Container Image Scanning, Signing and Verification

You can now enable scanning of container images stored in Oracle Cloud Infrastructure Registry (OCI Registry) for security vulnerabilities published in the publicly available Common Vulnerabilities and Exposures (CVE) database. Once scanning is enabled on a repository, the OCI Vulnerability Scanning service scans every image you push to it; for repositories that already contain images, the four most recently pushed images are scanned. Repositories with scanning enabled are automatically rescanned as new vulnerabilities are published. For every scanned image you can view the scan results for the last thirteen months, the risk level of each scan, and a description of each vulnerability with a link to its CVE database entry.

To detect whether an image has been modified after it was pushed, you can now sign an image in OCI Registry using master encryption keys stored in OCI Vault. You can view the signatures stored for an image and verify them against the image, confirming that its integrity has not been compromised.

You can also configure OCI Container Engine for Kubernetes with a cluster-specific policy to allow only container images in OCI Registry that have been signed by particular master encryption keys to be deployed to a cluster. Images without the correct signature will be denied.
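The sign, verify and enforce steps described in the two paragraphs above, as an added shell example around the OCI CLI. This is not Oracle's code and not an example from the original page; it assumes the CLI subcommands `oci artifacts container image-signature sign-upload` and `get-verify`, `oci ce cluster update --image-policy-config`, and `oci vulnerability-scanning container scan-result list`, and every OCID, repository name and digest in it is a constructed placeholder. Setting `OCI=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Oracle's code): thin wrappers around OCI CLI calls for the
# sign / verify / enforce workflow. All OCIDs, names and digests below are
# constructed placeholders; replace them with your own values.
# Set OCI=echo to print the commands instead of executing them (dry run).
set -eu

OCI="${OCI:-oci}"

# Constructed placeholder values (hypothetical, not real OCIDs).
COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.oc1..exampleuniqueID}"
# Asymmetric RSA key kept in OCI Vault; this is the key the cluster will trust.
KMS_KEY_ID="${KMS_KEY_ID:-ocid1.key.oc1.iad.exampleuniqueID}"
KMS_KEY_VERSION_ID="${KMS_KEY_VERSION_ID:-ocid1.keyversion.oc1.iad.exampleuniqueID}"

# Sign an image (by its image OCID) with the Vault key and upload the
# signature next to it in OCI Registry. $1 = image OCID, $2 = description.
sign_image() {
  "$OCI" artifacts container image-signature sign-upload \
    --compartment-id "$COMPARTMENT_ID" \
    --image-id "$1" \
    --kms-key-id "$KMS_KEY_ID" \
    --kms-key-version-id "$KMS_KEY_VERSION_ID" \
    --signing-algorithm SHA_256_RSA_PKCS_PSS \
    --description "$2"
}

# Fetch the signatures stored for an image and verify them against the keys
# you trust. $1 = repository name, $2 = image digest. Pass the digest, not a
# tag: a tag is a mutable pointer, the digest is the content hash the
# signature covers. --trusted-keys takes a JSON list of key OCIDs.
verify_image() {
  "$OCI" artifacts container image-signature get-verify \
    --compartment-id "$COMPARTMENT_ID" \
    --repository-name "$1" \
    --image-digest "$2" \
    --trusted-keys "[\"$KMS_KEY_ID\"]"
}

# Enable the cluster's image verification policy so that only images signed
# by the listed Vault key(s) can be deployed. $1 = cluster OCID.
enforce_cluster_policy() {
  "$OCI" ce cluster update \
    --cluster-id "$1" \
    --image-policy-config \
      "{\"isPolicyEnabled\": true, \"keyDetails\": [{\"kmsKeyId\": \"$KMS_KEY_ID\"}]}"
}

# List container scan results in the compartment (scanning must already be
# enabled on the repository). Use --help for repository and severity filters.
list_scan_results() {
  "$OCI" vulnerability-scanning container scan-result list \
    --compartment-id "$COMPARTMENT_ID"
}

main() {
  sign_image "$1" "release build"
  verify_image "$2" "$3"
  enforce_cluster_policy "$4"
  list_scan_results
}

# Usage: ./ocir-sign.sh <image-ocid> <repository-name> <sha256:digest> <cluster-ocid>
if [ $# -eq 4 ]; then
  main "$@"
fi
```

Run `verify_image` with the digest you intend to deploy and inspect the JSON the CLI returns before promoting the image; with the cluster policy enabled, an image that carries no signature from a listed key is rejected at deployment time, so keep the `keyDetails` list in step with any key rotation in OCI Vault or deployments will start failing.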

For more information see: