Scan Lab Overview¶
Scan Lab, accessible via App Central, allows you to view Scan Results. You also can resolve or justify Common Vulnerabilities and Exposures (CVEs), address Anchore compliance results, and access the Security team's responses to proposed resolutions.
Navigating to Scan Lab¶
In App Central, you will see a table titled Services that lists all of your containers. To reach Scan Lab, you must select the number under the Vulnerabilities column.
Scan Lab¶
Scan Lab displays a collection of all vulnerabilities detected by our scanning software. Each component of your application has a corresponding Scan Lab with scan results.
Scan Lab displays the following three buckets.:
| Section | Description |
|---|---|
| Unresolved Vulnerabilities |
|
| Justifications | This list contains the vulnerabilities you addressed, and how you addressed them. A justification is your explanation of how you mitigated the vulnerability. |
| Remediation | This list contains vulnerabilities that you mitigated by removing or upgrading the package or library triggering each vulnerability. |
Remediations and Justifications are deemed Resolutions, as they provide insight into how you mitigate vulnerabilities.
Common Vulnerabilities and Exposures¶
CVE scan results produce Low, Medium, High, and Critical severity levels. This designation is associated with each vulnerability as determined during the scanning process.
When can I expect scan results for my app?
Once you are granted access to your Harbor Repository, you can push your containerized images. Our pipelines will automatically run these images through our security scanning tools and populate Scan Lab with the results. The scanning time varies by the image. If scan results fail to populate after you have pushed your image, inform our team by submitting a Support Ticket.
Scan results are organized as line items, each providing the severity level, the due date, the CVE identifier, and the package the CVE was detected in. Each line item also indicates whether the vulnerability is unresolved (exclamation mark), resolved, or new.
Selecting the checkbox for a line item opens a window to the right of the scan results. This window gives details on the vulnerability along with a link to see more information about that CVE. This window also provides a drop-down menu to select a resolution. Selecting the information bubble above the drop-down menu provides amplifying information on which resolution to select.
Tip
You can select more than one CVE at a time to bulk submit resolutions.
Once you have made your selection, you will be prompted to write a comment for elaboration. When finished click the SUBMIT CHANGES button to save your progress. Once you save your update, the vulnerability line item you reviewed moves to the Remediations or Justifications list, contingent upon your decision.
To submit your resolutions to the Game Warden team, you must address ALL security findings for your image. With all findigns resolved or justified, you can click the ASK FOR SECURITY REVIEW button. Our Security team can approve or deny your resolutions.
Production Image Scanning¶
Game Warden will automatically scan all customer-deployed production images for vulnerabilities on the first of every month. This automated schedule ensures that any emerging threats are identified in a timely manner.
If vulnerabilities are detected, you'll receive alerts directly through Slack and in the Game Warden Web App, making it easy to stay informed and quickly address issues as they arise.
You can navigate to the "Images" tab to view either the "Latest Images" (if no images are currently deployed) or "In Production" images (if you have deployed images).
Here, you can link to the Latest Scan for each image to manage the new CVEs in Scan Lab. Vulnerabilities must be resolved in accordance with our Acceptance Baseline Criteria to maintain your application’s security and compliance. We recommend checking the results regularly and addressing vulnerabilities as soon as possible.
Downloading Artifacts¶
Clicking the blue Download Artifacts button in the upper right corner of Scan Lab allows you to download your raw scans and Software Bill of Materials (SBOM) to facilitate information sharing and offline-work.
CVE Due Dates and New Status¶
CVE due dates will not come into play until after your app has been deployed to production.
We continually scan apps deployed to Game Warden's production environments and sometimes new vulnerabilities are surfaced, hence the New tag that may appear on Scan Lab line items.
This date refers to the Remediation/Justification date in Table A of the Game Warden Acceptance Baseline Criteria and indicates when your team must implement your fixes.
Tip
View our Common Vulnerabilities and Exposures and Compliance Best Practices for additional helpful information.
Anchore Compliance Results¶
Anchore compliance results reveal Department of Defense (DoD) compliance issues within an application. Anchore compliance results are based on the National Institute of Standards and Technology (NIST) 800-53 compliance policies that are required for the DoD. You must remediate or justify these findings as you would remediate or justify standard CVEs. The compliance result severity types are as follows:
- Go – Okay to Proceed, similar to a Low vulnerability.
- Warn – Issue a warning, similar to a Medium vulnerability.
- Stop – Critical error that should stop the deployment by failing the policy evaluation, similar to a High vulnerability.