Bitdefender Container Image Scanner
The Bitdefender Container Image Scanner integration relies on the bcst-cli (Bitdefender Cloud Security Tools Command-Line Interface) tool for scanning container images from local tarball archives or directly from container registries. All scan results for container registry images are sent to GravityZone and displayed in Control Center.
Prerequisites
Before running the bcst-cli tool, ensure the following prerequisites are in place:
You have the GravityZone Security for Containers add-on.
The host machine runs a Linux OS on an AMD64 architecture, with glibc support.
The host machine has at least 8 GB of available working space.
Note
By default, the working directory is located at /tmp. To specify a different location, use the --temp-dir option explained in the Configuring the scanner section.
For registry scanning, the container images you intend to scan are hosted in one of the supported registries: AWS ECR, Azure Container Registry, or Google Artifact Registry.
To perform registry scans, you have the appropriate permissions for your specific registry type:
AWS ECR: ecr:GetAuthorizationToken, ecr:DescribeRepositories, ecr:DescribeImages.
Azure Container Registry: AcrPull.
Google Artifact Registry: roles/artifactregistry.reader.
Connecting the scanner to GravityZone
To connect the Bitdefender Container Image Scanner to GravityZone:
Log in to GravityZone Control Center.
Go to the Integrations hub page from the left-side menu.
In the Integrations catalog > Bitdefender Container Image Scanner card, click Configure.
Warning
The Configure button will appear disabled if your user account does not have Network Administrator rights. In this case, contact your GravityZone administrator.
The Create integration page will be displayed.
In the Configuration section, enter a name for the integration.
Make sure all the prerequisites listed in the Check requirements section are fulfilled.
Follow the steps from the Download Bitdefender Scanner section to download and run the command-line tool.
Follow the steps from the Authenticate Bitdefender Scanner section to connect the scanner to GravityZone by configuring the server URL and setting the access token.
Note
To verify the current access token, run this command:
bcst-cli config token view
To verify the current server URL, run this command:
bcst-cli config server view
Click Save.
The Bitdefender Container Image Scanner card will be displayed under Integrations hub > Configured with the Action required status.
Important
Only one Bitdefender Container Image Scanner integration can be configured per company.
Configuring the scanner
Before scanning container images, configure the scanner as follows:
Optional: Set the working directory used for downloading and extracting images and for storing dependencies by running the command below. Its default path is /tmp.
bcst-cli config temp-dir set <path to directory>
Note
To verify the current working directory, run this command:
bcst-cli config temp-dir view
To scan container images from registries, ensure that the correct credentials are configured for the specific registry type:
AWS ECR:
bcst-cli config registry login aws -i <access key ID> \
    -s <secret access key> -r <region>
Options:
-i, --access-key-id: Access Key ID
-s, --secret-access-key: Secret Access Key
-r, --region: Region
Azure Container Registry:
bcst-cli config registry login azr -i <client ID> -s <client secret> \
    -t <tenant ID> -r <registry endpoint>
Options:
-i, --client-id: Client ID
-s, --client-secret: Client Secret
-t, --tenant-id: Tenant ID
-r, --registry-endpoint: Registry endpoint
Important
Do not include the https:// prefix in the registry endpoint.
Google Artifact Registry:
bcst-cli config registry login gcp -c <path to credential JSON file> \
    -p <project ID> -r <region>
Options:
-c, --credential-json-path: Path to the Google Cloud service account key in JSON format
-p, --project-id: Project ID
-r, --region: Region
Scanning container images from tarball archives
To scan an image archive tarball, run this command:
bcst-cli scan image <path to image archive>
Optional parameters:
-o, --output: File path where the scan report will be saved. If not provided, the output is written to standard output.
-f, --format: Format of the scan report. Accepted values: JSON, MD, SARIF.
-n, --report-name: Name of the scan report.
Important
Scan results for container images from tarball archives are not visible in GravityZone Control Center. They are only saved to the specified file path or printed to standard output.
Scanning container images from registries
To scan the last updated image in each repository, use the appropriate command based on the registry type:
AWS ECR:
bcst-cli scan registry aws
Azure Container Registry:
bcst-cli scan registry azr
Google Artifact Registry:
bcst-cli scan registry gcp
Optional parameters for all three commands:
-r, --regex: Repository name regex filter.
-o, --output: Folder path where the scan report will be saved. Defaults to the current directory.
-f, --format: Format of the scan report. Accepted values: JSON, MD, SARIF.
-n, --report-name: Name of the scan report.
-d, --dryrun: Lists images but does not run the scan.
Scan results will be viewable in the Risk management section of GravityZone Control Center.
Note
Once the first scan is performed, the Bitdefender Container Image Scanner card will display the Active status.
To view the date and time of the initial scan, check the Running since field in the Bitdefender Container Image Scanner card.
To verify the date and time of the most recent scan, refer to the Last sync field in the Bitdefender Container Image Scanner card.
For a detailed list of all the performed scans on container images from registries, go to the History logs field in the Bitdefender Container Image Scanner card and click View details.
You can access this log history only if you have Network Administrator rights.
Removing authentication from registries
After completing all the required scans for a registry, log out using the following command:
bcst-cli config registry logout
Removing the integration and uninstalling the scanner
To remove the integration and all its associated settings, go to the Bitdefender Container Image Scanner card displayed under Integrations hub > Configured and click Delete, then click Delete again to confirm the action.
Important
You can remove the integration only if you have Network Administrator rights.
To uninstall the scanner, delete the previously extracted bcst-cli binary and the ~/.bcst-cli.json file.
Editing the integration
To update the settings of your configured Bitdefender Container Image Scanner:
Click its associated card from the Integrations hub > Configured section.
The Edit integration page will be displayed.
If needed, you can update the Integration name. This is the only field you can edit.
Click Save.
Important
You can edit the integration only if you have Network Administrator rights.
Example scenarios
Run an image scan interactively, and view the results in stdout in markdown format.
Prerequisites:
bcst-cli accessible from PATH
Valid access token and server URL from the GravityZone Integrations hub page
Image archive file (obtainable via docker image save)
bcst-cli config server set <server URL>
bcst-cli config token set <token>
bcst-cli scan image <image filepath> -f MD
Run a registry scan on AWS ECR, filtering the repositories containing the keyword deploy.
Prerequisites:
bcst-cli accessible from PATH
Valid access token and server URL from the GravityZone Integrations hub page
AWS IAM credentials with permissions to the registry
bcst-cli config server set <server URL>
bcst-cli config token set <token>
bcst-cli config registry login aws \
    -i <access key ID> -s <secret access key> -r <region>
bcst-cli scan registry aws --regex ".*deploy.*"
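The two scenarios above wrapped in a POSIX sh script that performs the prerequisite checks (tool on PATH, archive exists, 8 GB free in the working directory) before calling the scanner, and lists the matching repositories with --dryrun before a registry scan. This is an added example, not Bitdefender's code; the function names, the df-based free-space check and the SARIF report naming are assumptions about how you would wire the tool into your own pipeline.

```shell
#!/bin/sh
# Wrapper around bcst-cli for the two scenarios above (added example, not
# Bitdefender's code). Assumes bcst-cli is on PATH and that the server URL
# and access token have already been set with `bcst-cli config ...`.

# Succeed if directory $1 has at least $2 KiB free (POSIX `df -Pk`, column 4).
has_free_space() {
    avail_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge "$2" ]
}

# Accept only an existing file with a tarball extension as scan input.
check_image_archive() {
    case $1 in
        *.tar | *.tar.gz | *.tgz) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Scan a tarball and keep a SARIF report beside it. Tarball results are not
# sent to GravityZone, so the file is the only record of the scan.
# $2 is the working directory (default /tmp); 8 GB free is required there.
scan_tarball() {
    archive=$1; workdir=${2:-/tmp}
    command -v bcst-cli >/dev/null 2>&1 || { echo "bcst-cli not on PATH" >&2; return 2; }
    check_image_archive "$archive" || { echo "not an image archive: $archive" >&2; return 3; }
    has_free_space "$workdir" $((8 * 1024 * 1024)) || { echo "need 8 GB free in $workdir" >&2; return 4; }
    bcst-cli config temp-dir set "$workdir" || return 5
    bcst-cli scan image "$archive" -f SARIF -o "$archive.sarif" -n "$(basename "$archive")"
}

# Registry scan on AWS ECR: list the repositories matched by the regex first
# (--dryrun) so the filter can be checked, then scan and keep reports in $2.
scan_ecr_repos() {
    pattern=$1; outdir=${2:-.}
    command -v bcst-cli >/dev/null 2>&1 || { echo "bcst-cli not on PATH" >&2; return 2; }
    mkdir -p "$outdir" || return 3
    bcst-cli scan registry aws --regex "$pattern" --dryrun || return 4
    bcst-cli scan registry aws --regex "$pattern" -f SARIF -o "$outdir"
}
```

Call `scan_tarball image.tar /var/tmp/bcst` or `scan_ecr_repos ".*deploy.*" reports` from a CI job; each function returns a distinct non-zero code for the check that failed.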