Red Hat Advanced Cluster Security
ROX-29803

RHACS: Base images: handling separation of duties

Issue type: Product / Portfolio Work
Status: To Do
      Description:

As a security engineer using ACS, I want to reduce the security risk of my teams building their container images on untrusted base images. DevOps teams will not be permitted to use container images whose base is outside an approved list.

      Further, my security team will maintain base image components and vulnerability management, and supply updated base images for DevOps to use. DevOps should not be responsible for vulnerabilities in base image layers.

      I would like to:

• Define what a base image means in my organization (image:tag, SHAs, etc.)
• Restrict the base images my teams can use, and provide appropriate policy notifications and enforcement when teams deviate from the restricted list
• Keep my list of approved base images up to date, and enforce the use of newer versions of base images through notification and enforcement
• Ensure that a base image layer cannot be used, even if it was previously approved, if it is older than a certain age
• Be able to filter and search for the use of particular base images

      In order to manage vulnerabilities in base image layers I would like to:

• Maintain updated vulnerability data for all trusted base images, even if the image is not directly used in a Deployment
• Distinguish, in policy criteria, vulnerabilities found in a base image layer from those found in "other" layers, with notifications and enforcement applied accordingly
• Distinguish in policy criteria the "layer age" of the base layer, separate from the overall "image age" that is currently available
• Trigger notifications when a base image layer is removed from an approved list, sent to configured integrations for running deployments that use the now-unapproved base

      Goal Summary:

In ACS, clearly identify, for a container image, which CVEs are detected in the base image layers and which CVEs are detected in layers added on top of the base image.

      Goals and expected user outcomes:

• Security teams can clearly identify, and communicate to the appropriate stakeholders, which CVEs were identified in base image layers and which were detected in layers added on top.

      Acceptance Criteria:

• Based on the base image SHA, ACS can clearly identify which layers of a container image come from the base image and which are added on top
• ACS can clearly identify, display and report on which CVEs come from the container base image and which are identified in layers added on top
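The acceptance criteria above (and the "layer age" bullet under vulnerability management) rest on one mechanism: an image built FROM a base carries the base's layers, in order, at the bottom of its own layer list, so matching the approved base's layer digests as a prefix tells you where the base ends and the team's layers begin. The following is an added example, not RHACS code and not how ACS implements the feature; it assumes a scanner that reports each CVE with the index of the layer that introduced the vulnerable package, and uses constructed placeholder digests and CVE ids.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Layer is one image layer: its content digest and the creation time from
// the image config history.
type Layer struct {
	Digest  string
	Created time.Time
}

// BaseImage is an approved base: a display reference, the manifest digest
// (the "base image SHA") that identifies it, and its ordered layer digests.
type BaseImage struct {
	Ref    string
	Digest string
	Layers []string
}

// Finding is a scanner result tied to the 0-based (bottom-up) index of the
// layer that introduced the vulnerable package (assumed scanner output).
type Finding struct {
	CVE        string
	LayerIndex int
}

// Attribution splits findings by origin. Base is nil when no approved base
// matched; every finding is then treated as "added on top".
type Attribution struct {
	Base      *BaseImage
	BaseDepth int // number of leading layers that belong to the base
	BaseCVEs  []string
	AddedCVEs []string
}

// MatchBase returns the approved base whose layers form the longest prefix
// of the image's layers, and how many leading layers that prefix covers.
func MatchBase(image []Layer, approved []BaseImage) (*BaseImage, int) {
	var best *BaseImage
	depth := 0
	for i := range approved {
		b := &approved[i]
		if len(b.Layers) > len(image) || len(b.Layers) <= depth {
			continue
		}
		match := true
		for j, d := range b.Layers {
			if image[j].Digest != d {
				match = false
				break
			}
		}
		if match {
			best, depth = b, len(b.Layers)
		}
	}
	return best, depth
}

// Attribute assigns each finding to the base layers or to layers added on top.
func Attribute(image []Layer, findings []Finding, approved []BaseImage) Attribution {
	base, depth := MatchBase(image, approved)
	a := Attribution{Base: base, BaseDepth: depth}
	for _, f := range findings {
		if f.LayerIndex < depth {
			a.BaseCVEs = append(a.BaseCVEs, f.CVE)
		} else {
			a.AddedCVEs = append(a.AddedCVEs, f.CVE)
		}
	}
	sort.Strings(a.BaseCVEs)
	sort.Strings(a.AddedCVEs)
	return a
}

// BaseLayerAge is the age of the newest base layer at time now: how stale the
// base is, independent of when the final image was built (the "image age").
func BaseLayerAge(image []Layer, depth int, now time.Time) time.Duration {
	if depth == 0 {
		return 0
	}
	newest := image[0].Created
	for _, l := range image[:depth] {
		if l.Created.After(newest) {
			newest = l.Created
		}
	}
	return now.Sub(newest)
}

// Constructed sample data: hypothetical reference, placeholder digests and CVE ids.
func ApprovedBases() []BaseImage {
	return []BaseImage{{
		Ref:    "registry.example.com/base/minimal:9",
		Digest: "sha256:PLACEHOLDER-BASE-MANIFEST",
		Layers: []string{"sha256:PLACEHOLDER-BASE-L0", "sha256:PLACEHOLDER-BASE-L1"},
	}}
}

func SampleImage() []Layer {
	return []Layer{
		{"sha256:PLACEHOLDER-BASE-L0", time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)},
		{"sha256:PLACEHOLDER-BASE-L1", time.Date(2024, 2, 1, 0, 0, 0, 0, time.UTC)},
		{"sha256:PLACEHOLDER-APP-L2", time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)},
	}
}

func SampleFindings() []Finding {
	return []Finding{{"CVE-0000-0001", 0}, {"CVE-0000-0002", 2}}
}

func main() {
	a := Attribute(SampleImage(), SampleFindings(), ApprovedBases())
	fmt.Printf("base=%s depth=%d baseCVEs=%v addedCVEs=%v\n", a.Base.Ref, a.BaseDepth, a.BaseCVEs, a.AddedCVEs)
}
```

Matching on layer digests rather than on the FROM line in a Dockerfile matters for the separation-of-duties goal: the build context is not available at admission time, and a team could rebuild or re-tag an image with the same name, while the layer digests only match if the bytes are the approved base's. The longest-prefix rule also handles an approved base that is itself built on another approved base, attributing the layers to the most specific one.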

      Success Criteria or KPIs measured:

      Feature usage statistics

      Out-of-Scope:

Policy implementation to support this feature.

Assignee: Unassigned
Reporter: Saif Chaudhry (schaudhr)