans are triggered:

  • Periodically, according to the scan interval configured in Console. By default, images are scanned every 24 hours.

  • When new images are created, pushed, or pulled onto the host.

  • When images change.

  • When scans are forced with the Scan button in Console.

Defender scans Docker images for:

  • Published Common Vulnerabilities and Exposures (CVEs).

  • Vulnerabilities from misconfigurations.

  • Malware.

  • Zero day vulnerabilities.

  • Compliance issues.

  • Secrets.

The Twistlock Intelligence Stream keeps Console up to date with the latest vulnerabilities. The data in this feed is distributed to your Defenders, and employed in subsequent scans.

Through Console, Defender can be extended to scan images for custom components. For example, you can configure Defender to scan for an internally developed library named libexample.so, and set a policy to block a container from running if version 1.9.9 or earlier is installed. For more information, see Scanning custom components.

2. Image scan reports

To see a summary of the health of all the images in your environment:

Procedure

  1. Open Console, then go to Monitor > Vulnerabilities > Images.

    The table summarizes the state of each image in your environment.

    All vulnerabilities identified in the last image scan can be exported to a CSV file by clicking the CSV button in the top left of the page.

    [Screenshot: image scan reports summary]

  2. Click on an image report to open a detailed report.

  3. Click on the Vulnerabilities tab to see all CVE issues.

    CVE vulnerabilities are accompanied by a brief description. Click Show details for more information, including a link to the report on the National Vulnerability Database.

The Vendor Status column contains terms such as 'deferred', 'fixed in…', and 'open'. These strings are imported directly from the vendors' CVE databases. They are not Twistlock-specific.

[Screenshot: image scan reports vendor status]

3. Per-layer vulnerability analysis

To make it easier to understand how images are constructed and what components have vulnerabilities, Twistlock correlates vulnerabilities to layers. This tool helps you assess how vulnerabilities were introduced into an image, and pick a starting point for remediation.

To see the layer analysis, click on an image to open the scan report, then click the Layers tab.

[Screenshot: image scan reports layers tool]

3.1. RHEL images

The Twistlock layers tool shows the instructions used to create each layer in an image. RHEL images, however, don’t contain the necessary metadata, so the Twistlock layers tool shows an empty black box.

[Screenshot: image scan reports RHEL image]

To validate that the required metadata is absent, first run docker history IMAGE-ID on a non-RHEL image. The CREATED BY column is fully populated.

[Screenshot: docker history output for a non-RHEL image]

Next, run docker history IMAGE-ID on a RHEL image. Notice that the CREATED BY column is empty.

[Screenshot: docker history output for a RHEL image]

4. Packages in use

Twistlock uses risk scores to calculate the severity of vulnerabilities in your environment. One of the factors in the risk score is called "Package in use", which indicates a package is utilized by running software.

Scan reports have a Package info tab, which lists all the packages installed in an image or host. It also shows all active packages, which are packages used by running software.

To see these active packages, open a scan report, open the Package info tab, and look at the Binaries column (see the App column in host scan reports). This column shows what’s actually running in the container. For example, the fluent/fluentd:latest container in the following screenshot runs /usr/bin/ruby. One of the packages utilized by the Ruby runtime is the bigdecimal gem. If you were prioritizing mitigation work, and there were a severe vulnerability in bigdecimal, bigdecimal would be a good candidate to address first.

[Screenshot: scan reports packages in use]

5. Per-finding timestamps

Twistlock’s image scan reports show the following per-vulnerability timestamps:

  • Age of the vulnerability based on the discovery date. This is the first date that the Twistlock scanner found the vulnerability.

  • Age of the vulnerability based on its published date. This represents the date the vulnerability was announced to the world.

Host scan reports and registry scan reports show the published date only.

[Screenshot: scan reports timestamped findings]

Timestamps are per-image, per-vulnerability. For example, if CVE-2019-1234 was found in image foo/foo:3.1 last week and image bar/bar:7.8 is created from foo/foo:3.1 today, then the scan results for foo show the discovery date for CVE-2019-1234 to be last week and for bar it shows today.

Timestamped findings are useful when you have time-based SLAs for remediating vulnerabilities (e.g. all critical CVEs must be fixed within 30 days). Per-finding timestamp data makes it possible to track compliance with these SLAs.

6. Host scanning

Twistlock also scans your hosts for vulnerabilities. To see the scan report for your hosts, go to Monitor > Vulnerabilities > Hosts.

By default, all vulnerable packages, according to your policy, are listed. However, you can also examine vulnerabilities specific to an app (systemd service). Use the drop-down list to select an app. Clear the selection to see all vulnerabilities for a host.

[Screenshot: scan reports host apps]

The Package Info tab lists all packages installed on the host. If a package has a component utilized by a running app, the affected running apps are listed in the Apps column.

Twistlock also collects and displays package license details. License information is available at all places where package details are displayed, such as Monitor > Vulnerabilities > Images (under the Package Info tab), Monitor > Vulnerabilities > Hosts and Monitor > Vulnerabilities > Registry, as well as the corresponding API endpoints.

Licensing compliance is currently supported only for viewing purposes and cannot be included in policies for alert/block capabilities.

7. Scan status

The initial scan can take substantial time when you have a large number of images. Subsequent scans are much faster.

To see the status of the image scans, go to Monitor > Vulnerabilities > Images.

Each row in the table represents an image in your environment.

If an image is being scanned, a progress bar shows the status of the scan. If there is no progress bar, the scan has completed.

8. Package types

Twistlock uses compliance identification numbers to designate the package type when reporting vulnerabilities in images. Compliance IDs can be found in the CSV export files and API responses.

To download image reports in CSV format, go to Monitor > Vulnerabilities > Images, and click the CSV button at the top of the table. The Compliance ID, Type, and Packages fields report the package ID, package type, and package name respectively. The API output reports compliance IDs only.

[Screenshot: scan reports CSV packages]

The following table shows how compliance IDs map to package type.

Compliance ID number   Package type
46                     Operating system/distro packages
47                     JAR files
48                     Gem files
49                     Node.js
410                    Python
411                    i.e. MySQL
412                    Custom (set by customer)
415                    Nuget
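As an added example (not part of the Twistlock documentation), the following Python script reads a scan CSV export, maps the Compliance ID field to the package types in the table above, and flags findings whose per-image discovery date has passed a remediation SLA such as the 30-day critical window mentioned in the per-finding timestamps section. The column names, SLA values and sample rows are constructed for this example; compare the header names against your own Console export before relying on them.

```python
import csv
import io
from datetime import datetime, timedelta
# Compliance ID -> package type, as listed in the package types table above.
PACKAGE_TYPES = {
    "46": "Operating system/distro packages",
    "47": "JAR files",
    "48": "Gem files",
    "49": "Node.js",
    "410": "Python",
    "411": "i.e. MySQL",  # wording as given in the table
    "412": "Custom (set by customer)",
    "415": "Nuget",
}
# Remediation deadline in days per severity (constructed policy, not a product default).
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed export: header names, rows and CVE-EXAMPLE ids are placeholders,
# not a real Console export. CVE-2019-1234 is the page's own example.
SAMPLE_CSV = """\
Image,CVE,Severity,Compliance ID,Packages,Discovered
foo/foo:3.1,CVE-2019-1234,critical,46,openssl,2019-05-01
bar/bar:7.8,CVE-2019-1234,critical,46,openssl,2019-06-10
fluent/fluentd:latest,CVE-EXAMPLE-0002,high,48,bigdecimal,2019-03-01
app/web:2.0,CVE-EXAMPLE-0003,low,49,lodash,2019-06-01
"""

def package_type(compliance_id):
    """Translate a compliance ID from the export into a package type label."""
    return PACKAGE_TYPES.get(str(compliance_id), f"unknown ({compliance_id})")

def sla_breaches(csv_text, today):
    """Return findings whose per-image discovery date is past the SLA deadline.
    Discovery dates are per image, so a CVE inherited from a base image starts
    its own clock in the child image (bar/bar:7.8 above is still within SLA)."""
    as_of = datetime.strptime(today, "%Y-%m-%d").date()
    breaches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        discovered = datetime.strptime(row["Discovered"], "%Y-%m-%d").date()
        deadline = discovered + timedelta(days=SLA_DAYS[row["Severity"].lower()])
        if as_of > deadline:
            breaches.append({"image": row["Image"], "cve": row["CVE"],
                             "package": row["Packages"],
                             "type": package_type(row["Compliance ID"]),
                             "days_overdue": (as_of - deadline).days})
    return breaches

if __name__ == "__main__":
    for finding in sla_breaches(SAMPLE_CSV, "2019-06-15"):
        print(finding)
```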