Container Image scan feature

Description

Overview: Discover image OS packages using the trivy tool and map the image OS packages to its containers. Identify a suitable CI class for the image based on the image command details. Create an application record per container and enrich the application record using container environment variables.

Release: This feature is available in the following release: SR - ITOM - Discovery and Service Mapping - 202302

Prerequisites:
- The family version should be Utah or later. Tokyo or prior family versions do not support this feature.
- Once discovery is completed, enable image scan by setting the system property "sn_itom_pattern.container_image_scan" to true. The default value is false.
- Trigger Docker and Kubernetes discovery.
- Download and import the trivy uploaded file sa_uploaded_file_8d3db62c530301103e76ddeeff7b129c.xml

Description: The existing Docker and Kubernetes patterns are enhanced to collect container environment variables.

The "Scan Container Images" scheduled job runs periodically and does the following:
- Creates a new record for each cmdb_ci_oslv_image CI in the table sn_itom_pattern_container_image_scan_status. The number of records added to the image scan status table can be configured using the system property "sn_itom_pattern.container_image_batch_size".
- Triggers the "Scan Container Image" pattern for the records in sn_itom_pattern_container_image_scan_status whose scan_status is "none", and updates their scan_status from "none" to "in_progress". The number of images scanned in each batch can be configured using the system property "sn_itom_pattern.container_image_batch_size"; the default value is 10.
- To trigger a Scan Container Image, the MID Server is selected based on a new capability called "Scan Container Images". Note that Trivy runs only on Linux, so MID selection must be limited to Linux hosts, which means "Host OS" equals "Linux".

The "Scan Container Image" pattern runs the Trivy tool and returns a payload containing the installed packages and additional information on the image (architecture, os, os_family, os_version, command). Once the payload arrives at the instance, some fields on cmdb_ci_docker_image are updated and the scan status of the image is updated from in_progress to scanned/error. An additional table that describes the OS packages associated with the image (sn_itom_pattern_container_image_os_packages) is updated as well.

Note: By default, the "Scan Container Images" scheduled job runs every 1 minute. If the "Scan Container Image" pattern fails with an error message containing "TOOMANYREQUESTS: You have reached your pull rate limit", do the following:
- Change the "Scan Container Images" scheduled job frequency to a longer interval (for example 6 hours or more) that works for your environment.
- Change scan_status from "error" to "none" in sn_itom_pattern_container_image_scan_status for the images whose scan failed with the TOOMANYREQUESTS error. Once scan_status is changed from error to none, the scheduled job picks up the image again and triggers the "Scan Container Image" pattern.

This feature uses the following pre- and post-sensor scripts along with the Scan Container Image pattern flow:

Pre-sensor scripts:
- Handle scanned container images: Collects information on software packages and inserts into sn_itom_pattern_container_image_os_packages the packages associated with the current image. If the trivy command in the pattern returns an error, the error message is stored in the message column of the sn_itom_pattern_container_image_scan_status table.

Post-sensor scripts:
- UpdateImageCIClass: Updates the ci_class field in sn_itom_pattern_container_image_scan_status based on the image command details. Uses the existing ADM logic to map a process command to an application class.
- Update Image OS Packages To Containers: Processes all containers that use a given image. For each container, adds the installed packages and application CIs:
  - Prepares a map of software packages for this image based on sn_itom_pattern_container_image_os_packages.
  - Applies the packages to each of the containers.
  - If an application class is detected, also creates application CIs and relates them to the hosting container with the runs::runs on relationship.
- Update Container Image Scan Status: Updates the image scan status from in_progress to scanned/error based on the trivy command execution in the pattern.

Note:
1. Currently, only container images that do not require authentication are supported.
2. trivy command errors are populated in the message column in sn_itom_pattern_container_image_scan_status.
3. EnrichMSSQLcontainer - MSSQL records are enriched using container environment variables.

The "Update installed packages and application CIs in containers" scheduled job runs periodically and does the following:
- Processes a batch of newly created containers.
- Processes all containers that use a given image. For each container, adds the installed packages and application CIs based on the results of container image scanning:
  - Prepares a map of software packages for this image based on sn_itom_pattern_container_image_os_packages.
  - Applies the packages to each of the containers.

Model Diagram:

Tables:

cmdb_container_environment_variables
Extends: cmdb_key_value
Fields:
- Container: Reference [cmdb_ci_oslv_container], 32
- Key: String, 255
- Value: String, 255

sn_itom_pattern_container_enrich_scripts
Extends: sys_metadata
Fields:
- Active: Boolean, default is true
- Ci_type: String, 255
- Order: Integer, default 0
- Script: Script (server side); the default is a comment explaining the expected input and output

sn_itom_pattern_container_image_os_packages
Fields:
- Image: Reference, cmdb_ci_oslv_image, 255
- Package Name: String, 255
- Package Version: String, 255
- Package Maintainer: String, 255

sn_itom_pattern_container_image_scan_status
Fields:
- last_scan: Time field
- scan_status: Choice list: None (empty value), In Progress, Scanned, Error, Skipped
- Ci_class: String, 512 characters
- Image: Reference to cmdb_ci_oslv_image
- Message: String, 1000 characters
- Discovery status: Reference, discovery_status

Known Issues: DEF0364182
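As an added illustration of the scan status bookkeeping described above (batch pick-up of "none" records, mapping of the pattern payload into the os_packages rows and scan status, and the TOOMANYREQUESTS recovery), the plain JavaScript below is not ServiceNow's sensor or scheduled-job code and uses no GlideRecord. The trivy report field names (Metadata.OS, Metadata.ImageConfig, Results[].Packages) and the sample report are assumptions constructed for this example.

```javascript
// Added example, not ServiceNow's own sensor/scheduled-job code: plain JavaScript
// (no GlideRecord) modelling the bookkeeping described above. trivy field names
// (Metadata.OS, Metadata.ImageConfig, Results[].Packages) are assumed from its JSON output.

// Constructed sample report for one image, as the pattern would return it.
const SAMPLE_REPORT = {
  Metadata: { OS: { Family: "debian", Name: "11.6" },
              ImageConfig: { architecture: "amd64", config: { Cmd: ["java", "-jar", "/app.jar"] } } },
  Results: [{ Class: "os-pkgs", Packages: [
    { Name: "libc6", Version: "2.31-13+deb11u5", Maintainer: "GNU Libc Maintainers <debian-glibc@lists.debian.org>" },
    { Name: "openssl", Version: "1.1.1n-0+deb11u4", Maintainer: "Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>" }
  ] }]
};
// "none" is the empty choice value of scan_status in the scan status table.
const isNone = (s) => !s || s === "none";

// Scheduled job: take up to batchSize "none" rows and mark them in_progress.
function selectBatch(statusRows, batchSize) {
  const picked = statusRows.filter((r) => isNone(r.scan_status)).slice(0, batchSize);
  picked.forEach((r) => { r.scan_status = "in_progress"; });
  return picked;
}

// Sensor: turn the pattern result into image fields, os_packages rows and the final
// scan status. A string result is the trivy error text and goes into the message column.
function processScanResult(imageSysId, output) {
  if (typeof output === "string") {
    return { scan_status: "error", message: output.slice(0, 1000), image: null, packages: [] };
  }
  const meta = output.Metadata || {}, os = meta.OS || {}, cfg = meta.ImageConfig || {};
  const packages = [];
  for (const res of output.Results || []) {
    if (res.Class !== "os-pkgs") continue;             // only OS packages are mapped
    for (const p of res.Packages || []) {
      packages.push({ image: imageSysId, package_name: p.Name,
                      package_version: p.Version, package_maintainer: p.Maintainer || "" });
    }
  }
  const image = { os_family: os.Family || "", os_version: os.Name || "",
                  architecture: cfg.architecture || "", command: ((cfg.config || {}).Cmd || []).join(" ") };
  return { scan_status: "scanned", message: "", image, packages };
}

// Rate-limit recovery from the note above: error rows whose message carries
// TOOMANYREQUESTS go back to "none" so a later (slower) job run retries them.
function resetRateLimited(statusRows) {
  const hit = statusRows.filter((r) => r.scan_status === "error" && /TOOMANYREQUESTS/.test(r.message || ""));
  hit.forEach((r) => { r.scan_status = "none"; r.message = ""; });
  return hit.length;
}
```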