Creating an assurance policy

Rights to manage security policy settings are required to add a security policy in Kaspersky Container Security.

To add an assurance policy:

  1. In the Policies → Assurance policy section, click the Add policy button.

    The policy settings window opens.

  2. Enter a policy name and, if required, policy description.
  3. In the Scope field, select the scope for the image security policy from the available options.

    If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

  4. Specify the actions that Kaspersky Container Security should perform in accordance with the policy:
    • Fail CI/CD step—if the Kaspersky Container Security scanner, while scanning the image in the CI/CD pipeline, detects threats that match the severity level specified in the policy, the scan ends with an error (Failed). This result is transferred to the CI system.
    • Label images as non-compliant—Kaspersky Container Security labels images containing detected threats that meet the criteria specified in the policy.
  5. Under Vulnerability level, use the Disabled / Enabled toggle switch to configure the scan by severity level as follows:
    • Set the assigned severity level based on the vulnerability databases. To do this, you need to select one of the following options:
      • Severity level – you must select a severity level from the drop-down list.
      • Score – you must specify a severity score from 0 to 10.
    • If you want the scan to skip certain vulnerabilities, use the check boxes to configure the following:
      • Ignore vulnerabilities without a fix if you do not want the assurance policy to trigger on vulnerabilities for which the vendor has not released a fix.
      • Ignore specific vulnerabilities if you do not want the assurance policy to trigger on vulnerabilities that you specify in the field below.
  6. Under Specific vulnerabilities, use the Disabled / Enabled toggle switch to configure blocking on specific vulnerabilities, and list those vulnerabilities in the Vulnerabilities field.
  7. In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image.
  8. In the Sensitive data section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the sensitive data severity level.
    • Select the sensitive data severity level from the Severity level drop-down list.

      The severity level is assigned based on the vulnerability databases.

  9. In the Misconfigurations section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the misconfiguration severity level.
    • Select the misconfiguration severity level from the Severity level drop-down list.

      The severity level is assigned based on the vulnerability databases.

  10. Under Packages, use the Disabled / Enabled toggle switch to configure the scan for specific resources or resource versions in images. If the solution detects packages with the specified resources during scanning, such packages are blocked. To perform the scan, specify the following:
    1. In the Resource field, enter the resource name.
    2. In the drop-down list, select an operator to apply to the version. The following options can be selected:
      • Any version (default)
      • = (equal to)
      • != (not equal to)
      • < (less than)
      • > (more than)
    3. In the Version field, specify the version of the resource. You do not need to specify the version if you select the Any version operator.

    If necessary, you can click the Add resource button to add a resource package field set to be scanned. The maximum number of field sets is 100.

  11. Under Permitted OS, use the Disabled / Enabled toggle switch to configure the scan for images whose operating system is not permitted. If, during the scan, the solution detects an image with a non-permitted operating system, that image is blocked. To perform the scan, specify the following:
    1. In the Allowed OS drop-down list, select an operating system.
    2. In the Version field, specify the version of the operating system. If no version is specified, all versions are checked for the selected operating system.

    If necessary, you can click the Add OS button to add a version of the operating system to be used when scanning. The maximum number of versions is 100.

  12. Click Save.

By default, the added policy is Enabled.
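The following is an added example, not Kaspersky Container Security code: a small Python model of how the Vulnerability level, Specific vulnerabilities, Packages and Permitted OS settings described above combine into a compliant / non-compliant decision for one scanned image. The severity names, the precedence of a blocked vulnerability over the ignore options, the scan-result field names and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale
VERSION_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def parse_version(v):
    # "1.2.10" -> (1, 2, 10) so that < and > compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

@dataclass
class Policy:
    min_severity: Optional[str] = None     # Vulnerability level: Severity level option
    min_score: Optional[float] = None      # Vulnerability level: Score option (0..10)
    ignore_unfixed: bool = False           # Ignore vulnerabilities without a fix
    ignored_cves: set = field(default_factory=set)        # Ignore specific vulnerabilities
    blocked_cves: set = field(default_factory=set)        # Specific vulnerabilities section
    blocked_packages: list = field(default_factory=list)  # Packages: (resource, operator, version)
    permitted_os: list = field(default_factory=list)      # Permitted OS: (name, version or None)

def evaluate(policy, scan):
    """Return the list of violations; an empty list means the image is compliant."""
    violations = []
    for v in scan["vulnerabilities"]:
        if v["id"] in policy.blocked_cves:  # assumed: an explicitly blocked vulnerability is never ignored
            violations.append(f"blocked vulnerability {v['id']}")
        elif v["id"] in policy.ignored_cves or (policy.ignore_unfixed and not v["fixed_version"]):
            continue
        elif ((policy.min_severity and SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[policy.min_severity])
              or (policy.min_score is not None and v["score"] >= policy.min_score)):
            violations.append(f"{v['id']} ({v['severity']}, score {v['score']})")
    for resource, op, version in policy.blocked_packages:
        for pkg in scan["packages"]:
            # "any" is the default operator: no version is entered and every version matches
            if pkg["name"] == resource and (op == "any" or
                    VERSION_OPS[op](parse_version(pkg["version"]), parse_version(version))):
                violations.append(f"package {resource} {pkg['version']} matches {op} {version}")
    if policy.permitted_os:  # no OS listed -> the Permitted OS check is disabled
        os_name, os_version = scan["os"]
        if not any(n == os_name and ver in (None, os_version) for n, ver in policy.permitted_os):
            violations.append(f"OS {os_name} {os_version} is not permitted")
    return violations
# Constructed sample scan result and policy; the CVE ids are placeholders, not real identifiers.
SAMPLE_SCAN = {"os": ("alpine", "3.18"),
    "packages": [{"name": "openssl", "version": "1.1.1"}, {"name": "curl", "version": "8.4.0"}],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "critical", "score": 9.8, "fixed_version": "1.1.2"},
        {"id": "CVE-EXAMPLE-0002", "severity": "high", "score": 7.5, "fixed_version": None},
        {"id": "CVE-EXAMPLE-0003", "severity": "medium", "score": 5.0, "fixed_version": "8.5.0"}]}
SAMPLE_POLICY = Policy(min_severity="high", ignore_unfixed=True,
                       blocked_packages=[("openssl", "<", "3.0.0")], permitted_os=[("alpine", None)])
```

With SAMPLE_POLICY the unfixed high-severity finding is skipped, while the critical finding and the old openssl package are reported, which is the outcome a Fail CI/CD step or Label images as non-compliant action would then act on.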
