About Vulnerability Management (VM)
Note
This feature is in the Preview stage. To get access, contact tech support or your account manager.
Vulnerability Management is a tool for centralized management of container image vulnerability scanning and for viewing scan results within your workspace.
It detects vulnerabilities in container images stored in Container Registry and Cloud Registry and in images run in Managed Service for Kubernetes clusters.
Image scanning
Vulnerability Management supports scanning container images from the following sources:
- Yandex Container Registry, the Docker image storage and distribution service.
- Yandex Cloud Registry, the artifact storage and distribution service for artifacts of different types, including container images.
- Kubernetes clusters monitored by Kubernetes® Security Posture Management (KSPM).
Scan triggers
Image scanning can start automatically on one of the following triggers:
- Image push: Scanning starts automatically when you push a new image to Container Registry or Cloud Registry.
- Scheduled run: Scanning starts from time to time according to a schedule. The scan covers all images in the registries, including those added after the previous scan.
- Image use: Scanning starts automatically when you create a new Managed Service for Kubernetes cluster or container with an image in an existing cluster.
You can combine the triggers for maximum scan coverage.
Scanning images in Kubernetes clusters
When integrated with KSPM, Vulnerability Management automatically detects images running in Managed Service for Kubernetes clusters assigned to the workspace.
With the scheduled scan trigger on, the scanning of Kubernetes cluster images works like a filter: each run generates a list of images which are then scanned.