Container image scanning for software decomposition

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Container image scanning for software decomposition

    ServiceNow ITOM Visibility integrates with Aqua Trivy to scan container images and OS packages, providing detailed visibility into Kubernetes and Docker containers. This capability helps customers gain control over container deployments by identifying software components inside containers, supporting compliance, policy adherence, and software license management.

    Show full answer Show less

    Key Features

    • Integration with Aqua Trivy: Enables scanning of container images to detect OS packages, software dependencies, and vulnerabilities.
    • Support for ITOM Visibility Apps: Discovery and Service Mapping Patterns and Kubernetes Visibility Agent provide complementary scanning methods tailored to different container environments.
    • Visibility Methods:
      • Discovery and Service Mapping Patterns: Best for self-hosted or cloud Kubernetes and non-Kubernetes Docker containers; supports bearer tokens, cloud credentials, and manual or automatic scheduling.
      • Kubernetes Visibility Agent: Designed for cloud-native app teams in Kubernetes environments; supports AWS ECR repositories; runs near real-time discovery without credential setup.
    • Software Bill of Materials (SBOM) Generation: Provides detailed lists of container image dependencies for compliance and regulatory use cases.
    • Scheduled Scanning: Patterns run scheduled scans at defined intervals, discovering OS packages and mapping relationships between software and container images.
    • Configuration Options: Includes MID Server mapping for private registries, proxy bypass setup for direct registry access, and system properties to manage SBOM duplication.

    Use Cases

    • Security and Compliance: Scan base and final container images (e.g., MSSQL Server) to identify vulnerabilities and software details.
    • Regulatory Compliance: Generate SBOMs to ensure container software complies with industry standards.
    • Defect Investigation in Kubernetes: Identify all Kubernetes pods running a specific custom-built image without requiring scanning via Patterns and Cloud Discovery.
    • Defect Investigation in Non-Kubernetes Docker: Use Docker patterns to discover Docker containers running a specific image.

    Practical Benefits for ServiceNow Customers

    • Improved compliance through detailed visibility into container software components.
    • Enhanced security posture by identifying vulnerabilities in container images before deployment.
    • Streamlined operations with automated and scheduled container scanning integrated into ServiceNow Discovery and Service Mapping workflows.
    • Flexibility to choose scanning methods based on container orchestration platform and environment.
    • Ability to generate and download SBOMs for auditing and governance purposes.

    The ITOM Visibility apps, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent integrate with Aqua Trivy to collect data on container images and OS packages. You can increase your control over container deployment by having visibility to the container components.

    Container image scanning for software decomposition diagram

    Benefits of image scanning

    Scanning your containers gives you visibility into what's inside Kubernetes or Docker containers or OS packages. Scanning images can assist you in multiple ways.
    • It helps you identify software installed in containers for regulatory and compliance use cases.
    • It helps you adhere to company policies like usage of golden images, outdated software, mandatory labels, or configuration policies​.
    • It also helps you manage licensed software running in containers​.
    • You can also get the service context​ by using tags, and service mesh to understand their impact on your organization.

    Image scanning use cases with ITOM Visibility

    You can use two ITOM Visibility apps to scan container images, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent. Patterns is a feature set used by Discovery, Cloud Discovery, and Service Mapping. Kubernetes Visibility Agent is a feature of Agent Client Collector. While Kubernetes Visibility Agent (formerly known as CNO-V) is more suitable for Kubernetes and dynamic containerized workloads, pattern-based discovery is more suitable for non-Kubernetes Docker containers.

    Use case # 1
    Once an application has been packaged up in container images, a security professional can scan the base image, as well as the final image, for vulnerabilities, and identify OS packages, software dependencies, and application records. This is specifically for Containerized MSSQL Server.
    Table 1. Visibility methods for use case # 1
    Visibility methods Method characteristics What's discovered
    Discovery and Service Mapping Patterns and Aqua Trivy:
    • Best suited for self hosted or cloud Kubernetes deployments with access to bearer tokens and credentials.
    • Supports public and self-hosted repository image scanning.
    • Pattern-based discovery without Cloud discovery:
      • Uses a bearer token.
      • Manually created Kubernetes discovery schedule per cluster.
    • Pattern-based discovery with Cloud discovery:
      • No bearer token required.
      • Uses cloud credentials.
      • Automatic creation of Kubernetes discovery schedule.
    • For more information on scanning images using Aqua Trivy, see Scan container images.

    Discovered using Discovery and Service Mapping Patterns:

    • Kubernetes clusters
    • Kubernetes Services
    • Kubernetes topology
    • Docker containers and images
    • Kubernetes deployment including OpenShift
    • Namespace
    • Labels and tags
    • Software in containers
    • Account region details can only be discovered by Cloud Discovery
    • Docker Pattern collects data about specific objects in a Docker engine, running on a Linux host
    For more information, see:
    Kubernetes Visibility Agent and Aqua Trivy:
    • Best suited for deployment by cloud native app teams.
    • Optional ability to monitor Kubernetes with AIOps.
    • For cloud environments, only AWS ECR (Public and Private) is supported.

    Kubernetes Visibility Agent -based discovery doesn't require credential set up, and no need for MID Server. Access is through ServiceAccount/ClusterRole. The installation is via Helm Chart or Kubernetes YAML file. The discovery is run near real-time.

    Use Kubernetes Explorer to download SBOM.

    Discovered using Kubernetes Visibility Agent

    • Kubernetes Namespaces
    • Nodes and Pods
    • Deployments
    • Statefulsets
    • Daemonsets
    • Replicasets
    • Jobs
    • Cronjobs
    • Services
    • Docker container
    • Docker image
    • Container repository
    • Account region details can only be discovered by Cloud Discovery
    Use case #2
    A compliance officer can generate an  SBOM  to obtain a detailed list of the dependencies of the container image and to ensure that the software complies with industry regulations.
    Table 2. Visibility methods for use case #2
    Visibility method Method characteristics
    Kubernetes pattern or Docker pattern SBOM creation is part of the container scanning.
    Kubernetes Visibility Agent SBOM creation is also a part of the container scanning, but using ACC is best suited for organizations that need flexibility to perform both full and continues discovery.
    Use case #3

    An engineer found a defect in a custom-built image and needs to find all Kubernetes pods that are running using that image.

    Table 3. Visibility methods for use case #3
    Visibility method Method characteristics What's discovered
    Kubernetes pattern Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns.
    • Kubernetes Clusters
    • Kubernetes Containers
    • Kubernetes Services
    • Labels
    • Pods
    • Images
    • Tags
    Kubernetes pattern with Cloud discovery Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. All the of the above and account or region details
    Use case #4
    An engineer finds a defect in a custom-built image and needs to find all Docker containers (non Kubernetes) that are running using that image.
    Visibility method Method characteristics What's discovered
    Horizontal Discovery of VM running Docker (Docker pattern) Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. See: Docker virtualization

    Image scanning with Discovery and Service Mapping Patterns

    Kubernetes and Docker patterns integrate with the Aqua Trivy tool and run scheduled jobs to discover container images and OS packages at fixed intervals of 10 images per minute. During the scan, the pattern indicates the scanning status. The pattern discovers OS packages that are related to an image. Then, it finds the image command attributes like the CI class. Based on the command attributes the pattern creates application records. In addition, the pattern uses enriched scripts to add details to the application records. After that, the pattern maps the relations between the OS packages and the containers.

    Part of the data is populated in CMDB tables and part of it in transformation tables (non-CMDB temporary tables). The transformation tables are installed with the pattern. For example, the information you get by scanning includes origin registry, software name, and version.