Image Assurance

Continuously assess first- and third-party images for vulnerabilities and automatically block deployment of images that fail to meet security requirements



The security risks associated with building and deploying applications have dramatically increased in recent years, due to software’s increasingly complex design and ever-increasing speed of innovation (accelerated by the use of a plethora of third-party libraries and components).

Image assurance is a build-time security feature provided in Calico Cloud for assessing and mitigating container and registry image vulnerabilities for cloud-native workloads. Platform operators can continuously scan software for vulnerabilities before it is deployed to Kubernetes clusters, automatically block deployments that fail to meet security requirements, and quickly assess the risk of deployed applications when new vulnerabilities are discovered.


Continuous build time security

Calico provides a continuous scanning platform and admission controller to discover and block vulnerabilities at build time

Continuous risk mitigation

Calico’s security policy engine ensures that images that fail security requirements never get deployed

Runtime visibility

Leverage Calico’s Dynamic Service and Threat graph to quickly assess the impact of new vulnerabilities on production workloads


Scan images for vulnerabilities

Calico Cloud provides a scanning engine to continuously assess first- and third-party images for vulnerabilities. Calico scans images to identify vulnerabilities from databases such as NIST and NVD. Operators can define exceptions for vulnerabilities that are not applicable based on how an affected component may be used.

Runtime view and visualizations

Calico provides a Dynamic Service and Threat graph that correlates image scan results to provide a real-time view of the images running in your Kubernetes clusters and the potential risk associated with them. This runtime view, combined with visibility into workload communication, gives operators a way to assess the risk of deployed applications as new vulnerabilities are discovered and reported every week.

Active mitigation with Calico security policies

Calico provides security policies that act as compensating controls to mitigate the risk from vulnerabilities until the affected images can be patched. Security policies are critical as the average time to fix vulnerabilities continues to rise.

Automated blocking of vulnerable images with Admission Controller

Calico provides an admission controller that can automatically block the deployment of pods that contain high-severity vulnerabilities. This capability gives operators a way to proactively reduce the risk of vulnerable software being deployed to container platforms and ensure that application teams take the necessary steps to update software and associated images.
