Container Image scan feature overview

Summary

Feature Overview
- Discover image OS packages using the Trivy tool and map image OS packages to its containers.
- Identify a suitable CI class for an image based on the image command details.
- Create an application record per container and enrich the application record using container environment variables.
- Existing Docker and Kubernetes patterns are enhanced to collect container environment variables.

Prerequisites
- The family version should be Utah or later. Tokyo or prior family versions do not support this feature.
- Run Kubernetes or Docker discovery to bring in container images.
- MID Server configuration for the image scan feature: the Trivy tool must be installed on the Linux MID Server. Refer to the Trivy documentation below for instructions on how to install Trivy.
  https://aquasecurity.github.io/trivy/v0.43/getting-started/installation/#install-script
- MID Server capability: if you are using a dedicated MID Server, add only the "Scan container images" capability. If you are using a common MID Server, add the All capability. MID Servers with the All capability must meet all the image scan feature prerequisites so that image scanning works properly.
- Enable the image scan feature: set the "sn_itom_pattern.container_image_scan" system property to true (the default value is false).

Content

The "Scan Container Images" scheduled job runs periodically to do the following:
- Create a new record for each cmdb_ci_oslv_image CI in the table sn_itom_pattern_container_image_scan_status. Adding records to the image scan status table can be configured using the system property "sn_itom_pattern.container_image_batch_size".
- Trigger a Scan Container Image pattern for records in sn_itom_pattern_container_image_scan_status whose scan_status is "none", and update scan_status from "none" to "in_progress". The number of images that can be scanned in each batch can be configured using the system property "sn_itom_pattern.container_image_batch_size"; the default value is 10.
- Trigger a Scan Container Image: the MID Server is selected based on a new capability called "Scan Container Images". Note that Trivy runs only on Linux, so MID Server selection is limited to Linux hosts, which means "Host OS" equals "Linux".
- The "Scan Container Image" pattern runs the Trivy tool and returns a payload containing the installed packages and additional information on the image (architecture, os, os_family, os_version, command).
- Once the payload arrives at the instance, fields on cmdb_ci_docker_image are updated, as is the scan status of the image, from in_progress to scanned or error. The additional table sn_itom_pattern_container_image_os_packages is also updated with descriptions of the OS packages associated with the image.

Note: By default, the "Scan Container Images" scheduled job runs every 1 minute. If the "Scan Container Image" pattern fails with an error whose message contains "TOOMANYREQUESTS: You have reached your pull rate limit", do the following:
- Modify the Scan Container Images scheduled job frequency to a longer interval (for example 6 hours or more) that works best for you.
- Modify scan_status from "error" to "none" in sn_itom_pattern_container_image_scan_status for the images whose scan failed with the TOOMANYREQUESTS error. Once scan_status is changed from error to none, the scheduled job picks up this image and triggers the "Scan Container Image" pattern again.
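As an added example (not the product's own pattern or script code), the scan-status lifecycle described above modelled in plain JavaScript: batch selection with the default batch size of 10, handling of the Trivy payload and of a trivy command error, and the TOOMANYREQUESTS requeue from the note. It assumes the payload has the shape of `trivy image --format json --list-all-pkgs` output (Results[].Class, Packages[].Name/Version/Maintainer); the record fields and function names are this example's own.

```javascript
'use strict';
// Added example: models the sn_itom_pattern_container_image_scan_status lifecycle
// (none -> in_progress -> scanned/error -> none on requeue) without an instance.
// Status records are plain objects { image, scan_status, message } (assumed shape).

const DEFAULT_BATCH_SIZE = 10;               // sn_itom_pattern.container_image_batch_size default
const RATE_LIMIT_MARKER = 'TOOMANYREQUESTS'; // substring the note tells you to look for in message

// Scheduled-job step: pick up to batchSize records with scan_status "none" and mark them in_progress.
function nextBatch(records, batchSize = DEFAULT_BATCH_SIZE) {
  const picked = records.filter(r => r.scan_status === 'none').slice(0, batchSize);
  picked.forEach(r => { r.scan_status = 'in_progress'; });
  return picked;
}

// Pre-sensor step: turn the pattern result into os_packages rows and a final scan_status.
// `result` is { error: string } when the trivy command failed, or { json: string } with its output
// (assumed to follow the `trivy image --format json --list-all-pkgs` layout).
function processScanResult(record, result) {
  if (result.error) {
    record.scan_status = 'error';
    record.message = result.error; // populated in the message column, as the note describes
    return [];
  }
  const report = JSON.parse(result.json);
  const rows = [];
  for (const res of report.Results || []) {
    if (res.Class !== 'os-pkgs') continue; // only OS packages are mapped to containers
    for (const p of res.Packages || []) {
      rows.push({ image: record.image, name: p.Name, version: p.Version, maintainer: p.Maintainer || '' });
    }
  }
  record.scan_status = 'scanned';
  record.message = '';
  return rows;
}

// Troubleshooting step: requeue only records that failed on the registry pull rate limit,
// leaving other errors (e.g. an image that requires authentication) for an operator to review.
function requeueRateLimited(records) {
  const hit = records.filter(r => r.scan_status === 'error' && (r.message || '').includes(RATE_LIMIT_MARKER));
  hit.forEach(r => { r.scan_status = 'none'; });
  return hit.length;
}
```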
This feature uses the following pre- and post-sensor scripts along with the Scan Container Image pattern flow:

Pre-sensor scripts:
- Handle scanned container images: collects information on software packages and inserts information about the packages associated with the current image into sn_itom_pattern_container_image_os_packages. If the trivy command in the pattern returns an error, the script writes the error message to the message field of the sn_itom_pattern_container_image_scan_status table.

Post-sensor scripts:
- UpdateImageCIClass: updates the ci_class field in sn_itom_pattern_container_image_scan_status based on the image command details. Uses the existing ADM logic to map a process command to an application class.
- Update Image OS Packages To Containers: processes all containers that use a given image. For each container, adds the installed packages and application CIs:
  - Prepare a map of software packages for this image based on sn_itom_pattern_container_image_os_packages.
  - Apply the packages to each of the containers.
  - If the application class is detected, also create application CIs and relate them to the hosting container with the runs::runs on relation.
- Update Container Image Scan Status: updates the image scan status from in_progress to scanned or error based on the trivy command execution in the pattern.

Note:
1. Only container images that do not require authentication are supported.
2. Trivy command errors are populated in the message column in sn_itom_pattern_container_image_scan_status.
3. EnrichMSSQLcontainer: MSSQL records are enriched using container environment variables.

The "Update installed packages and application CIs in containers" scheduled job runs periodically and does the following:
- Process a batch of newly created containers.
- Process all containers that use a given image.
- For each container, add the installed packages and application CIs based on the results of container image scanning:
  - Prepare a map of software packages for this image based on sn_itom_pattern_container_image_os_packages.
  - Apply the packages to each of the containers.

Tables:

cmdb_container_environment_variables
Extends: cmdb_key_value
Fields:
- Container: Reference [cmdb_ci_oslv_container], 32
- Key: String, 255
- Value: String, 255

sn_itom_pattern_container_enrich_scripts
Extends: sys_metadata
Fields:
- Active: Boolean, default is true
- Ci_type: String, 255
- Order: Integer, default 0
- Script: Script (server side), default is a comment explaining the expected input and output

sn_itom_pattern_container_image_os_packages
Fields:
- Image: Reference, cmdb_ci_oslv_image, 255
- Package Name: String, 255
- Package Version: String, 255
- Package Maintainer: String, 255

sn_itom_pattern_container_image_scan_status
Fields:
- last_scan: time field
- scan_status: Choice list: None (empty value), In Progress, Scanned, Error, Skipped
- Ci_class: String, 512 characters
- Image: Reference to cmdb_ci_oslv_image
- Message: String, 1000 characters
- Discovery status: Reference, discovery_status

Results

Container Image Scan Status
Navigate to the sn_itom_pattern_container_image_scan_status table to view the image scan status.

Container OS Packages
Navigate to the sn_itom_pattern_container_image_os_packages table to view container image OS packages.

Release
This feature is available in SR - ITOM - Discovery and Service Mapping - 202302.

Related Links

Troubleshooting
Scan Container Image Pattern fails with TOOMANYREQUESTS
After carefully considering the severity and frequency of the issue, and the cost and risk of attempting a fix, it has been decided not to address this issue in any current or near future releases. We do not make this decision lightly, and we apologise for any inconvenience. This issue is related to pull rate limits, which may vary based on the Docker Hub subscription. Hence, based on the customer subscription, the administrator needs to modify the scheduled job frequency and the value of the system property "sn_itom_pattern.container_image_batch_size".
KB1228017 - Scan container image pattern fails with "TOOMANYREQUESTS"