Vulnerability Scanning — Runtime Containers #
Control ID: SDLC-CTRL-0024 | Type: Detective
Summary #
Container images already running in production are periodically re-scanned for vulnerabilities, so that CVEs disclosed after deployment are detected against live workloads.
Description #
Build-time scanning (see SDLC-CTRL-0022 and SDLC-CTRL-0021) only catches vulnerabilities known at the moment an artefact was built. Because new CVEs are disclosed daily against packages that don’t change, an artefact can become vulnerable after it has already been deployed, without any new build or deployment taking place.
Runtime vulnerability scanning closes this gap by periodically re-scanning the artefacts that are actually running in production — as recorded by Kosli’s live environment inventory — rather than relying solely on the point-in-time scan performed at build.
Requirements #
- Artefacts running in production MUST be re-scanned for vulnerabilities on a recurring schedule, independent of build and deployment activity
- Runtime scanning MUST be driven from the actual live inventory of running artefacts, not from source or build records
- Runtime scan results MUST be recorded as attestations
- Newly disclosed vulnerabilities found in running artefacts MUST be classified by severity and tracked to resolution
- Runtime scan failures and expiring vulnerability exceptions SHOULD generate alerts to the appropriate response channels
How we implement this control #
- We run a daily scheduled Snyk Container scan against every artefact currently reported in our Kosli production environments, using the live environment snapshot (not the build record) to determine what to scan
- Scan results are recorded as Kosli attestations, both against the artefact’s own trail and in a dedicated periodic scanning flow used for trend and compliance reporting
- Scan failures and expiring
.snykignore policies are reported to our Slack channels for review
Compliance Frameworks #
NIST SP 800-53 Rev. 5
- RA-5 — Vulnerability monitoring and scanning — periodic re-scanning detects vulnerabilities disclosed after an artefact has already been deployed.
- SI-4 — System monitoring — continuous monitoring of running workloads for newly discovered vulnerabilities.
- CA-7 — Continuous monitoring — runtime scanning is part of the ongoing compliance monitoring strategy for deployed artefacts.
- SI-2 — Flaw remediation — vulnerabilities found in running artefacts must be triaged and remediated.
- CM-8 — System component inventory — runtime scanning is driven from the live inventory of artefacts recorded in the runtime environment.
SOC 2 Type II
- CC7.1 — Requires detection of vulnerabilities in system components; runtime scanning identifies vulnerabilities in artefacts already deployed to production.
- CC7.2 — Requires monitoring for anomalies indicative of security events; newly disclosed CVEs against running workloads are surfaced as they are detected.