Vulnerability Response and Configuration Compliance for Containers helps organizations respond to container vulnerabilities quickly and efficiently by connecting security and application teams, and providing real-time visibility into your security posture. Container Vulnerability Response connects the workflow and automation capabilities of the Now Platform® with vulnerability scan data from leading container security vendors to give your teams a single platform for a response that can be shared between security and application teams.
The Vulnerability Response and Configuration Compliance for Containers application includes the following capabilities:
- Ability to refer to a Docker image as a configuration item (CI) from the container vulnerable items (CVITs).
- Provide runtime context such as Kubernetes Services, Clusters, Namespaces, and cloud account metadata for security teams to make decisions on assignment, remediation target, risk score calculation, etc.
- Assignment rules to automatically assign container vulnerabilities to the application teams based on Docker Image labels, Kubernetes cluster/namespace/service information, cloud account ID, cloud account name, cloud region, cloud provider, etc.
- Ability to populate base OS image vulnerable items separately to facilitate independent tracking of these vulnerabilities.
- Provide flexibility to configure granularity of container vulnerable items to track at Docker image level, cluster level, service level, etc.
- Automatically detect new versions of container images being deployed and close vulnerabilities reported on older versions.
- Exception management features that let remediation owners request exceptions, a multi-level approval workflow, and exception rules to automatically defer container vulnerable items.
- Performance Analytics (PA) dashboard, which provides visibility into vulnerability and remediation trends.
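As an added illustration (not ServiceNow code and not the application's actual implementation; the data model, rule format, field names and sample records below are all constructed for the example), the following plain JavaScript models two of the behaviours listed above: first-match assignment rules keyed on image labels and runtime context, and closing container vulnerable items when a newer image version is observed at the same configured tracking granularity. It also handles one edge case the list item does not spell out: during a rolling deployment the old and new versions can both be running, so an item is only closed when its version is no longer reported anywhere under its tracking key.

```javascript
// Illustrative model only. Everything here (field names, rule format, sample
// data) is constructed for the example and is not a ServiceNow API.

// Runtime fields that make up the tracking key at each configurable granularity.
const GRANULARITY_FIELDS = {
  image: ['image'],
  cluster: ['image', 'cluster'],
  namespace: ['image', 'cluster', 'namespace'],
  service: ['image', 'cluster', 'namespace', 'service'],
};

// Key identifying "the same deployment" of an image, independent of its version.
function trackingKey(item, granularity) {
  const fields = GRANULARITY_FIELDS[granularity];
  if (!fields) throw new Error('unknown granularity: ' + granularity);
  return fields.map((f) => item[f] || '').join('|');
}

// A rule matches when every criterion matches. Keys of the form
// "label:<name>" compare against the image's labels; other keys compare
// against the item's runtime-context fields (cluster, namespace, service ...).
function matchesRule(item, rule) {
  return Object.keys(rule.match).every((key) => {
    const expected = rule.match[key];
    if (key.startsWith('label:')) {
      return (item.labels || {})[key.slice('label:'.length)] === expected;
    }
    return item[key] === expected;
  });
}

// Rules are evaluated in order; the first match wins, so put specific rules
// (team + cluster) before general ones (team only).
function assign(item, rules) {
  const hit = rules.find((rule) => matchesRule(item, rule));
  return Object.assign({}, item, {
    assignmentGroup: hit ? hit.assignmentGroup : null,
  });
}

// Close open items whose tracking key is still reported by the latest scan but
// whose image version is no longer among the versions running under that key.
function reconcile(existing, scanned, granularity) {
  const running = new Map(); // tracking key -> Set of versions currently deployed
  for (const s of scanned) {
    const key = trackingKey(s, granularity);
    if (!running.has(key)) running.set(key, new Set());
    running.get(key).add(s.version);
  }
  return existing.map((item) => {
    if (item.state === 'Closed') return item;
    const versions = running.get(trackingKey(item, granularity));
    if (versions && !versions.has(item.version)) {
      return Object.assign({}, item, {
        state: 'Closed',
        closeReason: 'Superseded by ' + Array.from(versions).join(', '),
      });
    }
    return item; // not seen in this scan, or old version still running somewhere
  });
}

// Constructed sample data: three open items, a fresh scan, and assignment rules.
const OPEN_ITEMS = [
  { id: 'CVIT-1', finding: 'vuln-a', image: 'registry.example.com/shop/api', version: '1.4.2',
    cluster: 'prod-eu', namespace: 'shop', service: 'api', labels: { team: 'shop-backend' }, state: 'Open' },
  { id: 'CVIT-2', finding: 'vuln-a', image: 'registry.example.com/shop/api', version: '1.4.2',
    cluster: 'prod-us', namespace: 'shop', service: 'api', labels: { team: 'shop-backend' }, state: 'Open' },
  { id: 'CVIT-3', finding: 'vuln-b', image: 'registry.example.com/base/alpine', version: '3.18',
    cluster: 'prod-eu', namespace: 'shop', service: 'api', labels: {}, state: 'Open' },
];
const SCAN = [ // prod-eu rolled shop/api to 1.5.0; prod-us still runs 1.4.2
  { image: 'registry.example.com/shop/api', version: '1.5.0', cluster: 'prod-eu', namespace: 'shop', service: 'api' },
  { image: 'registry.example.com/shop/api', version: '1.4.2', cluster: 'prod-us', namespace: 'shop', service: 'api' },
  { image: 'registry.example.com/base/alpine', version: '3.18', cluster: 'prod-eu', namespace: 'shop', service: 'api' },
];
const RULES = [
  { match: { 'label:team': 'shop-backend', cluster: 'prod-eu' }, assignmentGroup: 'Shop Backend EU' },
  { match: { 'label:team': 'shop-backend' }, assignmentGroup: 'Shop Backend' },
  { match: { image: 'registry.example.com/base/alpine' }, assignmentGroup: 'Platform Base Images' },
];

function run() {
  return {
    assigned: OPEN_ITEMS.map((item) => assign(item, RULES)),
    byService: reconcile(OPEN_ITEMS, SCAN, 'service'),
    byImage: reconcile(OPEN_ITEMS, SCAN, 'image'),
  };
}
```

With service-level tracking, CVIT-1 is closed because prod-eu/shop/api now runs 1.5.0, while CVIT-2 stays open because prod-us still runs 1.4.2. With image-level tracking nothing closes, since 1.4.2 is still running under the image key; that is the trade-off a coarser granularity buys, and the reason to pick it deliberately.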
New:
Imports now accept more scanner data. When the scanner data includes them, namespaces and cluster hierarchy are populated in the Discovered Container Image [sn_vul_container_image] table.
Changed:
With enhancements to refine state management logic, you might see overall improvements in the following areas:
- State roll-down from remediation tasks (RTs) to findings and roll-up from findings to RTs for all modules.
- Handling of mixed states such as 'Deferred' and 'Closed'.
- Closing RTs in sub-states such as 'In-Review'.
- Reopening RTs based on the 'Assigned To' field.
- Aligning false positive transitions with scanner results as the source of truth to help reduce manual effort and clarify task ownership.
Fixed:
- State changes in vulnerability findings are rolled up correctly to their associated container vulnerable items.
- A cross-scope access error that was triggered when reopening closed container vulnerable items.
- An issue that prevented saving images with the same name but different IDs.
The following application must be installed and activated before Vulnerability Response and Configuration Compliance for Containers can be used:
- Vulnerability Response
Permissions and roles
- Roles required:
- For installation: System Admin (admin)
- For configurations: Container Vulnerability Admin (sn_vul_container.vulnerability_admin) for Container Vulnerability Response