Container Image Targets

Use Oracle Cloud Infrastructure Vulnerability Scanning Service to create and manage container image targets and to assign them to container image scan recipes. A container image target is a collection of repositories in Container Registry that you want scanned for security vulnerabilities.

Note

You can configure image scanning and view results using either:

Container Registry lets you share and manage container images (such as Docker images) by storing them in repositories. A repository is a named collection of related images that are grouped for convenience. During the deployment of an application to a Kubernetes cluster, one or more images can be pulled from a repository to start containers on the cluster.

When you create a new repository in Container Registry, image scanning is enabled by default on the repository. Every time an image is pushed to the repository, it is scanned for security vulnerabilities. Container Registry automatically rescans any images in the repository that have changed since the previous scan. You can also disable image scanning on a particular repository.

You have two options when selecting the repositories for a target.

  • Scan one or more specific repositories within a compartment.
  • Scan all repositories within a compartment and its subcompartments.

If you create a target for the root compartment, then all repositories in the entire tenancy are scanned.

When a target is created, the Scanning service scans a specified initial number of images in the target repositories (one image by default). After this initial scan, the Scanning service also scans any new image that is pushed to the target.

The Scanning service saves the results for an image repository in the same compartment as the repository's Scanning target.

Consider the following example.

  • The repository MyRepo in Container Registry is in CompartmentA.
  • MyRepo is specified in Target1.
  • Target1 is in CompartmentB.
  • All reports related to MyRepo are in CompartmentB.

Required IAM Policy for Image Scanning

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you're supposed to work in.

For example, to allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps

Grant the Scanning service permission to pull images from Container Registry.

To grant this permission for all images in the entire tenancy:

allow service vulnerability-scanning-service to read repos in tenancy
allow service vulnerability-scanning-service to read compartments in tenancy

To grant this permission for all images in a specific compartment:

allow service vulnerability-scanning-service to read repos in compartment <compartment_name>
allow service vulnerability-scanning-service to read compartments in compartment <compartment_name>

For more information and examples, see:

Creating a Container Image Target

Use the Console to create a container image scan target.

At least one container image scan recipe must be in your tenancy before creating a target. See Container Image Scan Recipes.

Give the Scanning service permission to pull images from Container Registry before creating a target. See Required IAM Policy for Image Scanning.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment in which you want to create the target.
    Note

    The repositories that you assign to this target can be in a different compartment than the target.
  3. Click the Container image tab.
  4. Click Create.
  5. Enter a Name and Description for the target.

    Avoid entering confidential information.

  6. Select a Scan recipe for the target.
  7. Select the Repository compartment that contains the Container Registry repositories you want to scan.
  8. Choose repositories for this target.
    • All repositories in the selected target compartment and its subcompartments
    • Selected repositories in the selected target compartment - Select individual repositories.

    You can't create a target with a repository that is already specified in another target.

  9. (Optional) Assign tags to the target. Click Show Advanced Options.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you aren’t sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

  10. Click Create.

After creating a target, the Scanning service checks the images in the selected repositories for security vulnerabilities. You can view the results of these scans in reports:

You can also use Cloud Guard to view the results of your scans. See Scanning with Cloud Guard.

Updating a Container Image Target

Use the Console to update an existing container image scan target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the Container image tab.
  4. Click the name of the target.
  5. Click Edit.
  6. Modify any of these settings for your target.
    • Name
    • Description
    • Scan recipe
    • Repository compartment

    Avoid entering confidential information.

  7. Update the repositories for this target.
    • All repositories in the selected target compartment and its subcompartments
    • Selected repositories in the selected target compartment - Select individual repositories.

    You can't update a target with a repository that is already specified in another target.

  8. Click Save changes.
  9. (Optional) Click Tags if you want to manage the tags for this target.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you aren’t sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

Viewing the Repositories for a Container Image Target

Use the Console to view the repositories in Container Registry that are associated with an existing container image scan target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the Container image tab.
  4. Click the name of the target.

    The Repositories table displays.

  5. Click the link for a specific repository to view its details.

Moving a Target to a Different Compartment

Use the Console to move a scan target from one compartment to another.

Moving a target doesn’t also move the cloud resources (compute instances, for example) in the target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the tab for the type of target that you want to move.
    • Hosts (compute)
    • Container image
  4. Click the name of the target.
  5. Click Move Resource.
  6. Choose the destination compartment.
  7. Click Move Resource.

After you move the target to the new compartment, inherent policies apply immediately and affect access to the target through the Console. For more information, see Managing Compartments.

Deleting a Target

Use the Console to delete a target.

Deleting a target doesn’t delete the cloud resources (compute instances, for example) in the target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the tab for the type of target that you want to delete.
    • Hosts (compute)
    • Container image
  4. Click the name of the target.
  5. Click Delete.
  6. When prompted for confirmation, click Delete.

Using the CLI

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Command Reference.

To list all container image scan targets in a compartment:

oci vulnerability-scanning container scan target list --compartment-id <compartment_ocid>

For example:

oci vulnerability-scanning container scan target list --compartment-id ocid1.compartment.oc1..exampleuniqueID

To view the details of a specific container image scan target:

oci vulnerability-scanning container scan target get --container-scan-target-id <target_ocid>

For example:

oci vulnerability-scanning container scan target get --container-scan-target-id ocid1.vsscontainerscantarget.oc1..exampleuniqueID

To create a container image scan target:

oci vulnerability-scanning container scan target create --display-name <name> --compartment-id <create_in_compartment_ocid> --container-scan-recipe-id <recipe_ocid> --target-registry '{"type": "OCIR", "url": "https://<region_key>.ocir.io", "compartmentId": "<repository_compartment_ocid>", "repositories": ["<repository_name>"]}'
  • <region_key> is the key for the Container Registry region that you're using. See Availability by Region.

  • For repositories, you can provide a list of repository names. If repositories isn’t specified, then all repositories in the compartment are scanned.

For example:

oci vulnerability-scanning container scan target create --display-name "MyTarget" --compartment-id ocid1.compartment.oc1..exampleuniqueID --container-scan-recipe-id ocid1.vsscontainerscanrecipe.oc1..exampleuniqueID --target-registry '{"type": "OCIR", "url": "https://syd.ocir.io", "compartmentId": "ocid1.compartment.oc1..exampleuniqueID", "repositories": ["myrepo"]}'
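Because the service rejects a target whose repository is already specified in another target, a pre-flight check over the output of the list command saves a failed create. The Python below is an added example, not code from the OCI documentation or the OCI CLI; it assumes the list response has the shape {"data": {"items": [{"target-registry": {...}}]}} with kebab-case keys, uses a constructed sample rather than a real response, and does not walk subcompartments.

```python
import json
import shlex

# Constructed sample of 'target list' output. The kebab-case keys under
# "target-registry" are an assumed shape for the list response, not a capture.
EXISTING_TARGETS_JSON = json.dumps({"data": {"items": [
    {"display-name": "Target1", "id": "ocid1.vsscontainerscantarget.oc1..exampleA",
     "target-registry": {"type": "OCIR", "url": "https://syd.ocir.io",
                         "compartment-id": "ocid1.compartment.oc1..compartmentA",
                         "repositories": ["myrepo", "web-api"]}},
    {"display-name": "Target2", "id": "ocid1.vsscontainerscantarget.oc1..exampleB",
     "target-registry": {"type": "OCIR", "url": "https://syd.ocir.io",
                         "compartment-id": "ocid1.compartment.oc1..compartmentB",
                         "repositories": []}},  # omitted/empty = all repositories
]}})


def repositories_covered(registry):
    """Return (repository compartment, set of names or None); None means every
    repository in that compartment, which is what an omitted "repositories" list
    means. Accepts the camelCase input key and the kebab-case output key."""
    compartment = registry.get("compartmentId", registry.get("compartment-id"))
    repos = registry.get("repositories") or []
    return compartment, (set(repos) if repos else None)


def find_conflicts(existing_list_json, planned_registry):
    """Names of existing targets that already specify a repository the planned
    target would also cover. Sub-compartments are not walked (simplification)."""
    compartment, planned = repositories_covered(planned_registry)
    conflicts = []
    for item in json.loads(existing_list_json)["data"]["items"]:
        other_compartment, other = repositories_covered(item["target-registry"])
        if other_compartment != compartment:
            continue
        # an all-repositories target overlaps with anything in its compartment
        if planned is None or other is None or planned & other:
            conflicts.append(item["display-name"])
    return conflicts


def build_create_command(name, compartment_id, recipe_id, registry):
    """Assemble the documented create command; the JSON argument is shell-quoted."""
    return " ".join(["oci", "vulnerability-scanning", "container", "scan", "target",
                     "create", "--display-name", shlex.quote(name),
                     "--compartment-id", compartment_id,
                     "--container-scan-recipe-id", recipe_id,
                     "--target-registry", shlex.quote(json.dumps(registry))])
```

Feed it the real output of the list command and the same --target-registry dictionary you intend to pass to create; an empty conflict list means the create should not be rejected for repository overlap.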