Configuring container image granularity keys for Container Vulnerability Response
Summary of Configuring container image granularity keys for Container Vulnerability Response
This guide explains how to configure the granularity keys that determine the creation of Container Vulnerability Response findings, also known as container vulnerable items (CVITs), in ServiceNow. These keys control how imported vulnerability data from third-party scanners is processed and how detailed the findings are, allowing you to assign and manage vulnerabilities at different levels such as cluster, namespace, or service.
Each third-party container vulnerability scanner integration has a dedicated configuration record on the Configure Image Vulnerability Keys table in your ServiceNow instance. By default, findings are generated based on a combination of image repository, vulnerability, and image data, but you can customize this to gain more granular visibility and ownership.
Key Features
- Granularity Levels: You can configure keys for various levels of granularity depending on your container environment:
- AWS Elastic Container Service (ECS): Cluster and Service levels.
- AWS Elastic Kubernetes Service (EKS): Cluster, Namespace, and Service levels.
- Data Sources: Findings can be generated using data from either the third-party scanner payload (Scanner Information) or ServiceNow Discovery (Discovery Information). The choice affects which clusters and services are recognized as the source of truth when creating CVITs.
- Scheduled Jobs: When using Discovery Information, a daily scheduled job pre-imports cluster and service details to ensure accurate CVIT creation. Third-party integrations should be scheduled to run at least four hours after this job completes.
- Configuration Timing: You must update granularity key settings before importing vulnerability data to ensure findings reflect the desired level of detail.
- Historical Data Scope: You can control how far back (1-12 months) the scanner integration searches for image updates using a system property, with a default of 3 months.
- Table Column Updates: The Container Vulnerable Item table columns have been updated to differentiate between Scanner and Discovery data sources for cluster, namespace, and service information.
Practical Application for ServiceNow Customers
By configuring container image granularity keys, you can tailor vulnerability findings to match your organizational structure and operational needs. For example:
- In ECS environments, selecting both Cluster and Service keys allows you to assign ownership and remediation tasks at the service level within each cluster.
- In EKS environments, including Namespace alongside Cluster and Service keys provides even finer granularity, enabling you to manage vulnerabilities per namespace and service.
- Choosing Discovery Information as the data source ensures that CVITs reflect your actual environment as discovered by ServiceNow, which may differ from scanner data alone.
This configuration flexibility enables better visibility, accountability, and efficiency in managing container vulnerabilities across your environment.
Next Steps
- Access the Configure VI Granularity module under Container Vulnerability Response Administration to update key settings.
- Choose the appropriate granularity for your container environment (ECS or EKS) and select the desired data source.
- Schedule and coordinate your third-party scanner data imports with the Discovery data pre-import job if using Discovery Information.
- Adjust the system property controlling the historical data search window to meet your operational requirements.
You can configure the keys that generate Container Vulnerability Response findings (container vulnerable items) to help you determine how and when they are created from imported container vulnerability data.
Overview of Container image vulnerability keys and how they generate findings
When container images are scanned for vulnerabilities, a granularity feature controls how findings (container vulnerable items or CVITs) are created based on keys that you can configure for the Container Vulnerability Response application.
Each third-party container vulnerability scanner integration has its own record on the Configure Image Vulnerability Keys [sn_vul_container_image_vulnerability_keys] table in your ServiceNow AI Platform instance. By default, a finding (CVIT) is created by combining the image repository, vulnerability, and image data imported by a scanner product.
Key granularity can help you view and assign findings at a more granular level by service.
Role required: sn_vul_container.configure_vi_granularity
Terms used for key granularity:
- Vulnerability
- Imported CVE/CWE (Common Vulnerabilities and Exposures, Common Weakness Enumeration) and other third-party vulnerability data that is used to create findings (CVITs) in your instance.
- CVIT
- A container vulnerable item (also referred to as a finding), which is generated by default using Image, Image repository, and Vulnerability data for its key configuration.
- Cluster
- Imported data about a group of machines or working nodes that run containerized applications.
- Namespace
- Imported unique names of resources to isolate them within a single cluster.
- Service
- Containers of application dependencies that let you manage and deploy containerized applications. In this context for key granularity and configuration:
- Elastic Container Service (ECS) environment: Cluster and Service are options for key configuration.
- Elastic Kubernetes Service (EKS) environment: Namespace, Cluster, and Service are options for key configuration.
Each product key has a unique record on the list. The following key configuration hierarchies for the ECS and EKS environments share the same granularity configuration located at .
If you want to configure the key granularity, you must make your changes and update the record before importing data with your third-party integrations.
AWS ECS (Elastic Container Service)
ECS environments are organized into clusters and services, where one cluster can contain multiple services.
- Clusters
- Services
If you configure the key so that it includes the Cluster component (Cluster check box selected on the Configure Image Vulnerability Keys VI Granularity record), one finding (CVIT) is created per cluster. If you select both the Cluster and Service options for the key, a finding (CVIT) is created for every unique cluster/service combination, so remediation ownership can be assigned at a more granular level, by service.
For example, say your environment has two clusters, Cluster 1 and Cluster 2, and four services: Service 1, Service 2, Service 3, and Service 4. The CVITs created by your key selections are shown in the following table.
Cluster and service data can be sourced from either the scanner payload (Scanner Information) or ServiceNow Discovery (Discovery Information). This option can affect how CVITs are created, depending on your key selections.
| Data source | Cluster check box selected | Service check box selected | CVITs created |
|---|---|---|---|
| Scanner Information | x | | Two CVITs are created, one for each cluster: Cluster 1 and Cluster 2. |
| Scanner Information | x | x | Four CVITs are created, one for each unique cluster/service combination across the two clusters and four services. |
| Discovery Information | x | | One CVIT is created for Cluster 3. If Discovery only finds Cluster 3 for this image, only one CVIT is generated regardless of what the scanner knows. |
Note: If Discovery Information is selected as the data source, the source of truth for clusters and services is ServiceNow Discovery, not the scanner payload.
By default, Discovery Information is selected. When Discovery Information is the data source for the key, the [Populate image relationships] scheduled job runs daily to pre-import cluster and service details. Schedule your third-party integration runs to start at least four hours after this job has completed successfully, so that the pre-imported data is available. The job is active by default and runs daily, but you must set its schedule before your scheduled third-party integration imports.
The [sn_vul_container.image_relationship_mapping_months] system property defines how many months back (1-12) your third-party scanner integration searches for container image updates when processing relationship mappings. Images are filtered by their [sys_updated_on] field.
The default is three months (90 days). Unless you change this value, after you configure your scanner integration import, relationship mappings are created only for images that were scanned in the last 90 days and are present among the discovered container images.
Data population
Before ECS support was added in version 30.3 (USEM-compatible) and v2.18 (Core), the Container Vulnerable Item [sn_vul_container_image_vulnerable_item] table had two sets of columns for populated data:
- Image namespace and Image clusters, displayed if the Scanner Information data source is selected for the key configuration.
- Kubernetes Namespaces, Kubernetes Clusters, and Kubernetes Services, displayed if the Discovery Information data source is selected for the key configuration.
With ECS support, the columns are:
- Cluster (Scanner), Namespace (Scanner), and Service (Scanner) if the Scanner Information data source is selected for the key configuration.
- Cluster (Discovery), Namespace (Discovery), and Service (Discovery) if the Discovery Information data source is selected for the key configuration.
On the CMDB Docker container image record on the Discovered Container Image [sn_vul_container_image] table, only Scanner Information is directly populated with the column names listed above.
You can view discovery-based data (cluster/namespace/service) by opening the Docker image record on the Discovered Container Image record. On this record, view the related items/relations section for the data populated by Discovery Information.
AWS EKS (Elastic Kubernetes Service)
On the Configure Image Vulnerability Keys records, there are three additional keys you can add to the default key for EKS environments:
- Namespace
- Registry
- Service
EKS environments have a three-level hierarchy: clusters/namespaces/services. If you select all three levels (cluster + namespace + service), findings are generated at the finest supported granularity. Selecting the data source as either Scanner Information or Discovery Information is supported for EKS.
As an example, say you have Cluster 1, Namespace 1, and two services, Service 1 and Service 2. If you select all three levels, two CVITs are created for the most supported granularity, one for each service.
If, on the other hand, you select Cluster 1 and Namespace 1 for this example, one CVIT is created for one Namespace.
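The ECS table and the EKS example above, worked through as an added example in plain JavaScript. This is not code from ServiceNow or from the Container Vulnerability Response application; it is a model of the key logic the page describes: the default key of image repository, image and vulnerability, the optional Cluster, Namespace and Service components, Discovery as the source of truth when Discovery Information is selected, and the months-back window on [sys_updated_on]. Every record, field name, the image id, the service names and the placeholder vulnerability id are constructed, and the behaviour for an image that Discovery does not know is an assumption of the model, not something the documentation states.

```javascript
// Added example (not ServiceNow code): a model of how granularity key
// selections turn imported scanner findings into distinct CVITs.
// Every record, id and field name below is constructed for illustration.

// Components that every CVIT key contains (the default key).
const DEFAULT_KEY_FIELDS = ['repo', 'image', 'vuln'];

// One imported finding: a placeholder vulnerability id on image img-1,
// as reported by the scanner at a given cluster/namespace/service.
function finding(cluster, namespace, service) {
  return { repo: 'acme/web', image: 'img-1', vuln: 'CVE-PLACEHOLDER-0001',
           cluster, namespace, service };
}

// Constructed ECS scanner payload: two clusters, four services (no namespaces).
const ecsScannerFindings = [
  finding('Cluster 1', '', 'Service 1'),
  finding('Cluster 1', '', 'Service 2'),
  finding('Cluster 2', '', 'Service 3'),
  finding('Cluster 2', '', 'Service 4'),
];

// Constructed EKS scanner payload: one cluster, one namespace, two services.
const eksScannerFindings = [
  finding('Cluster 1', 'Namespace 1', 'Service 1'),
  finding('Cluster 1', 'Namespace 1', 'Service 2'),
];

// Constructed Discovery relationships, keyed by image. Discovery only knows
// img-1 in Cluster 3, whatever the scanner payload says.
const discoveryRelations = {
  'img-1': [{ cluster: 'Cluster 3', namespace: '', service: 'Service 7' }],
};

// Constructed Discovered Container Image records; sys_updated_on is the
// field the mapping window filters on.
const discoveredImages = {
  'img-1': { sys_updated_on: '2024-05-20T10:00:00Z' },
};

// Fixed "now" so the example is deterministic.
const NOW = new Date('2024-06-01T00:00:00Z');

// True if the image was updated within the last `months` months
// (the sn_vul_container.image_relationship_mapping_months window).
function withinMappingWindow(image, months, now) {
  const rec = discoveredImages[image];
  if (!rec) return false;
  const cutoff = new Date(now);
  cutoff.setUTCMonth(cutoff.getUTCMonth() - months);
  return new Date(rec.sys_updated_on) >= cutoff;
}

// Where does this finding's image run? With Discovery Information selected,
// Discovery is the source of truth and the scanner's placement is ignored.
function placementsFor(f, config) {
  if (config.dataSource !== 'Discovery') {
    return [{ cluster: f.cluster, namespace: f.namespace, service: f.service }];
  }
  const rels = withinMappingWindow(f.image, config.mappingMonths, config.now)
    ? discoveryRelations[f.image] || []
    : [];
  // Assumption of this model (not stated in the documentation): an image with
  // no usable Discovery relationship still yields one CVIT on the default
  // key, with empty cluster/namespace/service.
  return rels.length ? rels : [{ cluster: '', namespace: '', service: '' }];
}

// Default key plus the selected granularity components, joined into one string.
function buildCvitKey(f, placement, selectedKeys) {
  const parts = DEFAULT_KEY_FIELDS.map((k) => f[k]);
  for (const k of selectedKeys) parts.push(placement[k] || '');
  return parts.join('|');
}

// Create one CVIT per distinct key. Returns a Map of key -> CVIT record.
function createCvits(findings, config) {
  const cvits = new Map();
  for (const f of findings) {
    for (const p of placementsFor(f, config)) {
      const key = buildCvitKey(f, p, config.keys);
      if (cvits.has(key)) continue; // same key: existing CVIT, no duplicate
      const rec = { key, repo: f.repo, image: f.image, vuln: f.vuln };
      for (const k of config.keys) rec[k] = p[k] || '';
      cvits.set(key, rec);
    }
  }
  return cvits;
}

// Walk through the scenarios from the ECS table and the EKS example.
const scenarios = [
  ['ECS, Scanner, Cluster', ecsScannerFindings, { dataSource: 'Scanner', keys: ['cluster'] }],
  ['ECS, Scanner, Cluster+Service', ecsScannerFindings, { dataSource: 'Scanner', keys: ['cluster', 'service'] }],
  ['ECS, Discovery, Cluster', ecsScannerFindings, { dataSource: 'Discovery', keys: ['cluster'], mappingMonths: 3, now: NOW }],
  ['EKS, Scanner, Cluster+Namespace+Service', eksScannerFindings, { dataSource: 'Scanner', keys: ['cluster', 'namespace', 'service'] }],
  ['EKS, Scanner, Cluster+Namespace', eksScannerFindings, { dataSource: 'Scanner', keys: ['cluster', 'namespace'] }],
];
for (const [label, findings, config] of scenarios) {
  const cvits = createCvits(findings, config);
  console.log(`${label}: ${cvits.size} CVIT(s)`, [...cvits.keys()]);
}
```

The model makes the two points the page relies on visible: the number of CVITs is the number of distinct keys, so adding a component to the key can only split findings further, never merge them; and with Discovery Information selected the scanner's cluster and service values never reach the key at all, which is why a third-party import that runs before the [Populate image relationships] job has refreshed the relationships (or for an image outside the mapping window) cannot produce cluster-level findings.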