Defining path to container images

To start scanning, the solution needs to determine the path to the container images that need to be scanned. The path to container images can be specified in two ways:

• By specifying an image tag after the registry name, repository name, and image name. The tag is a changeable and easy-to-read description of the image.

  In this case, the path looks as follows: <registry>/<repository>/<image name>:<tag>. For example, http://docker.io/library/nginx:1.20.1.

• By specifying an image digest after the registry name, repository, and image name. A digest is an integral internal property of an image, specifically a hash of its contents (the SHA256 hash algorithm is used).

  When using a digest, the path is formed as follows: <registry>/<repository>/<image name><digest>. For example, http://docker.io/library/nginx@sha256:af9c...69ce.

A tag can match different digests, whereas digests are unique for each image.

Depending on the method used to specify the image path, Kaspersky Container Security performs one of the following actions before scanning:

• Converts the tag to a trusted digest.
• Checks whether the digest specified in the image path is trusted. A digest is considered trusted if it ensures the required degree of confidence in maintaining the desired protection relative to the object encoded using the hash algorithm.

Only trusted digests are sent to the container runtime.

Before running a container, the content of the image is compared with the received digest. To recognize a digest as trusted and the image as not corrupted, Kaspersky Container Security checks the integrity and authenticity of the image signature.