Container vulnerability scans
Container security is critical for maintaining a hardened runtime environment. While IBM provides
security fixes as part of the release process, customers should also proactively assess and mitigate
vulnerabilities identified by their security tools. Container scans often report vulnerabilities,
particularly at the base operating system (OS) and library levels. However, not all reported CVEs
are exploitable or applicable in a specific deployment context. The scan tools are intentionally
broad in detection to highlight possible risks, not confirmed exposures. There may even be false
positives.
Note: Sending raw scan reports to IBM Support is not recommended. For guidance, see Security Vulnerability Reporting Policy for IBM Financial Transaction Manager.
While assessing a container scan report, security professionals responsible for FTM deployments should consider the following factors:
- Applicability
  - Is the vulnerable package used or reachable within the container runtime?
- Exploitability
  - Is there a realistic attack vector in your architecture that might trigger the vulnerability?
- Environmental CVSS Rescoring
  - Adjust the CVSS score based on your risk tolerance, network segmentation, and available compensating controls. For more information, see Vulnerability Scoring System.
- Scan ticket escalation
  - When escalating a support ticket related to container image scans, your security team must provide their analysis and justify the urgency by giving details of the applicability and exploitability of the finding in your environment. This justification helps FTM support expedite security fixes.
- Use runtime security tools to limit container capabilities.
- Monitor exploitation attempts by using intrusion detection systems (IDS) or behavioral anomaly tools.
- Perform a risk assessment.
- Deploy additional security controls if warranted by the reported vulnerabilities, considering the assessed risk to your deployment.
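The applicability, environmental rescoring and escalation items above can be worked through in code. The following is an added example, not IBM or FTM tooling: it implements the CVSS v3.1 base and environmental formulas (weights and the Roundup routine taken from the CVSS v3.1 specification) and uses them to triage a constructed scanner report. The finding list, the `CVE-0000-000x` identifiers, the package names and the runtime inventory `in_use` are all constructed placeholders; the environmental metrics (`MAV:A` for a container reachable only from an adjacent segment, `AR:L` for a low availability requirement) are assumptions chosen to illustrate the rescoring.

```python
"""CVSS v3.1 environmental rescoring and scan-finding triage.
Added example, not IBM FTM tooling; metric weights follow the CVSS v3.1 spec."""
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
# Privileges Required depends on Scope (Unchanged / Changed).
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}                      # CR / IR / AR
TEMPORAL = {"E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
            "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
            "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}}
BASE_KEYS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def roundup(value):
    """CVSS v3.1 Roundup (Appendix A): round up to one decimal, float-safe."""
    i = round(value * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    head, *parts = vector.split("/")
    if head != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    return dict(p.split(":", 1) for p in parts)


def _score(m, reqs=(1.0, 1.0, 1.0), modified=False):
    """Impact + exploitability per spec section 7.1 (base) or 7.3 (environmental)."""
    cr, ir, ar = reqs
    iss = 1 - (1 - cr * CIA[m["C"]]) * (1 - ir * CIA[m["I"]]) * (1 - ar * CIA[m["A"]])
    changed = m["S"] == "C"
    if modified:
        iss = min(iss, 0.915)            # MISS is capped in v3.1
    if not changed:
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    total = impact + expl
    return roundup(min(1.08 * total if changed else total, 10))


def base_score(vector):
    return _score(parse_vector(vector))


def environmental_score(vector, env):
    """env holds modified metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA),
    requirements (CR, IR, AR) and temporal metrics (E, RL, RC); anything
    omitted or set to 'X' falls back to the base vector."""
    base = parse_vector(vector)
    m = {k: base[k] if env.get("M" + k, "X") == "X" else env["M" + k] for k in BASE_KEYS}
    reqs = tuple(REQ[env.get(k, "X")] for k in ("CR", "IR", "AR"))
    inner = _score(m, reqs, modified=True)
    if inner == 0.0:
        return 0.0
    temporal = 1.0
    for k, table in TEMPORAL.items():
        temporal *= table[env.get(k, "X")]
    return roundup(inner * temporal)


def triage(findings, packages_in_use, env):
    """Rank scanner findings for an escalation ticket: findings whose package
    is actually loaded at runtime first, then by environmental score."""
    rows = []
    for f in findings:
        applicable = f["package"] in packages_in_use
        rows.append({
            "cve": f["cve"], "package": f["package"], "applicable": applicable,
            "base": base_score(f["vector"]),
            "environmental": environmental_score(f["vector"], env) if applicable else 0.0,
        })
    return sorted(rows, key=lambda r: (r["applicable"], r["environmental"]), reverse=True)


if __name__ == "__main__":
    VEC = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # scanner reports 9.8
    # Constructed scanner output (placeholder CVE ids, not real findings).
    findings = [{"cve": "CVE-0000-0001", "package": "libexample", "vector": VEC},
                {"cve": "CVE-0000-0002", "package": "unused-tool", "vector": VEC}]
    in_use = {"libexample"}          # constructed runtime inventory of loaded packages
    env = {"MAV": "A", "AR": "L"}    # assumed deployment context (segmented network, low AR)
    for row in triage(findings, in_use, env):
        print(row)
```

The `applicable` flag and the base versus environmental scores are exactly the details the escalation item asks a security team to attach to a ticket: the first finding stays applicable but drops from 9.8 to 8.4 once the adjacent-network reachability and low availability requirement are applied, while the second is scored 0.0 for this deployment because its package is not loaded at runtime.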