By default, Twistlock reports all vulnerabilities. Setting a minimum reported severity trims the list to an actionable set.
To configure a minimum severity, create a new vulnerability rule, which overrides the default rule. Note that Twistlock maps Common Vulnerability Scoring System (CVSS) scores to a grading system that ranges from Low to Critical, so the threshold is expressed as a grade rather than as a numeric score.
Open Console, and go to Defend > Vulnerabilities > Policy.
Click Add rule.
Give your rule a name.
In the table of Severity based actions, set the Severity in each row to an appropriate level. For example, if you want to concentrate on just the most severe issues, set every row to Critical.
Click Save.
To verify the effect, view the scan reports for all the entities in your system: go to Monitor > Vulnerabilities. Every reported vulnerability now matches or exceeds the severity set in your custom rule.
Twistlock lets you scan for insecure versions of proprietary software components.
First, augment Twistlock's Intelligence Stream with your own custom data that specifies a package type, name, and version range. Then configure Twistlock to take action (alert or block) when the scanner finds a matching package in an image. By default, Twistlock raises an alert when it detects a vulnerability in a custom component.
Twistlock supports the following package types:
Distro packages (deb, rpm).
Binaries.
Nodejs packages.
Python packages.
Ruby gems.
Java artifacts (JAR files).
For cases where Twistlock does not offer built-in support for a package type, you can specify an MD5 hash for the file.
Open Console.
Go to Manage > System > Custom Feeds.
Click on Custom Vulnerabilities.
Click Add.
Enter a name for your vulnerability.
From the drop-down list, select a package type.
For Debian packages, RPM packages, and shared libraries, select package.
If your package type is not supported, select binary.
Enter the name of your package/binary.
Package names can be specified using wild cards (*).
Specify the range of package versions for which your rule applies.
The following formats can be used to specify versions:
| Rule | Format | Example |
|---|---|---|
| Specific version | Enter a single multi-dot number. | 1.1 |
| Range of versions: min and max are known | Enter two multi-dot numbers, separated by a dash. | 5.4-5.5 |
| Range of versions: only min version is known | Specify a multi-dot number for the minimum version, followed by a dash, then a wild card. | 0.22.4.1-* |
| Range of versions: only max version is known | Specify a wild card (*) for the minimum version, followed by a dash, then a multi-dot number for the maximum version. | *-0.22.4.1 |
If package type is set to binary, the version fields are not visible. Instead, enter the MD5 hash for your file or binary.
Click Save.
Your custom vulnerability is now available to the scanner.
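To make the matching semantics of the custom feed concrete, the following added example (written for this page, not Twistlock's own code) implements a matcher for entries in the format described above: package names with `*` wild cards, the four version formats from the table (specific, min-max, min-*, *-max), and MD5 hashes for entries of type binary. Everything beyond what the page states is an assumption of the example: version ranges are treated as inclusive, a shorter version is padded with zeros when compared (so 1.1 matches 1.1.0), only `*` is treated as a wild card (a `?` in a name is literal), binary entries are matched on hash alone so a renamed copy of the same file is still caught, and the feed entries and image inventory are constructed sample data.

```python
import hashlib
import re

# Added example, not Twistlock code. Entries are dicts with keys
#   type: "package" or "binary"
#   name: package name, '*' wild cards allowed (packages only)
#   version: "1.1", "5.4-5.5", "0.22.4.1-*" or "*-0.22.4.1" (packages only)
#   md5: hex digest of the file (binaries only)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text):
    """Turn a multi-dot number such as '0.22.4.1' into a tuple of ints."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a multi-dot version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _cmp(a, b):
    """Compare two version tuples; the shorter is zero-padded (assumption: 1.1 == 1.1.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_version_rule(rule):
    """Parse the four documented formats into (low, high) bounds; None means open."""
    rule = rule.strip()
    if "-" not in rule:                      # specific version, e.g. 1.1
        v = parse_version(rule)
        return v, v
    low, high = rule.split("-", 1)           # 5.4-5.5, 0.22.4.1-*, *-0.22.4.1
    if low == "*" and high == "*":
        raise ValueError("at least one bound of the range must be a version")
    low_v = None if low == "*" else parse_version(low)
    high_v = None if high == "*" else parse_version(high)
    if low_v is not None and high_v is not None and _cmp(low_v, high_v) > 0:
        raise ValueError(f"minimum exceeds maximum in {rule!r}")
    return low_v, high_v


def version_in_range(version, rule):
    """True if the installed version falls inside the rule's range (assumed inclusive)."""
    v = parse_version(version)
    low, high = parse_version_rule(rule)
    if low is not None and _cmp(v, low) < 0:
        return False
    if high is not None and _cmp(v, high) > 0:
        return False
    return True


def name_matches(pattern, name):
    """Wild-card match in which only '*' is special; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def md5_hex(data):
    """MD5 of a file's bytes, the identifier the feed uses for binary entries."""
    return hashlib.md5(data).hexdigest()


def find_matches(custom_vulns, inventory):
    """Return (entry name, item name, matched version or md5) for every hit."""
    hits = []
    for vuln in custom_vulns:
        for item in inventory:
            if vuln["type"] != item["type"]:
                continue
            if vuln["type"] == "binary":
                # A renamed copy is still the same file, so only the hash counts.
                matched = vuln["md5"].lower() == item["md5"].lower()
                evidence = item["md5"]
            else:
                matched = (name_matches(vuln["name"], item["name"])
                           and version_in_range(item["version"], vuln["version"]))
                evidence = item["version"]
            if matched:
                hits.append((vuln["name"], item["name"], evidence))
    return hits


# Constructed sample data (not from the page): feed entries and an image inventory.
LEGACY_AGENT_BYTES = b"constructed stand-in for a proprietary binary"
CUSTOM_VULNS = [
    {"type": "package", "name": "acme-*", "version": "5.4-5.5"},
    {"type": "package", "name": "libfoo", "version": "0.22.4.1-*"},
    {"type": "package", "name": "bar", "version": "*-0.22.4.1"},
    {"type": "package", "name": "baz", "version": "1.1"},
    {"type": "binary", "name": "legacy-agent", "md5": md5_hex(LEGACY_AGENT_BYTES)},
]
INVENTORY = [
    {"type": "package", "name": "acme-core", "version": "5.4.2"},   # in 5.4-5.5
    {"type": "package", "name": "acme-ui", "version": "5.6"},       # above max
    {"type": "package", "name": "libfoo", "version": "0.22.4.1"},   # equals min
    {"type": "package", "name": "libfoo", "version": "0.22.3"},     # below min
    {"type": "package", "name": "bar", "version": "0.21"},          # below max
    {"type": "package", "name": "bar", "version": "1.0"},           # above max
    {"type": "package", "name": "baz", "version": "1.1.0"},         # padded equal
    {"type": "binary", "name": "legacy-agent", "md5": md5_hex(LEGACY_AGENT_BYTES)},
    {"type": "binary", "name": "agent.bin", "md5": md5_hex(LEGACY_AGENT_BYTES)},  # renamed copy
    {"type": "binary", "name": "legacy-agent", "md5": md5_hex(b"a patched build")},
]

if __name__ == "__main__":
    for entry, name, evidence in find_matches(CUSTOM_VULNS, INVENTORY):
        print(f"custom vulnerability {entry!r} matched {name} ({evidence})")
```

Two practical consequences follow from the hash-based form: a binary entry only ever matches byte-identical files, so every rebuild of the component changes its MD5 and the feed entry has to be updated alongside it, and an entry with both ends of the range left as wild cards (`*-*`) is rejected here rather than silently matching every version.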
By default, an alert is logged if an image scan detects a component that you have designated as vulnerable. To see the default rule, go to Defend > Vulnerabilities > Images, and click on the Default - alert all components rule. To change the default rule, select a different Alert or block threshold. To take a different action, create a new vulnerability rule.