The security risks associated with building and deploying applications have dramatically increased in recent years, due to software’s increasingly complex design and ever-increasing speed of innovation (accelerated by the use of a plethora of third-party libraries and components).
Image assurance is a build-time security feature provided in Calico Cloud for assessing and mitigating container and registry image vulnerabilities for cloud-native workloads. Platform operators can continuously scan for vulnerabilities in software before they are deployed to Kubernetes clusters, automatically block deployments that fail to meet security requirements, and quickly assess the risk of deployed applications when new vulnerabilities are discovered.
Continuous build time security
Calico provides a continuous scanning platform and admission controller to discover and block vulnerabilities at build time
Continuous risk mitigation
Calico’s security policy engine ensures that images that fail security requirements never get deployed
Leverage Calico’s Dynamic Service and Threat graph to quickly assess the impact of new vulnerabilities on production workloads
Scan images for vulnerabilities
Calico Cloud provides a scanning engine to continuously assess first and third party images for vulnerabilities. Calico scans images to identify vulnerabilities from databases such as NIST and NVD. Operators can define exceptions for vulnerabilities that are not applicable based on how an affected component may be used.
Runtime view and visualizations
Calico provides a Dynamic Service and Threat graph that correlates image scan results to provide a real-time view of the images running in your Kubernetes clusters, and the potential risk associated with them. This runtime view, combined with visibility into workload communication provides a way for operators to assess the risk of deployed applications as new vulnerabilities are discovered and reported every week.
Active mitigation with Calico security policies
Calico provides security policies that act as compensating controls to mitigate the risk from vulnerabilities until the affected images can be patched. Security policies are critical as the average time to fix vulnerabilities continues to rise.
Automated blocking of vulnerable images with Admission Controller
Calico provides an admission controller that can automatically block the deployment of pods that contain high-severity vulnerabilities. This capability gives operators a way to proactively reduce the risk of vulnerable software being deployed to container platforms and ensure that application teams take the necessary steps to update software and associated images.
How It Works
Learn how Image Assurance can improve the security of your cloud-native workloads.