Using the Cloud Guard Vulnerability Scanning Detector Rules

Configure and use Cloud Guard to monitor security problems detected in Vulnerability Scanning.

If Cloud Guard isn’t already enabled, enable it and create at least one Cloud Guard target. See Getting Started with Cloud Guard and Managing Cloud Guard Targets.

At least one Vulnerability Scanning target must exist before the Vulnerability Scanning service creates any reports, and the Cloud Guard detector works from those reports. See Managing Targets.

Note

Cloud Guard targets are separate resources from Vulnerability Scanning targets. To use Cloud Guard to detect problems in Vulnerability Scanning reports, the Vulnerability Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.
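The compartment rule in the note above is easy to get wrong in a tenancy with many compartments. The following is an added example (not Oracle's code and not part of this documentation) that checks it: given a compartment tree expressed as a child-to-parent map, it reports which Vulnerability Scanning target compartments are not the Cloud Guard target compartment or one of its subcompartments, and whose reports would therefore never surface as Cloud Guard problems. The OCIDs and the tree shape are constructed placeholders.

```python
"""Check the Cloud Guard / Vulnerability Scanning compartment-scoping rule.

Added example, not Oracle's code. Assumes the compartment hierarchy is
available as a dict mapping each compartment OCID to its parent OCID
(None for the tenancy root). All OCIDs below are constructed placeholders.
"""
from typing import Dict, List, Optional

# Constructed sample tree: child compartment -> parent compartment.
SAMPLE_TREE: Dict[str, Optional[str]] = {
    "ocid1.tenancy.oc1..example_root": None,
    "ocid1.compartment.oc1..example_security": "ocid1.tenancy.oc1..example_root",
    "ocid1.compartment.oc1..example_security_prod": "ocid1.compartment.oc1..example_security",
    "ocid1.compartment.oc1..example_dev": "ocid1.tenancy.oc1..example_root",
}


def ancestors_and_self(compartment_id: str, tree: Dict[str, Optional[str]]) -> List[str]:
    """Return the compartment followed by each of its ancestors up to the root."""
    chain: List[str] = []
    seen = set()
    current: Optional[str] = compartment_id
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in compartment tree at {current}")
        if current not in tree:
            raise KeyError(f"unknown compartment {current}")
        seen.add(current)
        chain.append(current)
        current = tree[current]
    return chain


def vss_target_is_covered(vss_compartment: str, cloud_guard_compartment: str,
                          tree: Dict[str, Optional[str]]) -> bool:
    """True if the VSS target compartment is the Cloud Guard target compartment
    itself or lies anywhere beneath it (the rule stated in the note)."""
    return cloud_guard_compartment in ancestors_and_self(vss_compartment, tree)


def uncovered_vss_targets(vss_target_compartments: List[str],
                          cloud_guard_target_compartments: List[str],
                          tree: Dict[str, Optional[str]]) -> List[str]:
    """VSS target compartments that no Cloud Guard target covers; scan reports
    from these compartments will not produce Cloud Guard problems."""
    return [
        c for c in vss_target_compartments
        if not any(vss_target_is_covered(c, cg, tree) for cg in cloud_guard_target_compartments)
    ]


if __name__ == "__main__":
    # Cloud Guard target on the security compartment; VSS targets in prod and dev.
    gaps = uncovered_vss_targets(
        ["ocid1.compartment.oc1..example_security_prod", "ocid1.compartment.oc1..example_dev"],
        ["ocid1.compartment.oc1..example_security"],
        SAMPLE_TREE,
    )
    for compartment in gaps:
        print(f"VSS target compartment not covered by any Cloud Guard target: {compartment}")
```

In the sample tree the prod VSS target is covered (it sits under the security compartment that the Cloud Guard target monitors) while the dev VSS target is not, which is exactly the situation that leads to "no Vulnerability Scanning problems" even though scan reports exist.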

To view Vulnerability Scanning problems in Cloud Guard:

  1. If you created a custom configuration detector recipe in Cloud Guard, verify that the Vulnerability Scanning detector rules are enabled in your recipe.

    All detector rules are automatically enabled in Oracle-managed recipes such as OCI Configuration Detector Recipe, and can't be disabled.

    1. From the Cloud Guard console, click Detector Recipes.
    2. Click your custom configuration detector recipe.
    3. Under Detector Rules, in the Filter by detector rule field, enter scan.
    4. Select the check boxes for the Vulnerability Scanning rules.
      • Scanned container image has vulnerabilities
      • Scanned host has vulnerabilities
      • Scanned host has open ports
    5. If these rules aren’t already enabled, click Enable.

    For more information, see Modifying a Detector Recipe.

  2. From the Cloud Guard console, click Problems.
  3. Click the name of a Vulnerability Scanning problem to view its details.
    • Scanned container image has vulnerabilities
    • Scanned host has vulnerabilities
    • Scanned host has open ports
    Tip

    To show only Vulnerability Scanning problems, set Filters to Labels = VSS (case-sensitive).

    Vulnerability Scanning problems include links to the corresponding Host Scans, Port Scans, and Container Image Scans.

    If no Vulnerability Scanning problems are displayed in Cloud Guard, then consider the following scenarios.

    • The Vulnerability Scanning service didn’t create any reports yet. The schedule (daily/weekly) is configured in the Vulnerability Scanning target.
    • You recently enabled Cloud Guard or the Vulnerability Scanning detector rules, and Cloud Guard hasn't run them yet.

    For more information, see Processing Reported Problems and Troubleshooting the Vulnerability Scanning service.
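The console filter in the tip above (Labels = VSS, case-sensitive) and the three detector rules listed in the procedure can also be applied to a problem listing outside the console, for example when exporting problems for review. The following is an added example, not Oracle's code: it filters a list of problem records down to the ones carrying the exact VSS label, orders them by risk level, and counts them per Vulnerability Scanning rule. The records are constructed, and their field names are a simplification assumed for this example rather than the exact Cloud Guard API schema.

```python
"""Select and summarise Vulnerability Scanning (VSS) problems from a problem listing.

Added example, not Oracle's code. SAMPLE_PROBLEMS is constructed; the field
names (rule_name, labels, risk_level, state) are an assumed simplification of a
problem record, not the exact Cloud Guard API schema.
"""
from collections import Counter
from typing import Dict, List

# The label used by the console filter; matched case-sensitively, as the console does.
VSS_LABEL = "VSS"

# The three Vulnerability Scanning detector rules named in the procedure.
VSS_RULE_NAMES = {
    "Scanned container image has vulnerabilities",
    "Scanned host has vulnerabilities",
    "Scanned host has open ports",
}

# Most severe first; unknown levels sort last.
RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "MINOR": 4}

# Constructed sample problems (placeholder OCIDs, not real resources).
SAMPLE_PROBLEMS: List[Dict] = [
    {"id": "ocid1.cloudguardproblem.oc1..example1", "rule_name": "Scanned host has vulnerabilities",
     "labels": ["VSS"], "risk_level": "CRITICAL", "resource_name": "web-01", "state": "OPEN"},
    {"id": "ocid1.cloudguardproblem.oc1..example2", "rule_name": "Scanned host has open ports",
     "labels": ["VSS"], "risk_level": "MEDIUM", "resource_name": "web-01", "state": "OPEN"},
    {"id": "ocid1.cloudguardproblem.oc1..example3", "rule_name": "Scanned container image has vulnerabilities",
     "labels": ["VSS"], "risk_level": "HIGH", "resource_name": "app:1.2", "state": "RESOLVED"},
    {"id": "ocid1.cloudguardproblem.oc1..example4", "rule_name": "Example non-scanning rule",
     "labels": ["Other"], "risk_level": "CRITICAL", "resource_name": "logs-bucket", "state": "OPEN"},
    # Lowercase label: the case-sensitive filter does not match it.
    {"id": "ocid1.cloudguardproblem.oc1..example5", "rule_name": "Scanned host has vulnerabilities",
     "labels": ["vss"], "risk_level": "HIGH", "resource_name": "db-01", "state": "OPEN"},
]


def vss_problems(problems: List[Dict], open_only: bool = True) -> List[Dict]:
    """Problems carrying the exact 'VSS' label, most severe first."""
    selected = [p for p in problems if VSS_LABEL in p.get("labels", [])]
    if open_only:
        selected = [p for p in selected if p.get("state") == "OPEN"]
    return sorted(selected, key=lambda p: RISK_ORDER.get(p.get("risk_level", ""), 99))


def count_by_rule(problems: List[Dict]) -> Dict[str, int]:
    """Open VSS problems per detector rule; rules with none still appear with 0,
    which makes a silent rule (not enabled, or no reports yet) visible."""
    counts = Counter(p["rule_name"] for p in vss_problems(problems))
    return {rule: counts.get(rule, 0) for rule in VSS_RULE_NAMES}


def label_case_mismatches(problems: List[Dict]) -> List[str]:
    """IDs of problems from a VSS rule whose label is not exactly 'VSS'; the
    console's case-sensitive filter would hide these."""
    return [
        p["id"] for p in problems
        if p.get("rule_name") in VSS_RULE_NAMES and VSS_LABEL not in p.get("labels", [])
    ]


if __name__ == "__main__":
    for p in vss_problems(SAMPLE_PROBLEMS):
        print(f"{p['risk_level']:9} {p['rule_name']:45} {p['resource_name']}")
    print(count_by_rule(SAMPLE_PROBLEMS))
    print("hidden by case-sensitive filter:", label_case_mismatches(SAMPLE_PROBLEMS))
```

If `count_by_rule` returns 0 for every rule, the two scenarios listed above apply: the Vulnerability Scanning service has not produced a report yet for the configured schedule, or Cloud Guard has not run the newly enabled rules yet.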