
Images

Lens Pro subscription feature

Kubernetes does not natively provide easy visibility into container images or any vulnerabilities originating from those images running on a cluster. This information is typically distributed among multiple manifest files, resource descriptors, and centralized security scanning dashboards.

The Images feature lets users scan the cluster's images and see the details of any vulnerabilities associated with an image. Lens Desktop provides this feature by embedding Starboard, a security tool that finds and displays risks related to different resources in a Kubernetes-native way.

You can find vulnerabilities using one of the following methods:

  • Centralized cluster scanning
    The Starboard operator must be installed on the cluster to automatically scan the images. Lens simply shows the results of those scans.
  • Manual image scanning
    The Lens Desktop user scans cluster images manually with the embedded version of Starboard.

Images view

You can find the Images view in the Cluster navigation panel. The view contains graphs that show a summary of vulnerabilities and the scanning status of container images running in the cluster. You can also find the list of container images that currently run in a cluster. The table with images displays the following essentials:

  • Platform that an image is running on
  • Number of pods that use the image
  • Number of vulnerabilities by severity level
  • Current image status

Click an image in the table to open the Details panel where you can find more information about the container image.

Platforms display previous and current platforms. Current platforms are blue. Click a platform for details and history.

Vulnerabilities contain a summary and a table of detected image vulnerabilities. The table is interactive: click a vulnerability ID to open more information from one of the vulnerability databases. For example, the details for manual scans are provided by the Aqua Vulnerability Database.

Tip

Image vulnerability data is also available when observing pod and deployment details in the corresponding views.

Centralized automated scanning

Lens Desktop fetches security scan information from the following external tools:

  • Starboard Operator
    With Starboard Operator installed on your cluster, Starboard automatically scans all images in the cluster.
  • MSR
    MSR automatically scans the images hosted in MSR repositories. With access to the MSR API, Lens Desktop can fetch vulnerability scan results from the corresponding database.

Note

The parameters of automatic image scanning depend on Starboard and MSR configurations.

Automated scanning with the Trivy Operator tool

Another way to automate security scanning is to install Trivy Operator:

  1. Navigate Preferences > Kubernetes > Helm Charts and click Add Custom Helm Repo.
  2. In the Add custom Helm Repo dialog, paste the following link into the URL input field: https://aquasecurity.github.io/helm-charts/ and click Add.
  3. In the cluster view, navigate to Namespaces and create the following namespace: trivy-system.
  4. Navigate to Helm > Charts, find and click the trivy-operator chart and, in the following dialog, click Install.
  5. In the Helm Install tab, specify the following parameters and click Install:
    • Namespace: trivy-system
    • Name: <name-of-the-release>

The Trivy Operator scans the namespaces listed in the OPERATOR_TARGET_NAMESPACES parameter; the default value is the blank string (""). See the Configuration article in the official Trivy documentation.
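Both the Starboard Operator and the Trivy Operator store their results as VulnerabilityReport objects in the cluster, and the Images table summarizes those per image (vulnerabilities by severity, number of workloads using the image). The following script is an added example, not Lens or operator code: it builds that per-image summary from constructed reports, deduplicating findings for an image that several workloads share. The report field names (report.artifact, report.vulnerabilities, starboard.resource.* labels) are assumptions about the CRD shape, not taken from this page.

```python
"""Summarize VulnerabilityReport objects per image as the Lens Images table does.
Constructed example: SAMPLE_REPORTS mimics the VulnerabilityReport CRD written by
Starboard / Trivy Operator; field names are assumptions, not taken from this page."""
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

def _report(ns, kind, name, vulns):
    """One constructed report: one container of one workload, image nginx:1.21."""
    return {"metadata": {"namespace": ns, "labels": {
                "starboard.resource.kind": kind, "starboard.resource.name": name}},
            "report": {"registry": {"server": "docker.io"},
                       "artifact": {"repository": "library/nginx", "tag": "1.21"},
                       "vulnerabilities": vulns}}

VULNS = [  # constructed findings, not real CVE data
    {"vulnerabilityID": "EXAMPLE-0001", "severity": "CRITICAL",
     "resource": "libssl", "installedVersion": "1.0", "fixedVersion": "1.1"},
    {"vulnerabilityID": "EXAMPLE-0002", "severity": "LOW",
     "resource": "bash", "installedVersion": "5.0", "fixedVersion": ""},
]
# The same image runs in two workloads, so the operator emits two reports.
SAMPLE_REPORTS = [_report("default", "ReplicaSet", "web-7d9f", VULNS),
                  _report("staging", "ReplicaSet", "web-1a2b", VULNS)]

def image_ref(rep):
    r = rep["report"]
    return f'{r["registry"]["server"]}/{r["artifact"]["repository"]}:{r["artifact"]["tag"]}'

def summarize(reports):
    """Return {image: {"workloads": n, "counts": {severity: n}, "fixable": n}}.
    Findings are keyed by (ID, package) per image, so an image used by several
    workloads is counted once rather than once per report."""
    per_image = {}
    for rep in reports:
        entry = per_image.setdefault(image_ref(rep), {"workloads": set(), "findings": {}})
        lab = rep["metadata"]["labels"]
        entry["workloads"].add((rep["metadata"]["namespace"],
                                lab["starboard.resource.kind"], lab["starboard.resource.name"]))
        for v in rep["report"]["vulnerabilities"]:
            entry["findings"][(v["vulnerabilityID"], v["resource"])] = v
    out = {}
    for img, e in per_image.items():
        counts = {s: 0 for s in SEVERITIES}
        for v in e["findings"].values():
            sev = v.get("severity", "UNKNOWN")
            counts[sev if sev in counts else "UNKNOWN"] += 1
        fixable = sum(1 for v in e["findings"].values() if v.get("fixedVersion"))
        out[img] = {"workloads": len(e["workloads"]), "counts": counts, "fixable": fixable}
    return out
```

On a real cluster the input would come from `kubectl get vulnerabilityreports -A -o json` (the `items` list), which lets you cross-check the counts Lens shows against the operator's raw output.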

Manual scanning

To perform manual scanning:

  1. In the Cluster navigation panel, open the Images tab.
  2. From the images list, select an image you need to scan and click Options > Scan image.