Sample public image scan with compliance check

Public image scan

The following example performs an image scan on an image in a public registry. This image revision has 223 known vulnerabilities (CVEs), spanning a number of severities. ImageScan uses the ScanPolicy to run a compliance check against the CVEs.

The policy in this example is set to treat only Critical severity CVEs as violations, so the scan reports 21 Critical severity vulnerabilities as policy violations.


This example ScanPolicy is deliberately constructed to showcase the features available and must not be considered an acceptable base policy.

In this example, the scan does the following (currently):

  • Finds all 223 of the CVEs.
  • Ignores any CVEs with severities that are not critical.
  • Indicates in the Status.Conditions that 21 CVEs have violated policy compliance.

Define the ScanPolicy and ImageScan

Create sample-public-image-scan-with-compliance-check.yaml:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: sample-scan-policy
  labels:
    'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
  regoFile: |
    package main

    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["Critical"]
    ignoreCves := []

    # True when elem is an element of array, false otherwise.
    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    # A vulnerability is safe if at least one of its severity ratings is
    # not listed in notAllowedSeverities ...
    isSafe(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      fails := contains(notAllowedSeverities, severities[i])
      not fails
    }

    # ... or if its CVE id is on the ignore list.
    isSafe(match) {
      ignore := contains(ignoreCves, match.id)
      ignore
    }

    # Emit one violation message per vulnerability that is not safe.
    # The scanner's BOM can carry a field as a single object or as a list,
    # so each step unions both forms.
    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      some i
      comp := comps[i]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      some j
      vuln := vulns[j]
      ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
      not isSafe(vuln)
      msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
    }

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-public-image-scan-with-compliance-check
spec:
  registry:
    image: "nginx:1.16"
  scanTemplate: public-image-scan-template
  scanPolicy: sample-scan-policy
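To see what the ScanPolicy above actually decides before you deploy it, the following is a plain Python re-implementation of its three Rego rules (contains, the two isSafe rules and deny) run over a small constructed BOM. It is an added example, not code from the page or from the scan controller; the BOM shape (bom.components.component[].vulnerabilities.vulnerability[].ratings.rating[].severity) mirrors the paths the Rego walks, the CVE ids and component names are made up, and the "EvaluationPassed" reason string for the no-violation case is an assumption, since this page only shows the failing reason. It also exposes one property of the policy worth knowing when you tune notAllowedSeverities: because the first isSafe rule only needs some rating outside the not-allowed list, a vulnerability that carries both a Critical and a High rating counts as safe.

```python
"""Offline trace of the sample ScanPolicy's Rego logic (added example)."""

# Mirrors notAllowedSeverities and ignoreCves in the policy.
NOT_ALLOWED_SEVERITIES = {"Critical"}
IGNORE_CVES = set()


def _as_list(value):
    """The Rego unions the scalar and list form of each field; accept both."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def severities_of(vuln):
    """Set of severity strings attached to one vulnerability record."""
    ratings = _as_list(vuln.get("ratings", {}).get("rating"))
    return {r["severity"] for r in ratings if "severity" in r}


def is_safe(vuln, not_allowed=NOT_ALLOWED_SEVERITIES, ignore=IGNORE_CVES):
    """Mirror of the two isSafe rules.

    Rule 1: safe if SOME rating is outside not_allowed (so a vulnerability
    rated both Critical and High is safe under the default policy).
    Rule 2: safe if the CVE id is on the ignore list (the Rego's match.id
    comparison is assumed here).
    """
    if vuln.get("id") in ignore:
        return True
    return any(sev not in not_allowed for sev in severities_of(vuln))


def deny(bom, not_allowed=NOT_ALLOWED_SEVERITIES, ignore=IGNORE_CVES):
    """Mirror of the deny rule: one message per non-safe vulnerability."""
    msgs = []
    for comp in _as_list(bom["components"]["component"]):
        vulns = _as_list(comp.get("vulnerabilities", {}).get("vulnerability"))
        for vuln in vulns:
            if not is_safe(vuln, not_allowed, ignore):
                msgs.append(
                    f"CVE {comp['name']} {vuln['id']} {sorted(severities_of(vuln))}"
                )
    return msgs


def compliance_status(bom, not_allowed=NOT_ALLOWED_SEVERITIES, ignore=IGNORE_CVES):
    """Condense the deny set into the shape the page shows in Status.Conditions."""
    msgs = deny(bom, not_allowed, ignore)
    if msgs:
        return {"reason": "EvaluationFailed",
                "message": f"Policy violated because of {len(msgs)} CVEs"}
    # Passing reason string is assumed; the page only documents the failing one.
    return {"reason": "EvaluationPassed", "message": "No policy violations"}


# Constructed BOM: one scalar-form and one list-form vulnerability block,
# one multi-rating vulnerability, and one component with no findings.
SAMPLE_BOM = {
    "components": {
        "component": [
            {"name": "libssl1.1",
             "vulnerabilities": {"vulnerability": [
                 {"id": "CVE-0000-0001",
                  "ratings": {"rating": {"severity": "Critical"}}},
                 {"id": "CVE-0000-0002",
                  "ratings": {"rating": [{"severity": "High"}]}},
             ]}},
            {"name": "zlib",
             "vulnerabilities": {"vulnerability":
                 {"id": "CVE-0000-0003",
                  "ratings": {"rating": [{"severity": "Critical"},
                                         {"severity": "High"}]}}}},
            {"name": "busybox"},
        ]
    }
}

if __name__ == "__main__":
    for m in deny(SAMPLE_BOM):
        print(m)
    print(compliance_status(SAMPLE_BOM))
    print("Critical+High:", compliance_status(SAMPLE_BOM, {"Critical", "High"}))
```

Run as a script to list the violations the default policy would produce; pass a wider not_allowed set or an ignore set to see how the violation count moves before you commit the change to the ScanPolicy.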

(Optional) Set up a watch

Before deploying, set up a watch in another terminal to view the process:

watch kubectl get scantemplates,scanpolicies,sourcescans,imagescans,pods,jobs

For more information about setting up a watch, see Observing and Troubleshooting.

Deploy the resources

kubectl apply -f sample-public-image-scan-with-compliance-check.yaml

View the scan results

kubectl describe imagescan sample-public-image-scan-with-compliance-check

The Status.Conditions includes a Reason: EvaluationFailed and Message: Policy violated because of 21 CVEs.

For more information about scan status conditions, see Viewing and Understanding Scan Status Conditions.

Modify the ScanPolicy

To modify the Scan Policy, see Step 5: Sample Public Source Code Scan with Compliance Check.

Clean up

To clean up, run:

kubectl delete -f sample-public-image-scan-with-compliance-check.yaml
