Working with container image rules

You can build policies by selecting which rules are applied when container images are scanned, and by creating your own custom rules.

Scanning rules

Sophos Cloud Optix container image scanning uses the following rule types:

  • Sophos Cloud Optix best-practice rules.
  • Rules created from recommendations by the Center for Internet Security (CIS).

    See CIS Controls Version 8.

  • Custom rules that you create, based on Sophos Cloud Optix best-practice rules.

Sophos Cloud Optix best-practice rules are created using regularly updated security vulnerability and package data from multiple sources, including:

  • Security advisories from Linux distribution vendors for distribution-specific packages (Alpine Linux, CentOS, Debian, Oracle Linux, Red Hat Enterprise Linux, Ubuntu).
  • Package repository information from RubyGems and npm.
  • NIST National Vulnerability Database (NVD).

On the Container Images page you can choose which policy is applied to your images. Click Security Policy settings, choose the policy, and click Save and Close.

Custom scanning rules

To create your own rules, do as follows.

  • Go to Configure and click Policies.
  • Click Create Custom Policy and choose Container Images.

    You can click Preview at any time to see the rules in the policy you are creating.

  • Enter a name and tag for the policy. The tag is used to filter alerts.
  • Choose whether the policy should include or exclude environments and tags.

    You can also use the filter to include or exclude specific tags.

  • Select Custom Rules.
  • Choose a custom rule category for your new rule.
  • Complete the rest of the form for the rule category you selected.

    Rule preview shows you how your rule looks as you build it.

  • When you finish, click Save.

Your new rule appears in the Custom Rules List and in Custom Category.

Select Custom Category to add the new rule to your new policy.

For more information on managing and creating policies, see Policies.