Enable container image scanning using the Aqua Trivy tool.

Before you begin

Note: The pattern supports only the Linux operating system and runs on a Linux MID Server.
Verify the following setup:
  • Discovery and Service Mapping Patterns, starting 1.7.0 (August 2023 store release).
  • CMDB CI Class Models, starting 1.43.0.
  • Visibility Content, starting 6.7.2.
  • For the container images scan to run successfully, verify that all the MID Servers in your environment are configured for specific capabilities and are not set to All. For more information on configuring capabilities, see MID Server capabilities.
  • MID Server requirements:
    • 8GB RAM with 4GB JVM
    • MID Server Capability configured to Scan Container Images
    • Can access the image repository
  • Aqua Trivy starting 0.44.0 is installed on the MID Server. The last version validated is 0.51.0. For more information on installing Aqua Trivy, see the Container Image scan feature overview [KB1218504] article in the Now Support Knowledge Base.
  • To collect Docker or Kubernetes container image and environment records, you must first run the Docker or Kubernetes discovery before enabling the Container Image Scan feature. For more information, see Kubernetes discovery and Docker virtualization.
  • Starting with Discovery and Service Mapping Patterns version 1.18.0, the Container Image Scan feature also supports the following:
    • Using a proxy MID Server to scan the container images in the following repositories: public, self-hosted private, and Amazon Elastic Container Registry (Amazon ECR) repositories. To use a proxy MID Server, ensure the MID Server proxy parameters are correctly configured. For more information, see MID Server parameters.
    • Scanning container images in self-hosted private repositories. To scan these repositories, you must create container image repository credentials. For more information, see Create and test your credentials and Container image repository credentials.
    • Collecting image records from Amazon ECR in both public and private repositories. To collect these Amazon ECR image records, you must first run the Amazon ECS resource discovery before enabling the Container Image Scan. The AWS cloud service account created for the Amazon ECS resource discovery is also used for the container image scan. For more information about Amazon ECS resource discovery, see Amazon ECS resource discovery.

Role required: admin

Procedure

  1. Enable the Discovery and Service Mapping Patterns Container Image Scan by setting the system property.
    1. In the Navigation filter, enter sys_properties.list.
    2. In the Name search field, enter sn_itom_pattern.container_image_scan.
    3. Set the value to true.
  2. In the URL bar enter: <instance>.service-now.com/sn_itom_pattern_container_image_scan_status_list.do to review the scan status of the images.
  3. Select the image record to review the Container Image OS Packages table.

Result

The Scan Container Image pattern finds the image OS packages and creates application records based on the image CI class. The Container Image OS Packages table is located in the image record. The pattern also creates relationships between the configuration items. For more information on the data collected, see Container image discovery.