Events are not being raised within Lacework for container image vulnerability scans. Vulnerability scans are still occurring as expected.
We need to verify that you have turned on the default policies for these events to start being raised. Navigate to "Policies" and select "Vulnerability" then "container" as a filter.
You should see the following policies returned:
- LW_VULN_53 - New Security Vulnerability
- LW_VULN_54 - Known Security Vulnerability
- LW_VULN_55 - New Security Vulnerability in Repository
- LW_VULN_56 - Severity changes for Security Vulnerability
- LW_VULN_57 - A Fix available for Security Vulnerability
Ensure the policies you want to have events raised for are enabled.
Once the enabled policies have been confirmed, we need to think about your vulnerability scanning workflow.
By default, each of these policies also requires that the image being scanned is active. That is a sensible default, but if you have integrated Lacework into your CI/CD pipeline, or scan an image as soon as it is pushed to your registry, it is a likely cause of the missing events.
If the image is not active at the time Lacework first scans it, these policies will not raise an event.
As a workaround, clone the policies and remove the requirement that the image also be active. On the same policy page, click on one of the policies you want to raise events for.
Select the option to clone the policy below the title, as shown above.
This clones the policy and opens the cloned version for editing. Change the name of the policy to something descriptive. In the example below we have renamed it to "Known Security Vulnerability with active removed".
Switch to the query tab of the policy attributes you are editing and remove the condition line for active. The query should then look like the example below.
Save and enable this policy. Repeat this for any of the default 5 container vulnerability policies as needed.
Once you have cloned and configured the policies you need, enable your new policies and disable the corresponding default policies.
NOTE: Lacework groups identical events into a single event, so multiple image scans within the same hour may appear as one event.