Scan a Container Image
Use the Tenable Cloud Security CLI to scan a container image. After Tenable Cloud Security scans your container image, you can view the detailed scan results on the Tenable Cloud Security Console.
Before you begin:
- Create a project in the Tenable Cloud Security Console to scan the container image.
  Note: For accurate results in scan reports and dashboards, Tenable recommends that you avoid scanning the same image from multiple projects.
- Ensure that the container image is available in the Docker daemon.
To scan a container image from the Tenable Cloud Security CLI:
- Run the tcs consec image command in one of the following ways:
  - Without the configuration file:
    tcs consec image <image_name>:<tag> --project=<project_ID> --token=<API_token> --wait --retryInterval <poll_interval> --timeout <timeout_sec>
  - With the configuration file:
    tcs consec image <image_name>:<tag> --config=<config_file_path> --wait --retryInterval <poll_interval> --timeout <timeout_sec>
  Where:
  - <image_name>:<tag>: Image name with its tag. For example, alpine:latest.
  - <project_ID>: Project ID in Tenable Cloud Security. Alternatively, set the project ID with the TCS_PROJECT_ID environment variable.
  - <API_token>: API authentication token that you generate from Tenable Cloud Security. Alternatively, set the API token with the TCS_TOKEN environment variable. For more information, see Generate API Tokens.
  - <config_file_path>: Location of the configuration file that you downloaded from Tenable Cloud Security. This option accepts absolute or relative file paths (defaults to ./config, then checks <HOMEDIR>/.accurics/config). For more information, see Download Configuration File.
- Use the following optional parameters to wait for the scan results:
  - --wait: If you specify this option, Tenable Cloud Security waits for the duration specified with the --timeout parameter for the scan to complete. If the scan completes within that duration, Tenable Cloud Security generates two types of CLI output:
    - Scan summary on the console: Includes the summary of total misconfigurations (violations) and total vulnerabilities.
    - JSON report: Detailed scan report with the details of the misconfigurations and vulnerabilities.
    For more information about these CLI outputs, see CLI Outputs for Container Image Scans.
  - --timeout <timeout_sec>: The maximum time (in seconds) to wait for the violation report of the scan. The default value is 300 seconds (5 minutes). To change the default, use this option together with the --wait option.
  - --retryInterval <poll_interval>: The polling interval (in seconds) while polling for the violation report of the scan. The default value is 5 seconds. Tenable Cloud Security checks whether the violation report is ready after every polling interval.
CLI Outputs for Container Image Scans
In addition to displaying the scan results on the Tenable Cloud Security user interface, Tenable Cloud Security generates a scan summary on the console and a JSON report when you scan container images. To generate these two CLI outputs, you must use the tcs consec image command with the --wait option. The JSON report can also be used as an artifact of a successful CI/CD pipeline run or as raw data for post-processing of the scan results.
Tenable Cloud Security generates the following two CLI outputs:
- Scan summary on the console: Includes the summary of total misconfigurations (violations) and total vulnerabilities, categorized by severity.
Violation Summary:
Policy Status : MONITOR_FAIL
Total Violations : 1
Enforced Violations : 0
More details : https://cloud.tenable.com/cns/issues/vulnerabilities?project=<project_id>
Total Count : 5
Distinct CVEs : 4
Highest CVSSv2 Score : 6.7
Highest CVSSv3 Score : 6.7
Highest VPR Score : 6.7
CRITICAL : 0
HIGH : 4
MEDIUM : 0
LOW : 0
More details : https://cloud.tenable.com/cns/issues/vulnerabilities?project=<project_id>
- JSON report: Detailed scan report with the details of the misconfigurations and vulnerabilities.
Note: Tenable Cloud Security generates the JSON report in the ${pwd}/report folder with the name tcs_image_scan_<project_id>.json. The following is a sample JSON report:
{
  "schema": "application/vnd+tenable.consec.report.v1.0+json",
  "scan_status": "FINISHED",
  "scan": {
    "asset_type": "image",
    "asset_id": "9ab82761-51f5-5fc4-ae33-7a052905f439",
    "scan_id": "d121c6de-ab7a-4929-ac33-72695ed9fb3c",
    "project_id": "5edaba47-4185-4b2e-abf1-c97803df5928",
    "asset": {
      "name": "docker.io/library/influxdb:alpine",
      "tag": "alpine",
      "os": "linux",
      "architecture": "arm64",
      "built_at": "2023-06-15T03:03:03.448Z",
      "last_updated": "2023-07-03T08:18:34.342021604Z",
      "observation_source": "PIPELINE_IMAGE",
      "exposed_ports": [
        "8086/tcp"
      ],
      "environment_variables": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "INFLUXDB_VERSION=2.7.1",
        "INFLUX_CLI_VERSION=2.7.3",
        "INFLUX_CONFIGS_PATH=/etc/influxdb2/influx-configs",
        "INFLUXD_INIT_PORT=9999",
        "INFLUXD_INIT_PING_ATTEMPTS=600",
        "DOCKER_INFLUXDB_INIT_CLI_CONFIG_NAME=default"
      ],
      "cmd": [
        "influxd"
      ],
      "entry_point": null,
      "image_labels": [],
      "imported_at": "2023-06-29T17:32:38.258Z",
      "image_id": "sha256:c0bc4371bc3a1e0c5f6c6e27e356724cf765e022bfe3984572e6960e4c55dbf5",
      "digest": "sha256:c0bc4371bc3a1e0c5f6c6e27e356724cf765e022bfe3984572e6960e4c55dbf5",
      "registry_url": ""
    }
  },
  "policies": {
    "summary": {
      "status": "ENFORCE_FAIL",
      "enforce_failed_count": 1,
      "total_failed_count": 1
    },
    "violations": [
      {
        "id": "",
        "name": "test-custom-policy-group",
        "remediation": "test",
        "policy_mode": "ENFORCE",
        "severity": "HIGH"
      }
    ]
  },
  "vulnerabilities": {
    "summary": {
      "total_count": 5,
      "distinct_cve_count": 4,
      "max_cvss_v2_score": 7.8,
      "max_cvss_v3_score": 7.8,
      "max_vpr_score": 6.7,
      "severity_breakdown": {
        "critical": 0,
        "high": 4,
        "medium": 0,
        "low": 0
      }
    },
    "findings": [
      {
        "plugin_id": 400061,
        "vpr": {
          "score": 2.2
        },
        "cvss_v2": {
          "base_score": 5,
          "base_vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"
        },
        "cvss_v3": {
          "base_score": 5.3,
          "base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
        },
        "description": "There are packages installed that are affected by a vulnerability referenced in the following CVE:\n\n - Applications that use a non-default option when verifying certificates may be vulnerable to an attack from\n a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are\n silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A\n malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent\n policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled\n by passing the `-policy' argument to the command line utilities or by calling the\n `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0465)",
        "family": "Alpine Linux Local Security Checks",
        "severity": "HIGH",
        "cve_ids": [
          "CVE-2023-0465"
        ],
        "published_date": "2023-03-21T00:00:00Z",
        "affected_packages": [
          {
            "name": "libcrypto3",
            "version": "3.0.9-r1"
          },
          {
            "name": "libssl3",
            "version": "3.0.9-r1"
          }
        ],
        "remediation": "Upgrade the affected packages."
      },
      {
        "plugin_id": 400067,
        "vpr": {
          "score": 3.6
        },
        "cvss_v2": {
          "base_score": 5.4,
          "base_vector": "CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C"
        },
        "cvss_v3": {
          "base_score": 5.9,
          "base_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        "description": "There are packages installed that are affected by a vulnerability referenced in the following CVE:\n\n - Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that\n could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use\n the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is\n usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform\n will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g.\n 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash\n which results in a denial of service. If an attacker can control the size and location of the ciphertext\n buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is\n fairly unlikely making this issue a Low severity one. (CVE-2023-1255)",
        "family": "Alpine Linux Local Security Checks",
        "severity": "HIGH",
        "cve_ids": [
          "CVE-2023-1255"
        ],
        "published_date": "2023-04-20T00:00:00Z",
        "affected_packages": [
          {
            "name": "libcrypto3",
            "version": "3.0.9-r1"
          },
          {
            "name": "libssl3",
            "version": "3.0.9-r1"
          }
        ],
        "remediation": "Upgrade the affected packages."
      },
      {
        "plugin_id": 400058,
        "vpr": {
          "score": 4.4
        },
        "cvss_v2": {
          "base_score": 7.8,
          "base_vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"
        },
        "cvss_v3": {
          "base_score": 7.5,
          "base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        "description": "There are packages installed that are affected by a vulnerability referenced in the following CVE:\n\n - A security vulnerability has been identified in all supported versions of OpenSSL related to the\n verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit\n this vulnerability by creating a malicious certificate chain that triggers exponential use of\n computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy\n processing is disabled by default but can be enabled by passing the `-policy' argument to the command line\n utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)",
        "family": "Alpine Linux Local Security Checks",
        "severity": "HIGH",
        "cve_ids": [
          "CVE-2023-0464"
        ],
        "published_date": "2023-03-22T00:00:00Z",
        "affected_packages": [
          {
            "name": "libcrypto3",
            "version": "3.0.9-r1"
          },
          {
            "name": "libssl3",
            "version": "3.0.9-r1"
          }
        ],
        "remediation": "Upgrade the affected packages."
      },
      {
        "plugin_id": 400069,
        "vpr": {
          "score": 6.7
        },
        "cvss_v2": {
          "base_score": 6.8,
          "base_vector": "CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C"
        },
        "cvss_v3": {
          "base_score": 7.8,
          "base_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        },
        "description": "There are packages installed that are affected by a vulnerability referenced in the following CVE:\n\n - ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-\n relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo\n or reached via the TERMINFO or TERM environment variable. (CVE-2023-29491)",
        "family": "Alpine Linux Local Security Checks",
        "severity": "HIGH",
        "cve_ids": [
          "CVE-2023-29491"
        ],
        "published_date": "2023-04-14T00:00:00Z",
        "affected_packages": [
          {
            "name": "ncurses-terminfo-base",
            "version": "6.3_p20221119-r1"
          },
          {
            "name": "ncurses-libs",
            "version": "6.3_p20221119-r1"
          }
        ],
        "remediation": "Upgrade the affected packages."
      },
      {
        "plugin_id": 144938,
        "vpr": {
          "score": 0
        },
        "cvss_v2": {
          "base_score": 0,
          "base_vector": ""
        },
        "cvss_v3": {
          "base_score": 0,
          "base_vector": ""
        },
        "description": "This plugin returns information about a Frictionless Assessment scan. This plugin is only available to Frictionless Assessment.",
        "family": "Misc.",
        "severity": "NONE",
        "cve_ids": [],
        "published_date": "1970-01-01T00:00:00Z",
        "affected_packages": [
          {
            "name": "",
            "version": ""
          }
        ],
        "remediation": "Upgrade the affected packages."
      }
    ]
  }
}
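As an added example (not Tenable's code), the following Python gate ties the two parts of this page together: it assembles the tcs consec image command from the options documented in the procedure above, then post-processes the tcs_image_scan_<project_id>.json report described in this section so a CI/CD job fails on an ENFORCE_FAIL policy status or on HIGH/CRITICAL findings, while skipping informational plugins such as the Frictionless Assessment entry (severity NONE, empty cve_ids). The blocking-severity set, the script name gate.py and the PASS/FAIL exit-code convention are assumptions for this example.

```python
import json
import os
import subprocess
import sys

# Gate policy assumed for this example: block the pipeline on these severities.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

def build_scan_command(image, project_id=None, token=None, config=None,
                       timeout=300, retry_interval=5):
    """argv for `tcs consec image` with the options documented on this page."""
    cmd = ["tcs", "consec", "image", image, "--wait",
           "--retryInterval", str(retry_interval), "--timeout", str(timeout)]
    if config:
        return cmd + [f"--config={config}"]
    # Without a config file, fall back to the TCS_PROJECT_ID / TCS_TOKEN variables.
    project_id = project_id or os.environ.get("TCS_PROJECT_ID")
    token = token or os.environ.get("TCS_TOKEN")
    if not (project_id and token):
        raise ValueError("need --config, or a project ID and an API token")
    return cmd + [f"--project={project_id}", f"--token={token}"]

def evaluate_report(report):
    """Return (passed, reasons) for a parsed tcs_image_scan_<project_id>.json."""
    reasons = []
    if report.get("scan_status") != "FINISHED":
        reasons.append(f"scan_status is {report.get('scan_status')}")
    policy = report.get("policies", {}).get("summary", {})
    if policy.get("status") == "ENFORCE_FAIL":
        reasons.append(f"{policy.get('enforce_failed_count', 0)} enforced policy violation(s)")
    by_cve = {}
    for finding in report.get("vulnerabilities", {}).get("findings", []):
        # Informational plugins (severity NONE, empty cve_ids) never block the build.
        if finding.get("severity") not in BLOCKING_SEVERITIES:
            continue
        pkgs = {p["name"] for p in finding.get("affected_packages", []) if p.get("name")}
        for cve in finding.get("cve_ids", []):
            by_cve.setdefault(cve, set()).update(pkgs)
    for cve, pkgs in sorted(by_cve.items()):
        reasons.append(f"{cve} in {', '.join(sorted(pkgs))}")
    return (not reasons, reasons)

if __name__ == "__main__":  # usage: gate.py <image_name>:<tag> <project_ID>
    image, project = sys.argv[1], sys.argv[2]
    subprocess.run(build_scan_command(image, project), check=True)
    with open(f"report/tcs_image_scan_{project}.json", encoding="utf-8") as fh:
        ok, why = evaluate_report(json.load(fh))
    print("PASS" if ok else "FAIL\n  " + "\n  ".join(why))
    sys.exit(0 if ok else 1)
```

The report path follows the ${pwd}/report location and file name given in the note above, so the script must run from the same working directory as the scan.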
What to do next:
On the Tenable Cloud Security Console, go to the Findings page. Tenable Cloud Security shows the vulnerabilities detected for the scanned image. For more information, see View Vulnerabilities.