Defining Vulnerability Exceptions (Beta)
You can flag specific vulnerabilities as exceptions for particular images and containers. This means that although they are detected, they are intentionally left unreported and unaddressed.
Vulnerability exceptions refer to specific vulnerabilities that have been identified within a containerized environment but are intentionally exempted from remediation measures.
Here are a few possible reasons for granting exceptions:
- False Positives: Some vulnerabilities reported may be false positives.
- Third-Party Dependencies: Certain vulnerabilities may exist in third-party libraries or components that are beyond your immediate control.
- Compatibility Issues: Applying a fix for a vulnerability might have other impacts.
Before you begin: Create a list of QIDs that you want to define as an exception. See Creating a List of Vulnerabilities.
- Go to Exceptions > Vulnerability Exceptions, and click Create Exception.
- Enter a name for the exception.
- Select a reason for the exception and then provide an appropriate explanation for it. You can select one of the following options:
  - False Positive: the vulnerability is a false positive.
  - Risk Accepted: the security team decides to tolerate or accept the level of risk associated with the vulnerability.
  - Other: any other reason, such as compliance requirements, patch unavailability, or operational impact.
- Specify start and end dates for the exception, and click Next.
- In Scope Details, to define the scope of the exception, select Image or Container, and then select the images or containers on which the exceptions are to be added.
With Image as the scope, if you add an exception on an image, it is automatically cascaded to containers spawned from the image.
- In Vulnerability List, select a list of QIDs and click Next. You can also create a new vulnerability list on the fly while selecting a list.
You can select only one vulnerability list in an exception.
- Review the details and click Submit.
- The exception applies only to images that were scanned in the last 30 days. If you want to apply an exception to an image that was scanned more than 30 days ago, you need to rescan the image.
- You cannot specify more than 50 exceptions for an image or a container.
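The rules in the steps and notes above (image scope cascading to spawned containers, the start and end dates, the single vulnerability list per exception, the 30-day scan window, and the 50-exception limit) as an added Python model of how findings are filtered; this is illustrative code, not Qualys code, and the class and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

MAX_EXCEPTIONS_PER_ASSET = 50  # documented limit per image or container
SCAN_WINDOW_DAYS = 30          # exceptions apply only to images scanned within 30 days

@dataclass
class VulnException:           # assumed structure, not the product's data model
    name: str
    reason: str                # "False Positive", "Risk Accepted" or "Other"
    start: date
    end: date
    scope: str                 # "Image" or "Container"
    targets: Set[str]          # image IDs or container IDs the exception is added on
    qids: Set[int]             # the single vulnerability list attached to the exception

@dataclass
class Asset:                   # assumed structure, not the product's data model
    asset_id: str
    kind: str                  # "Image" or "Container"
    parent_image: Optional[str]  # image a container was spawned from
    last_scanned: date
    findings: Set[int]         # QIDs detected by the scan

def active_exceptions(asset: Asset, exceptions: List[VulnException], today: date) -> List[VulnException]:
    """Exceptions in scope for the asset and inside their start/end dates."""
    image_id = asset.asset_id if asset.kind == "Image" else asset.parent_image
    applicable = []
    for exc in exceptions:
        if not exc.start <= today <= exc.end:
            continue  # not yet started or already expired
        if exc.scope == "Image" and image_id in exc.targets:
            applicable.append(exc)  # image scope cascades to containers spawned from it
        elif exc.scope == "Container" and asset.kind == "Container" and asset.asset_id in exc.targets:
            applicable.append(exc)
    if len(applicable) > MAX_EXCEPTIONS_PER_ASSET:
        raise ValueError(f"{asset.asset_id}: more than {MAX_EXCEPTIONS_PER_ASSET} exceptions")
    return applicable

def report_findings(asset: Asset, exceptions: List[VulnException], today: date) -> Tuple[Set[int], Set[int]]:
    """Split an asset's findings into (reported, excepted) QIDs."""
    # An image scanned more than 30 days ago must be rescanned before exceptions apply.
    if asset.kind == "Image" and today - asset.last_scanned > timedelta(days=SCAN_WINDOW_DAYS):
        return set(asset.findings), set()
    excepted: Set[int] = set()
    for exc in active_exceptions(asset, exceptions, today):
        excepted |= exc.qids & asset.findings
    return asset.findings - excepted, excepted
```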
Related Links
Searching for Exceptions
Searching in KnowledgeBase