1. Overview

You can specify how often Twistlock scans your environment for vulnerabilities and compliance issues. By default, Twistlock scans your environment every 24 hours. Images are re-scanned when changes are detected. For example, pulling a new image triggers a scan.

Twistlock scans for vulnerabilities and/or compliance issues in:

• Images

• PCF Blobstores

• Containers

• Serverless functions

• Hosts

• Cloud platforms

• Registries

Scan intervals can be separately configured for each type of object.

2. Configuring scan intervals

The scan frequency is configurable. By default, Twistlock scans your environment every 24 hours.

Procedure

  1. Open Console.

  2. Go to Manage > System > Scan.

  3. Scroll down to the Scheduling section.

  4. Set the scan intervals for each type according to your requirements.

    Scan intervals are specified in hours.

  5. Scroll to the bottom of the page, and click Save.

Results

Console reports the last time Defender scanned your environment. Go to Manage > Defenders > Manage, and click a row in the table to get a detailed status report for each deployed Defender. The status column shows the last time Defender scanned the containers and images on the host where it runs. When Defender is delegated the registry scanner role, you can also see the last time your registry was scanned.

configure scan intervals defender details

Defender roles are displayed in the Manage > Defenders > Manage table. The following screenshot shows that Defender on host ian-23 is a registry scanner.

configure scan intervals defender list

3. Scan performance

Scanning for malware in archives in container images consumes a lot of resources. The scanner unpacks each archive to search for malicious software. Checksums must be indiviudally calculated for each file. Because of the performance impact and the way containers tend to be used, malware in archives is an unlikely threat. As such, Scan for malware within archives in images is disabled by default.

If this option is enabled, Twistlock supports the following archive file types.

  • ZIP

  • GZ

  • TAR

  • WAR

  • JAR

  • EAR

Note: If the archive is over 512Mb, Twistlock will not scan it.

4. Scan JavaScript components in manifest but not on disk

When this option is enabled, Twistlock scans for vulnerabilities in components listed in manifests, but not actually present in the image or function being scanned. This can be used to identify vulnerable components used in development but can lead to significant numbers of false positive results and is not recommended in production scenarios.

5. Unrated vulnerabilities

When Show vulnerabilities that are of negligible severity is enabled, the scanner reports CVEs that aren’t scored yet or have a negligible severity. Negligible severity vulnerabilities don’t pose a security risk, and are often designated with a status of "will not fix" or similar labels by the vendor. They are typically theoretical, require a very special (unlikely) situation to be exploited, or cause no real damage when exploited.

By default, this setting is disabled to strip unactionable noise from your scan reports.

6. Orchestration

Kubernetes and other orchestrators have control plane components implemented as containers. By default, Twistlock doesn’t scan orchestrator utility contianers for vulnerability and compliance issues.