How do I manage vulnerabilities?

You can use Vulnerability Advisor to manage image security and vulnerabilities.

For more information, see Managing image security with Vulnerability Advisor.

How much does Vulnerability Advisor cost?

The cost of Vulnerability Advisor is built into the pricing for IBM Cloud Container Registry. For more information, see Billing for storage and pull traffic.

Can images from other registries be scanned by Vulnerability Advisor?

Vulnerability Advisor scans images from IBM Cloud Container Registry only.

How is a Vulnerability Advisor scan triggered?

For more information about how the scanning of an image is triggered, see Vulnerable packages.

Why doesn't my image scan in Vulnerability Advisor v4?

If your image isn't being scanned, check that it has a tag. In Vulnerability Advisor version 4, images are scanned only if they have a tag.

Why doesn't a new image scan in Vulnerability Advisor?

If you get the vulnerability report immediately after you add the image to the registryA storage and distribution service that contains public or private images that are used to create containers., you might receive the following error:

BXNVA0009E:  <imagename> has not been scanned. Try again later.
If this issue persists, contact support for help;
see https://cloud.ibm.com/docs/get-support?topic=get-support-getting-customer-support#getting-customer-support

You receive this message because the images are scanned asynchronously to the requests for results, and the scanning process takes a while to complete. During normal operation, the scan completes within the first few minutes after you add the image to the registry. The time that it takes to complete depends on variables like the proportions of the image and the amount of traffic that the registry is receiving.

If you get this message as part of a build pipeline and you see this error regularly, try adding some retry logic that contains a short pause.

If you still see unacceptable performance, contact support, see Getting help and support for Container Registry.

How often are the security notices updated in Vulnerability Advisor?

Security notices for Vulnerability Advisor are loaded from the vendors' operating system sites approximately every 12 hours.

How do I get notified about the security status of an image?

You can see the security status of your images within the Vulnerability Advisor dashboard. You cannot set up notifications.

Which version of a package is installed in my image?

To determine the version of a package that is installed in your image, use the relevant package manager command for your operating system.

Does Vulnerability Advisor have versions?

Vulnerability Advisor version 4 is the only version available. For more information, see Managing image security with Vulnerability Advisor.

Vulnerability Advisor version 3 is discontinued from 13 November 2023. For more information about how to update to version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.