Lacework Console - Container Vulnerability

View Vulnerabilities

The Container Vulnerabilities page contains open vulnerabilities and previous vulnerabilities that were fixed. To navigate to this page, select Vulnerabilities > Containers in the Lacework Console.

note

Lacework only reports on a container image if it has permission to access the image.

Scans: Active Images

Select Scans: Active Images from the drop-down list to view images and vulnerabilities that are found on active containers.

  • If you have a Lacework agent installed with a container registry integration assessing the image, the image can then be determined as active or inactive.
  • If you have an Agentless Workload Scanning integration, the image can then be determined as active or inactive (as containers are scanned as part of the Agentless integration).

Scans: All Images

Select Scans: All Images from the drop-down list to view images and vulnerabilities that have been found through CI/CD workflows (for example: Kubernetes Admission Controller), registry integrations, agents and Agentless Workload Scanning integrations.

Statistics / KPIs

When Scans: Active Images is selected, statistics are shown that display the following data:

  • Scanned Active Images - Displays the number of images that are actively being used by containers. Active image data is persisted by Lacework during daily re-evaluations, and reports show when an assessment was last run on an image.
  • Unscanned Active Images - Displays the number of images that are actively being used by containers, but have not been scanned by Lacework. Active image data is persisted by Lacework during daily re-evaluations, and reports show when an assessment was last run on an image.
  • Image Scanning Errors - Displays the number of errors that have occurred during scans of images in integrated repositories.
  • Registry Integration Errors - Displays the number of errors seen when Lacework has tried to integrate with a container registry.
  • Images Monitored by Code Aware Agent - Number of container images on which some package activity was detected within the last 24 hours by a Lacework Agent with active package detection enabled / Number of scanned active images.

tip

Click on any of these statistics (except Registry Integration Errors and Images Monitored by Code Aware Agent) to view the Container Image Information in the Containers dashboard.

Tabs

By default, the list displays vulnerabilities that are grouped by image registry. To change how the list groups vulnerabilities, select a different tab:

  • Image ID
  • CVE
  • Image Registry
  • Image Repo
  • Package Name
  • Package Namespace

Use the search function at the top of the page to find specific text in any of the details available on the page. You can also click the search field to select values and operators to filter your search (these vary depending on the tab you have selected).

Click a field from the search dropdown to apply an operator that helps refine your search (these vary depending on the type of filter).

Filters

You can use the following methods to refine the list of vulnerabilities displayed:

  • Use the search function at the top of the page to find specific text in any of the details for all images.
  • Click the filter dropdowns along the top of the page, select your desired matches and then click Show results to make them active.
    • To remove an active filter, deselect the checkbox in the corresponding filter dropdown and then click Show results.
    • Click Reset in the filter dropdowns or in the row of filters to reset all filters.
    • You can also click on the tags in the vulnerabilities list to use them as filters.

Resource Group

Display vulnerability assessment results for the selected resource groups.

Fixability

tip

This filter functions as an AND operator when paired with one or more Severity levels.

For example, Fixability = Yes and Severity = Critical lists images with at least one CVE that is critical and fixable.

Image ID, Image Registry, and Image Repo tab fixability filter definitions:

  • Yes - The images listed contain fixable packages for the vulnerabilities found.
  • No - The images listed contain unfixable packages for the vulnerabilities found.

Severity

tip

This filter functions as an AND operator when paired with one or more Fixability levels.

For example, Severity = Critical and Fixability = Yes lists images with at least one CVE that is critical and fixable.

Use this filter in the Image ID, Image Registry, and Image Repo tabs to filter results based on the severity of the vulnerabilities found in the container images. Filter based on the following severities:

  • Critical
  • High
  • Medium
  • Low
  • Info

Container Privilege

note

Image ID, Image Registry, and Image Repo tabs: Available for Scans: Active Images only.

Image ID, Image Registry, and Image Repo tab container privilege filter definitions:

  • Privileged - One or more privileged containers are using the images listed.
  • Not Privileged - No privileged containers are using the images listed.

note

CVE tab: Available for both Scans: Active Images and Scans: All Images.

CVE tab container privilege filter definitions:

  • Privileged - One or more privileged containers are affected by the CVEs listed.
  • Not Privileged - No privileged containers are affected by the CVEs listed.

note

Package Name and Package Namespace tabs: Available for Scans: All Images only.

Package Name and Package Namespace tab container privilege filter definitions:

  • Privileged - One or more privileged containers are affected by the CVEs listed.
  • Not Privileged - No privileged containers are affected by the CVEs listed.

Policy Assessment

In the Image ID, Image Registry, and Image Repo tabs, filter for container images that either:

  • Pass - No container policy violations were found on the image in the latest assessment.
  • Fail - One or more container policy violations were found on the image in the latest assessment.

Scanner Type

Internet Exposure

note

Image ID, Image Registry, and Image Repo tabs: Scans: Active Images only.

The vulnerability's internet exposure value is derived from the Exposure Polygraph / Attack Path Analysis feature.

Image ID, Image Registry, and Image Repo tab internet exposure filter definitions:

  • Yes - Matches all images with at least one active container that has been determined as exposed to the internet during the latest Agentless or Agent scan.
  • No - Matches all images with at least one active container that has been determined as not exposed to the internet during the latest Agentless or Agent scan.
  • Unknown - Matches all images with at least one active container where the internet exposure status could not be determined.

Each image assessment contains tags for the internet exposure status and when the status was last updated. The internet exposure status depends on the last update in a given time range (including up to 24 hours prior to the start time).

Package Status

note

Scans: Active Images only

This filter relates to our active package detection feature.

Image ID, Image Registry, and Image Repo tab package status filter definitions:

  • Active - The Lacework Agents monitoring running instances of the container image detected that a process accessed a file in the package in the last 30 days.
  • Inactive - The Lacework Agents monitoring running instances of the container image did not detect any process accessing a file in the package in the last 30 days.
  • Unknown or N/A - Running instances of the container image(s) are not monitored by a Lacework Agent with active package detection enabled. Therefore, the package status cannot be determined.

CVE, Package Name, and Namespace tab package status filter definitions:

  • Active - The Lacework Agents (monitoring at least one instance running the container image) detected that a process accessed a file in the vulnerable package in the last 30 days.
  • Inactive - The Lacework Agents monitoring all running instances of the container image did not detect any process accessing a file in the vulnerable package in the last 30 days.
  • Unknown or N/A - Running instances of the container image(s) shown for this vulnerability are not monitored by Lacework Agents with active package detection enabled. Therefore, the package status for this vulnerability cannot be determined.

Monitored by CAA

Filter for running instances of container images that are monitored by Lacework Agents with active package detection enabled using this filter in the Image ID, Image Registry, and Image Repo tabs.

Filter definitions:

  • Yes - Running instances of the container image are monitored by a Lacework Agent with active package detection enabled, and the agent detected some package activity on the container image within the last 24 hours.
  • No - This can be either of the following:
    • Running instances of the container image are monitored by a Lacework Agent with active package detection enabled, but the agent did not detect any package activity on the container image within the last 24 hours.
    • Running instances of the container image are monitored by a Lacework Agent, but active package detection is not enabled on the agent.
    • Running instances of the container image are not being monitored by a Lacework Agent.

Build ID

note

Scans: All Images only

Filter for build IDs using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: includes) to help constrain your search.

Build Plan Name

note

Scans: All Images only

Filter for build plan names using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: excludes) to help constrain your search.

CVE

Filter for certain vulnerability IDs (CVEs) using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: includes) to help constrain your search.

Hostname

Filter for certain hostnames using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: matches) to help constrain your search.

Image ID

Filter for certain image IDs using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: does not match) to help constrain your search.

Image Registry

Filter for certain image registries using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: starts with) to help constrain your search.

Image Repository

Filter for certain image repositories using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: excludes) to help constrain your search.

Image Tag

Filter for certain image tags using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: includes) to help constrain your search.

User

note

Image ID, Image Registry, and Image Repo tab: Scans: Active Images only.

Filter for certain users (that are running containers) using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: excludes) to help constrain your search.

Pod Namespace

note

Image ID, Image Registry, and Image Repo tab: Scans: Active Images only.

Filter for certain Kubernetes pod namespaces using this filter in the Image ID tab.

The list of available namespaces is retrieved by Lacework Agents monitoring active containers.

K8s Cluster

note

Image ID, Image Registry, and Image Repo tab: Scans: Active Images only.

Filter for Kubernetes cluster names using this filter in the Image ID, Image Registry, and Image Repo tabs.

The list of available cluster names is retrieved by Lacework Agents monitoring active containers.

Machine Tags

note

Image ID, Image Registry, and Image Repo tab: Scans: Active Images only.

Filter for machine tags on nodes the containers run on using this filter in the Image ID, Image Registry, and Image Repo tabs.

The list of available machine tags is retrieved by Lacework Agents monitoring active containers.

Machine tags are metadata associated with the node (for example: AWS Instance metadata).

Package Name

Filter for package names using this filter in the CVE, Package Name, and Package Namespace tabs. Apply an operator (for example: starts with) to help constrain your search.

When searching for package names on images, the results contain both vulnerable and non-vulnerable packages.

Package Namespace

Filter for package namespaces using this filter in the CVE, Package Name, and Package Namespace tabs. Apply an operator (for example: ends with) to help constrain your search.

This can be both operating system and language library namespaces.

Package Type

Filter by package type using this filter in the CVE, Package Name, and Package Namespace tabs. Either Operating System or Library.

Package Version

Filter for certain package versions using this filter in the Image ID, Image Registry, and Image Repo tabs. Apply an operator (for example: includes) to help constrain your search.

Affected Version

Filter for affected versions (of packages) using this filter in the CVE, Package Name, and Package Namespace tabs. Apply an operator (for example: starts with) to help constrain your search.

Fixed Version

Filter for fixed versions (of packages) using this filter in the CVE, Package Name, and Package Namespace tabs. Apply an operator (for example: includes) to help constrain your search.

Current Version

Filter for current versions (of packages) using this filter in the CVE, Package Name, and Package Namespace tabs. Apply an operator (for example: excludes) to help constrain your search.

Exploit Available

Filter to determine whether there is a public exploit available for a vulnerability.

  • Image ID, Image Registry, and Image Repo tab: When set to Yes, the images displayed have at least one vulnerability with a public exploit available.

  • CVE, Package Name, and Package Namespace tab: When set to Yes, the vulnerabilities displayed have a public exploit available.

CVSS Score

Filter for the Common Vulnerability Scoring System (CVSS) score of a vulnerability.

Select a minimum and maximum range between 0 and 10 to apply the filter. Enter the same number for both minimum and maximum to only filter for that number.

  • Image ID, Image Registry, and Image Repo tab: The images displayed contain at least one vulnerability within the CVSS score range specified.

  • CVE, Package Name, and Package Namespace tab: The vulnerabilities displayed are within the CVSS score range specified.

CVSS Vectors

Filter for Common Vulnerability Scoring System (CVSS) vectors relating to a vulnerability using this filter in the CVE, Package Name, and Package Namespace tabs.

The vectors help determine the exploitability, scope, and impact of the vulnerability. Each vector is individually filterable with contextual options.

Remote attack vector

Describes the conditions an attacker must meet to reach the vulnerable component and exploit the vulnerability.

Available options (Local and Physical are not measured in this context):

  • Adjacent Network - The attacker must have access to the same local area network (LAN) as the targeted system to exploit the vulnerability.
  • Network - The vulnerability can be exploited remotely over a network.

Learn more about attack vectors here.

Attack complexity

Measures the level of complexity required for an attacker to exploit the vulnerability.

Available options:

  • High - The vulnerability is difficult to exploit, requiring specialized knowledge, sophisticated tools, or a complex set of conditions to be met before the attack can succeed.
  • Low - The vulnerability can be easily exploited, typically with little or no interaction from the attacker.

Learn more about attack complexity here.

Privileges required

Indicates the privileges an attacker needs to exploit the vulnerability.

Available options:

  • Yes - The attacker needs either administrative/root-level or non-administrative privileges to exploit the vulnerability.
  • No - The vulnerability can be exploited without any special privileges.

Learn more about required privileges here.

User interaction

Assesses whether user interaction is required for the vulnerability to be exploited.

Available options:

  • Required - A successful exploit of the vulnerability requires interaction from either an authenticated user or an unauthenticated user.
  • None - The vulnerability can be exploited without any interaction from any user.

Learn more about user interaction here.

Scope

Defines the extent of impact on the vulnerable component and surrounding components.

Available options:

  • Changed - The vulnerability's exploitation can affect resources beyond the vulnerable component.
  • Unchanged - The vulnerability's exploitation does not impact resources beyond the vulnerable component.

Learn more about scope here.

Availability impact

Assesses the potential impact on service/application availability if the vulnerability is exploited.

Available options:

  • Yes - The vulnerability's exploitation can either cause a partial impact or completely disrupt the availability of the affected service or application.
  • No - The vulnerability's exploitation does not have any impact on the availability of the affected service or application.

Learn more about availability impact here.

Confidentiality/Integrity impact

Evaluates the potential impact on confidentiality and data integrity if the vulnerability is exploited.

Available options:

  • Yes - The vulnerability's exploitation can cause a partial impact or can completely compromise the confidentiality of sensitive data or the integrity of data.
  • No - The vulnerability's exploitation does not have any impact on the confidentiality of sensitive data or the integrity of data.

Learn more about confidentiality impact here and integrity impact here.
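The filter options above are a coarsened view of the CVSS v3.x base metrics (Privileges required collapses Low and High into Yes, the impact metrics collapse Low and High into Yes, and Local/Physical attack vectors are not offered). The following Python is an added example, not Lacework code: it parses a standard CVSS v3.x vector string and maps each base metric onto the filter option names used on this page, so you can check offline which filter combination a given vector would match. The sample vectors are constructed, and the severity bands in severity_from_score are the CVSS v3 qualitative rating scale, assumed here rather than taken from the page.

```python
"""Map CVSS v3.x vector strings onto the CVSS Vectors filter options above.
Added example; not part of Lacework or this documentation."""
import re

# CVSS v3.x base-metric abbreviations as published by FIRST.
_AV = {"N": "Network", "A": "Adjacent Network", "L": "Local", "P": "Physical"}
_AC = {"L": "Low", "H": "High"}
_UI = {"N": "None", "R": "Required"}
_S = {"U": "Unchanged", "C": "Changed"}
_BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

# Vector prefix plus one or more "/METRIC:VALUE" segments.
_VECTOR_RE = re.compile(r"^CVSS:3\.[01](/[A-Z]+:[A-Z])+$")


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a CVSS v3.0/3.1 vector; reject malformed input."""
    if not _VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = dict(part.split(":") for part in vector.split("/")[1:])
    missing = [m for m in _BASE if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def filter_options(vector: str) -> dict:
    """Translate base metrics into the option names the page's filter uses."""
    m = parse_vector(vector)
    av = _AV[m["AV"]]
    return {
        # Local and Physical are not measured by the filter, so they map to None.
        "Remote attack vector": av if av in ("Network", "Adjacent Network") else None,
        "Attack complexity": _AC[m["AC"]],
        # Any privilege level (Low or High) counts as "Yes".
        "Privileges required": "No" if m["PR"] == "N" else "Yes",
        "User interaction": _UI[m["UI"]],
        "Scope": _S[m["S"]],
        # Partial (L) or complete (H) impact both count as "Yes".
        "Availability impact": "No" if m["A"] == "N" else "Yes",
        "Confidentiality/Integrity impact": (
            "No" if m["C"] == "N" and m["I"] == "N" else "Yes"
        ),
    }


def matches(vector: str, wanted: dict) -> bool:
    """True if every requested filter option equals the vector's derived option."""
    opts = filter_options(vector)
    return all(opts.get(name) == value for name, value in wanted.items())


def severity_from_score(score: float) -> str:
    """CVSS v3 qualitative rating (assumed bands from the CVSS v3 spec; the page
    notes Lacework prefers a vendor-assigned severity when one exists)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0 and 10")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # Constructed sample vector: remotely reachable, no privileges, no interaction.
    sample = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    for name, value in filter_options(sample).items():
        print(f"{name}: {value}")
    print("matches Network + no privileges:",
          matches(sample, {"Remote attack vector": "Network", "Privileges required": "No"}))
```

Because a vector with AV:L or AV:P yields None for Remote attack vector, such vulnerabilities never satisfy a Remote attack vector filter, which mirrors the page's note that Local and Physical are not measured in this context.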

Time Range

To change the time period, select a different one from the drop-down or use the horizontal arrows to move to the next/previous period. Select from the following past periods: hour, day, three days, week, month, or a Custom range.

Only information found during assessment of the specified date range is reported. For example, if 9 days ago a container image was removed from a container repository in the registry and the specified date range is 7 days, this container image is not listed in the table.

Save View

When the page displays your desired vulnerability data, click Save or Create view in the top right corner. This allows you to access the saved view later. You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others so they can see the same view. For more details about saved views, refer to Views Management.

Charts

Open Vulnerabilities

The chart depicts open vulnerabilities. Hover your mouse over the Open vulnerabilities chart to see the vulnerabilities by filtered severity for that date. Hover over the filter icon to see the active filters that are influencing the chart.

note

The Open vulnerabilities chart always displays a minimum of one week's results even if the time range is set to less than a week. You can go back up to three months from today's date.

Charts in the Image ID, Registry, and Repo Tabs

If you select the Image ID, Registry, or Repo tab, a sunburst chart appears in the row for each image name. You can click on the image name/ID for more details. A detailed sunburst chart is displayed on the CVE tab.

info

The numbers of vulnerabilities detailed in the sunburst chart represent only the unique vulnerabilities that Lacework discovers. As one vulnerability can affect multiple packages, the total vulnerabilities in the list can be greater.

Additionally, active filters specific to packages (such as package name, fixed version, etc.) will not influence this chart.

Vulnerabilities List

The vulnerabilities list is below the overview statistics and Open Vulnerabilities chart. The information displayed depends on how the vulnerabilities are grouped.

The vulnerability list allows you to Refresh data, Download CSV, and sort.

Click a tag link to reload the vulnerability list with the tag as the filter.

Download CSV

note

Image IDs with zero vulnerabilities are not listed in the CSV report.

There is a limit of 500,000 rows per report.

Click the Download icon to generate a vulnerability report in CSV format.

The following options are available depending on which tab is selected:

  • When the CVE, Package Name, or Package Namespace tab is selected, the Download option provides the Simplified CSV.
  • When the Image ID, Image Registry, or Image Repo tab is selected, choose from Simplified or Detailed for your CSV report.

Once you have selected the report type, click Start the download. A popup appears once the report is ready to download. You can also view available and in-progress downloads on the Downloads page.

Some reports are compressed in Gzip format; you can decompress them using the following command:

Example
gzip -d 'Container Vulnerabilities Simplified CSV.csv.gz'

Do not use tar as the format will be unrecognized.

Simplified CSV

Your active filters or tags control which Image IDs or CVEs are listed in the CSV report.

Both types list when the last assessment was performed on the Image ID/CVE.

  • Image ID, Image Registry, and Image Repo tab: The CSV is indexed by LW Risk Score and provides details about the image and a summary of the number of vulnerabilities found (categorized by severity and fixability). CSV columns:
    • RISK_SCORE - LW Risk Score for the image.
    • RISK_INFO - Lacework internal.
    • IMAGE_REGISTRY - The image registry.
    • IMAGE_REPO - The image repository.
    • IMAGE_REPOS - If the image is found in multiple repositories, they are listed here.
    • IMAGE_TAGS - The image tags.
    • ALL_IMAGE_TAGS - If the image is found in multiple repositories, the image tags are listed here.
    • NUM_VULNERABILITIES_SEVERITY_1 - Number of Critical vulnerabilities found on the image.
    • NUM_VULNERABILITIES_SEVERITY_2 - Number of High vulnerabilities found on the image.
    • NUM_VULNERABILITIES_SEVERITY_3 - Number of Medium vulnerabilities found on the image.
    • NUM_VULNERABILITIES_SEVERITY_4 - Number of Low vulnerabilities found on the image.
    • NUM_VULNERABILITIES_SEVERITY_5 - Number of Info vulnerabilities found on the image.
    • NUM_VULNERABILITIES_FIX_SEVERITY_1 - Number of Critical and Fixable vulnerabilities found on the image.
    • NUM_VULNERABILITIES_FIX_SEVERITY_2 - Number of High and Fixable vulnerabilities found on the image.
    • NUM_VULNERABILITIES_FIX_SEVERITY_3 - Number of Medium and Fixable vulnerabilities found on the image.
    • NUM_VULNERABILITIES_FIX_SEVERITY_4 - Number of Low and Fixable vulnerabilities found on the image.
    • NUM_VULNERABILITIES_FIX_SEVERITY_5 - Number of Info and Fixable vulnerabilities found on the image.
    • START_TIME - The start time of the latest scan of the image.
    • IMAGE_SCAN_STATUS - Whether the image was successfully scanned or not.
    • IMAGE_SCAN_ERROR_MSG - Any error message relating to an unsuccessful scan of the image.
    • IMAGE_STATUS - Whether the image has been found running on an active container or not.
    • IMAGE_ID - The SHA-256 identifier of the image.
    • EVAL_GUID - Lacework internal.
    • IMAGE_CREATED_TIME - When the image was created in the repository.
    • IMAGE_DIGEST - The SHA-256 digest of the image.
    • IMAGE_SIZE - The image size in bytes.
    • ENVIRONMENT_TAGS - Tags of the environment where the scan took place (for example, the Inline Scanner host).
    • NUM_FIXES - Number of fixable vulnerabilities found on the image.
    • NUM_EXCEPTION - Number of vulnerability exceptions applied to the image.
    • POLICY_STATUS - Whether there is a policy violation on the image or not.
    • REQUEST_SOURCE - Scanner Type.
    • CAA_ENABLED - Whether active package detection is enabled or disabled on the Lacework agents monitoring running instances of the container image.
  • CVE, Package Name, and Package Namespace tab: The CSV is indexed by Affected images and provides details on the vulnerability and affected package. CSV columns:
    • Age of public exploit - The age of the public exploit related to the vulnerability.
    • Affected images - The number of unique images affected by the vulnerability.
    • Vulnerability ID - The identifier for the vulnerability.
    • PACKAGE - Details about the vulnerability for the affected package.
    • PACKAGE_TAGS - Same as PACKAGE.
    • LAST ASSESSMENT - The time and date when the vulnerability was last found on an affected image during a scan.
    • Impact Score - LW Risk Score for the vulnerability.
    • Exploit available - Whether there is a public exploit available for this vulnerability or not.
    • Age of public exploit tooltip - The date that the public exploit was published for this vulnerability in MM/DD/YY format.

Detailed CSV

Your active filters or tags control which Images are listed in the CSV report.

The Detailed CSV is indexed by Image ID and lists details on all the CVEs applicable to the Image ID in each row.

CSV columns:

  • IMAGE_ID - The SHA-256 identifier of the image.
  • VULN_ID - The identifier for the vulnerability. If \N is displayed, then the package version on the specified filepath has no vulnerability associated with it.
  • SEVERITY - The severity of the vulnerability.
  • STATUS - Status of the vulnerability:
    • EXCEPTION = Vulnerability Exception applied.
    • VULNERABLE = No Vulnerability Exception applied.
    • GOOD = No Vulnerability found for the package version on the specified filepath.
  • FIX_AVAILABLE - Whether a fix is available for the vulnerability:
    • 1 = Fix available.
    • 0 = No fix available.
  • PACKAGE_NAME - The package name where the vulnerability was found.
  • PACKAGE_NAMESPACE - The package namespace where the vulnerability was found.
  • PACKAGE_FILEPATH - The package file path on the host (if available).
  • CURRENT_VERSION - The current version of the affected package.
  • FIXED_VERSION - The fixed version of the affected package.
  • IMAGE_REGISTRY - The image registry.
  • IMAGE_REPO - The image repository.
  • IMAGE_REPOS - If the image is found in multiple repositories, they are listed here.
  • IMAGE_DIGEST - The SHA-256 digest of the image.
  • IMAGE_TAGS - The image tags.
  • ALL_IMAGE_TAGS - If the image is found in multiple repositories, the image tags are listed here.
  • NDV_CONTAINERS - Number of active containers using the image.
  • INTERNET_EXPOSURE - Whether one or more containers using this image have been exposed to the internet or not.
  • INTERNET_EXPOSURE_LAST_UPDATED - The last time internet exposure was determined on any containers using this image.
  • RISK_SCORE - LW Risk Score for the image.
  • IMAGE_SCAN_TIME - Lacework internal.
  • IMAGE_CREATED_TIME - When the image was created in the repository.
  • IMAGE_SIZE - The image size in bytes.
  • IMAGE_SCAN_STATUS - Whether the image was successfully scanned or not.
  • IMAGE_SCAN_ERROR_MSG - Any error message relating to an unsuccessful scan of the image.
  • POLICY_STATUS - Whether there is a policy violation on the image or not.
  • PRIVILEGED - Container Privilege:
    • 1 = Privileged.
    • 0 = Not privileged.
  • ENVIRONMENT_TAGS - Tags of the environment where the scan took place (for example, the Inline Scanner host).
  • REQUEST_SOURCE - Scanner Type.
  • EVAL_GUID - Lacework internal.
  • START_TIME - The start time of the latest scan of the image.
  • PACKAGE_STATUS - Whether the package status was determined as active in the last month or not.
  • PACKAGE_LAST_ACTIVE - The date and time of when the package was last determined as active (if it was determined to be active in the last month).
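The Detailed CSV has one row per image/package/CVE combination, so a row-level export must be reduced back to image-level questions such as "which images have at least one fixable critical CVE and run privileged, internet-exposed containers". The Python below is an added example, not Lacework code: it reads a Detailed CSV offline, treats \N in VULN_ID and the GOOD/EXCEPTION statuses as non-findings, and applies the same Fixability-AND-Severity semantics, Container Privilege and Internet Exposure narrowing that the console filters describe. The sample rows, the CVE-EXAMPLE-* identifiers and the Yes/No encoding of INTERNET_EXPOSURE are constructed for the example; the 1/0 encodings of FIX_AVAILABLE and PRIVILEGED and the STATUS values are as documented above.

```python
"""Offline triage of a Lacework Detailed CSV export.
Added example; not part of Lacework or this documentation."""
import csv
import io
from collections import defaultdict

# Constructed sample covering a subset of the Detailed CSV columns.
# The \N row is a package with no vulnerability; the EXCEPTION row has an
# exception applied and therefore is not an open finding.
SAMPLE_CSV = """\
IMAGE_ID,VULN_ID,SEVERITY,STATUS,FIX_AVAILABLE,PACKAGE_NAME,CURRENT_VERSION,FIXED_VERSION,NDV_CONTAINERS,INTERNET_EXPOSURE,PRIVILEGED
sha256:aaa,CVE-EXAMPLE-0001,Critical,VULNERABLE,1,libexample,1.0.0,1.0.1,3,Yes,1
sha256:aaa,CVE-EXAMPLE-0002,High,EXCEPTION,1,libother,2.3.0,2.3.1,3,Yes,1
sha256:aaa,\\N,,GOOD,0,libclean,4.0.0,,3,Yes,1
sha256:bbb,CVE-EXAMPLE-0003,Critical,VULNERABLE,0,libexample,0.9.0,,1,No,0
sha256:bbb,CVE-EXAMPLE-0004,Medium,VULNERABLE,1,libfoo,1.1.0,1.2.0,1,No,0
"""

NO_VULN = "\\N"  # the export writes \N when a package version has no CVE


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def open_findings(rows):
    """Rows that are real, unexcepted findings (STATUS = VULNERABLE, real VULN_ID)."""
    return [r for r in rows if r["VULN_ID"] != NO_VULN and r["STATUS"] == "VULNERABLE"]


def count_by_image(rows, severities=("Critical",), fixable=True):
    """Per image, count open CVEs whose SEVERITY is in `severities`.
    fixable=True keeps FIX_AVAILABLE=1 only, False keeps 0 only, None keeps both,
    which mirrors the Fixability filter ANDed with Severity."""
    counts = defaultdict(int)
    for r in open_findings(rows):
        if r["SEVERITY"] not in severities:
            continue
        if fixable is True and r["FIX_AVAILABLE"] != "1":
            continue
        if fixable is False and r["FIX_AVAILABLE"] != "0":
            continue
        counts[r["IMAGE_ID"]] += 1
    return dict(counts)


def images_matching(rows, severities=("Critical",), fixable=True,
                    privileged=None, internet_exposed=None):
    """Sorted image IDs with at least one matching open CVE, optionally narrowed
    by the image-level Container Privilege and Internet Exposure attributes
    (these are repeated on every row of an image in the export)."""
    hits = count_by_image(rows, severities, fixable)
    result = set()
    for r in rows:
        image = r["IMAGE_ID"]
        if image not in hits:
            continue
        if privileged is not None and (r["PRIVILEGED"] == "1") != privileged:
            continue
        # Assumed Yes/No encoding for INTERNET_EXPOSURE in this constructed sample.
        if internet_exposed is not None and (r["INTERNET_EXPOSURE"] == "Yes") != internet_exposed:
            continue
        result.add(image)
    return sorted(result)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("open findings:", len(open_findings(rows)))
    print("fixable critical per image:", count_by_image(rows))
    print("privileged + exposed with fixable critical:",
          images_matching(rows, privileged=True, internet_exposed=True))
```

Filtering on STATUS first matters: counting every row with a non-empty VULN_ID would include exceptions and inflate the totals compared with what the console shows for the same filters.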

Image ID, Registry, and Repo Tab View

The Image ID, Registry, and Repo tabs allow you to sort by Image Risk, Image Creation Date, Image Repository, Active Containers, or CVE Severity.

When these tabs are selected, the list displays the following information:

Image Assessment Drawer

Click an image name to display detailed assessment results (click the < icon to expand this view to full screen).

Image Assessment - Details

The Details tab contains descriptive information about the image. Click a detail to apply the filter to your list of Vulnerabilities. Click the Image ID tag to filter all active containers with this image.

Image Assessment - CVE (default)

The CVE tab displays a list of vulnerabilities for the image with additional information in columns. This table lets you refresh data, download CSV/PDF, filter, add/remove columns, and search.

Click the filter icon to view the active filters on the table.

You can search for, add, and remove filters to adjust the list of vulnerabilities displayed in the table.

The available columns in the CVE tab are listed below:

  • Vulnerabilities - Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority. Click the More Info icon to view additional details about the CVE. If there is a CVSS v3 score available for the vulnerability, information derived from CVSS Metrics will also be displayed (such as Attack Vector, Access Complexity, etc.). In the More Info window, click the vulnerability ID to open an external link to the tracker page for the vulnerability (if one is available).
  • Severity - Displays the CVE's severity ranking, which is assigned by the vendor or computed from CVSSv3 or CVSSv2 scores (in that order of precedence).
  • CVSS Score - Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. For both CVSS 3.x and CVSS 2.0, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSSv3 scores or CVSSv2 if v3 scores are not available.
  • Vulnerability impact - Displays the Lacework risk score for the vulnerability.
  • Package Name - Displays the operating system package or language package that the vulnerability was found in.
  • Current Version - Displays the current version of the package found on the image.
  • Package status - Whether the package was determined as active in the last month or not.
  • Package last active - The date and time of when the package was last determined as active (if it was determined to be active in the last month).
  • Fix Version - Displays the version of the package where the issue is fixed when a patch is available.
  • Introduced in Layer - Displays the Dockerfile command that applied the package onto the current Docker image. Each Docker container image is made up of a series of layers and each layer is the result of a command.
  • Image Size (hidden by default) - The size of the image affected by the vulnerability.
  • Image Repo (hidden by default) - The repository where the image was found containing the vulnerability.
  • OS Distribution - Displays the operating system and version that the vulnerability is found in.
  • Image Layer (hidden by default) - Displays the image layer digest (sha256) from where the vulnerability is found.
  • Status - Displays a status to state whether the image is affected by this vulnerability. The status will either be VULNERABLE or EXCEPTION.
  • Package Type - Displays the type of package that the vulnerability is found in. Either OS or Library.
  • File Path - If applicable, displays the filesystem path to the vulnerable package source.
  • Exploit available - Whether there is a public exploit available for the vulnerability.
  • Age of public exploit - The age of the public exploit (if it is known).

Next to the filter icon, click the Select columns icon to show/hide columns.

Image Assessment - Packages

The Packages tab displays a list of vulnerable packages found on the image with additional information in columns. This table lets you refresh data, download CSV/PDF, add/remove columns, filter, and search.

Click the filter icon to view the active filters on the table. You can search for, add, and remove filters to adjust the list of packages displayed in the table.

note

If there is more than one vulnerability found on a package, click the dropdown icon to view each vulnerability found on that package.

The available columns in the Packages tab are listed below:

Column | Description
Packages | The vulnerable operating system package or language package found on the image.
Package namespace | The namespace of the vulnerable package.
Package status | Whether the package was determined to be active in the last month.
Package last active | The date and time when the package was last determined to be active (shown only if it was active in the last month).
Risk Score | The Lacework risk score for the package.
Fixable Status | Whether the package is fixable, that is, whether a new or patched version of the package is available.
CVE | The Common Vulnerabilities and Exposures (CVE) identifier assigned to this vulnerability by the CVE Numbering Authority.
Severity | The CVE's severity ranking, which is assigned by the vendor or computed from the CVSS v3 or CVSS v2 score (in that order of precedence).
CVSS Score | The CVSS (Common Vulnerability Scoring System) score for the vulnerability. Hover over the score to see the CVSS version. For both CVSS v3 and CVSS v2 the scale runs from 0 to 10, where 10 is the highest severity. The CVSS v3 score is shown when available, otherwise the CVSS v2 score.
Current Version | The version of the package currently found on the image.
Fix Version | The version of the package in which the issue is fixed (when a patch is available).
File Path | If applicable, the filesystem path to the vulnerable package source.

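The Severity and CVSS Score columns follow two precedence rules: a vendor-assigned severity wins over anything computed from CVSS, and a CVSS v3 score is preferred over a CVSS v2 score. The added example below (not Lacework code) implements those rules over constructed findings and shows the one consequence that is easy to miss when scoring falls back to v2: the CVSS v2 qualitative scale has no Critical band, so a v2-only 9.3 displays as High, not Critical. The field names `vendor_severity`, `cvss_v3` and `cvss_v2` are assumptions for the sample records.

```python
"""Resolve displayed CVSS score and severity for a finding.

Added example, not Lacework code. Precedence follows the column descriptions:
severity = vendor rating, else rating derived from CVSS v3, else from CVSS v2;
CVSS score = v3 if present, else v2. Finding field names are assumed.
"""
from typing import Dict, Optional, Tuple

# Qualitative rating scales published with CVSS. v3.x rates 0.0 as "None" and
# adds a Critical band; v2 (as rated by NVD) tops out at High.
V3_BANDS = [(0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical")]
V2_BANDS = [(0.0, "Low"), (4.0, "Medium"), (7.0, "High")]

Finding = Dict[str, object]


def _rate(score: float, bands) -> str:
    """Map a numeric score onto the highest band whose floor it reaches."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    label = "None"
    for floor, name in bands:
        if score >= floor:
            label = name
    return label


def resolve_cvss(finding: Finding) -> Optional[Tuple[float, str]]:
    """(score, version) for the CVSS Score column: v3 first, then v2, else None."""
    for key, version in (("cvss_v3", "v3"), ("cvss_v2", "v2")):
        score = finding.get(key)
        if score is not None:
            return float(score), version
    return None


def resolve_severity(finding: Finding) -> str:
    """Severity column: vendor rating, else rating derived from the chosen CVSS score."""
    vendor = finding.get("vendor_severity")
    if vendor:
        return str(vendor).capitalize()
    resolved = resolve_cvss(finding)
    if resolved is None:
        return "Unknown"
    score, version = resolved
    return _rate(score, V3_BANDS if version == "v3" else V2_BANDS)


# Constructed sample findings (placeholder IDs, not real CVEs).
SAMPLE_FINDINGS = [
    {"id": "example-1", "vendor_severity": "high", "cvss_v3": 5.3},   # vendor overrides v3 Medium
    {"id": "example-2", "cvss_v3": 9.8, "cvss_v2": 7.5},              # v3 preferred over v2
    {"id": "example-3", "cvss_v2": 9.3},                              # v2 only: High, no Critical band
    {"id": "example-4"},                                              # nothing to score
]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["id"], resolve_cvss(f), resolve_severity(f))
```

When triaging a v2-only finding, treat the 9.x score, not the High label, as the signal; filtering on Severity alone would rank it below a v3 Critical with a lower numeric score.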
Image Assessment - Policies

The Policies tab lists any active container vulnerability policies that apply to the image.

CVE, Package Name, and Package Namespace Tab View

When the CVE, Package Name, or Package Namespace tab is selected, all active and non-active images are shown. Use the dashboard filters to change which affected images are shown on the list.

The CVE, Package Name, and Package Namespace tabs allow you to sort by Vulnerability Impact / Package Risk (default), Severity, CVSS Score, Vulnerability ID, Affected Images, or Age of exploit.

When these tabs are selected, the list displays the following information:

tip

Use the Package type filter to list either OS or Library packages.

CVE Assessment Drawer

Click a Vulnerability ID to display detailed assessment results (click the < icon to view this drawer in full screen).

CVE Assessment - Details

The Details tab contains descriptive information about the vulnerability. Click a detail to filter the vulnerability list based on the detail.

If a CVSS v3 score is available for the vulnerability, additional information derived from the CVSS v3 metrics (such as Attack Vector, Attack Complexity, and Privileges Required) is displayed.

CVE Assessment - Images (default)

The Images tab displays a list of image names where the vulnerability was found with additional information in columns. This table lets you refresh data, download as CSV/PDF, select which columns to display, and search.

note

The list of images shown for the CVE depend on which tab is selected:

  • All Images - The number of images listed in the table matches the Affected images count.
  • Active Images - Only active images that are affected by the CVE are listed in the table.

The available columns in the Images tab are listed below:

Column | Description
Image Name | The name of the image in which the vulnerability was found. The image name may be presented in the format repository-name:image-name.
Repository (hidden by default) | The repository where the vulnerable image was found.
Image Tags (hidden by default) | The image tag affected by the vulnerability.
Image ID | The sha256 hash generated for this image. Click the Copy to clipboard icon to copy the image ID.
Image Created Time | When the image was created in the repository.
Last Assessment (hidden by default) | When Lacework last assessed the image for vulnerabilities.
Active Containers | The total number of unique, active containers that ran from this image. See Active Images for how active containers are determined.
Image Risk | The Lacework risk score for the image. A higher score indicates more risk/impact from the discovered vulnerabilities.
Status | The vulnerability status of the image: VULNERABLE or EXCEPTION.

Vulnerability Continuous Assessment

Lacework continuously reassesses container images for new vulnerabilities. By default it reassesses all known images; you can change this globally and restrict reassessment to active images.

  1. Go to Settings > General in the Lacework Console to display the General Settings page.
  2. Scroll down to the bottom of the page to configure Continuous Assessments.
  3. Under Continuous Assessments, enable Reassess active images to reassess only images that were active in the past 24 hours.