Vulnerability Scanning Container Directory Exclusion
Summary
Directories that store container image layers are excluded by default from vulnerability scanning in Tenable Vulnerability Management, Tenable Security Center and Nessus. The excluded directories are the ones configured as container storage by the container management solution:
Docker: The "Docker Root Dir:" value returned by the "docker info" command. This is /var/lib/docker by default.
Podman: The "graphRoot:" value returned by the "podman system info" command. This is /var/lib/containers/storage by default.
containerd: The top-level "root =" value returned by the "containerd config dump" command (effective configuration) or the "containerd config default" command (built-in defaults). This is /var/lib/containerd by default.
CRI-O: The "storage graph root:" value returned by running "crio status info". This is /var/lib/containers/storage by default.
What is the impact?
Vulnerabilities previously detected by scanning these directories will be marked as mitigated on the next scan, and the findings will not be returned by future scans. These findings come from examining container image layers on the filesystem: the container does not need to be running for them to appear, so they do not necessarily represent risk to your organization, and customers generally treat them as false positives because the images belong to managed container deployments. Tenable Cloud Security is designed to secure container images and provide pre-deployment validation.
Recursively scanning these directories is resource and time consuming, so excluding them may also reduce scan times.
Can I override the change?
You can add an Include Filepath rule to your scan configuration to override the default exclusion. This setting is found under the scan policy's Advanced Options. Be aware that overriding the default behavior can affect scan performance and can return findings that cannot be remediated on the host because they sit inside a managed container image.
To include a directory that is excluded automatically, the user include filepath must match the excluded directory exactly. Example: if your Docker configuration uses /var/lib/docker for container storage, add /var/lib/docker to your user filepath inclusions. Adding a more specific path (a subdirectory) or a less specific path (a parent directory) has no effect.
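The two steps above, querying each runtime for its storage root and then checking whether a candidate Include Filepath matches that root exactly, as an added POSIX shell example. This is not Tenable's code; the runtime outputs embedded below are constructed samples that mimic the formats the page names, the parsers only extract the fields the page points at, and `live_roots` assumes the runtime binaries are on PATH. Trailing-slash stripping in the match check is an assumption, not something the page states.

```shell
#!/bin/sh
# Constructed sample outputs (not real captures), shaped like what each runtime prints.
DOCKER_INFO_SAMPLE='Server:
 Containers: 3
 Docker Root Dir: /srv/docker
 Debug Mode: false'

PODMAN_INFO_SAMPLE='store:
  configFile: /etc/containers/storage.conf
  graphRoot: /var/lib/containers/storage
  graphDriverName: overlay'

CONTAINERD_CONFIG_SAMPLE='version = 2
root = "/var/lib/containerd"
state = "/run/containerd"'

CRIO_STATUS_SAMPLE='cgroup driver: systemd
storage driver: overlay
storage graph root: /var/lib/containers/storage'

# Each parser takes the raw command output as $1 and prints the storage root.
docker_root()     { printf '%s\n' "$1" | sed -n 's/^ *Docker Root Dir: *//p'; }
podman_root()     { printf '%s\n' "$1" | sed -n 's/^ *graphRoot: *//p'; }
# Only the un-indented top-level "root =" key is the containerd storage root;
# nested plugin sections have their own differently named keys.
containerd_root() { printf '%s\n' "$1" | sed -n 's/^root *= *"\(.*\)"/\1/p'; }
crio_root()       { printf '%s\n' "$1" | sed -n 's/^ *storage graph root: *//p'; }

# The page states an Include Filepath overrides the exclusion only if it matches the
# excluded directory exactly; a parent or a subdirectory has no effect.
# Assumption (not from the page): a trailing slash is ignored before comparing.
include_overrides_exclusion() {
  excluded=$(printf '%s' "$1" | sed 's:/*$::')
  include=$(printf '%s' "$2" | sed 's:/*$::')
  [ "$excluded" = "$include" ]
}

# Query whichever runtimes are installed on this host, using the commands the page
# names. Assumes the binaries are on PATH; prints nothing for runtimes that are absent.
live_roots() {
  command -v docker     >/dev/null 2>&1 && docker_root     "$(docker info 2>/dev/null)"
  command -v podman     >/dev/null 2>&1 && podman_root     "$(podman system info 2>/dev/null)"
  command -v containerd >/dev/null 2>&1 && containerd_root "$(containerd config dump 2>/dev/null)"
  command -v crio       >/dev/null 2>&1 && crio_root       "$(crio status info 2>/dev/null)"
  return 0
}

# Usage: for every storage root found on this host, report whether the include
# filepath given as $1 would actually override the default exclusion.
check_include() {
  live_roots | while IFS= read -r root; do
    if include_overrides_exclusion "$root" "$1"; then
      printf 'include %s overrides exclusion of %s\n' "$1" "$root"
    else
      printf 'include %s has no effect on excluded %s (must match exactly)\n' "$1" "$root"
    fi
  done
}
```

Run `check_include /var/lib/docker` on a host with Docker installed to confirm the rule you plan to add matches the root the scanner will exclude; a non-default "Docker Root Dir" or "graphRoot" is the usual reason an override silently does nothing.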
What are the affected plugins?
At the time this release highlight was published, the following plugins rely on find-based filesystem enumeration and are therefore affected by the exclusion:
- 142023 - Apache Cassandra Installed (Linux)
- 133766 - Apache Maven Installed (Linux / Unix)
- 135172 - Oracle NoSQL Database Installed (Linux)
- 117706 - MagniComp SysInfo Installed (Linux/UNIX)
- 111679 - FasterXML Jackson Databind Detection for Linux/UNIX
- 112063 - Kubernetes Installed (Linux)
- 136340 - nginx Installed (Linux/UNIX)
- 131566 - Atlassian Jira Installed (Unix / Linux)
- 147817 - Java Detection and Identification (Linux / Unix)
- 132771 - Palo Alto Cortex XSOAR Installed (Unix / Linux)
- 132872 - Foxit Reader Installed (Linux)
- 174788 - SQLite Local Detection (Linux)
- 151883 - Libgcrypt Installed (Linux/UNIX)
- 99671 - Apache Struts Detection for Linux/UNIX
- 156000 - Apache Log4j Installed (Linux / Unix)
- 141394 - Apache HTTP Server Installed (Linux)
- 71642 - Oracle Installed Software Enumeration (Linux / Unix)
- 156551 - Oracle MySQL Enterprise Monitor Installed (macOS)
- 124276 - Oracle Tuxedo Installed (Linux/UNIX)
- 73913 - Oracle WebLogic Server Detection
- 133962 - Sophos Anti-Virus Installed (Linux)
- 186361 - VMWare Tools or Open VM Tools Installed (Linux)
- 187057 - OwnCloud OwnCloud Installed (Linux)
- 70349 - Adobe Acrobat Installed (Mac OS X)
- 72202 - JBoss Detection
- 147022 - SAP Adaptive Server Enterprise (ASE) Installed (Linux)
- 163488 - Terraform Configuration Detection for Linux/UNIX
- 77028 - IBM Installation Manager Detection (Linux / Unix)
- 145032 - IBM WebSphere eXtreme Scale (Linux)
- 144633 - IBM MQ Server and Client Installed (Linux)
- 136341 - Dell EMC Data Protection Central Installed (Linux)
- 133964 - SELinux Status Check
- 159273 - Dockerfile Detection for Linux/UNIX
- 174164 - Google Protobuf Go Module Installed (Linux/UNIX)
- 158567 - Citrix Workspace App Installed (nix)
- 55420 - Adobe Reader Installed (Mac OS X)
Target Release Date
April 30, 2025