Containers FAQ

Containers

What is Armor Anywhere for containers?

Armor Anywhere for containers extends Armor Anywhere to container-based workloads. Containers are a standardized unit of software that packages an application together with its dependencies so it runs consistently from one environment to another. As more companies develop applications in the cloud or move platforms to a microservices architecture, containers become a useful way to do that work. For more information on containers, please visit Docker's documentation.

Does Armor Anywhere for containers use the Armor Agent?

No. By the nature of container design, which abstracts the containerized application from the container host's operating system, the Armor Agent has no visibility into the container images themselves. To cover images, you instead configure a container sensor.

Besides using a sensor for your container images, Armor recommends that you also install the Armor Agent on the container hosts themselves. This combination provides the maximum possible security value for your container-based workloads.

How am I charged for Armor Anywhere for containers?

Armor Anywhere for containers is priced based on the number of connectors you have configured. Current pricing can be found on the sign-up page within the Armor Management Portal (AMP).

Each connector you configure requires a 12-month subscription. For example, a connector configured today first appears on next month's invoice and then on each monthly invoice for the remainder of the 12-month term.


Connectors

How many connectors will I need to configure?

Connectors are vendor-specific: a connector defined for Amazon ECR cannot be reused or shared with Azure, Google, or Docker Hub. In most cases you will need a single connector per vendor type. For example:

  • If you use registries in both Amazon and Azure, you need two separate connectors.

  • Amazon ECR provides one registry per AWS account. If you use registries in multiple AWS accounts, each account requires its own connector.

When configuring a repository, are tags required?

Tags are required: the Armor platform uses them to define scan baselines, and they let you keep only the images you want within scan scope.

Once a baseline has been established for a repository, any new image pushed to it has a new image ID, and the Armor platform picks up that change automatically.

There is a known bug where image changes are not always detected by the Armor platform. For example, you may push a new image to a repository and find that, after the overnight scan completes, it does not appear within AMP. Until this is fixed, the workaround is to delete your AMP registry configuration and recreate it with the desired tags.

What is the scan lifecycle?

When a repository and its tags are newly configured, the Armor platform performs an initial scan known as the baseline.

In addition, each registry is enrolled in a daily recurring scan schedule. Once per day, between 00:00 and 06:00 UTC, the Armor platform rescans your repositories. Once the scan completes, newly detected images are added to the AMP image catalog, and any newly detected vulnerabilities are available for review.

Ad-hoc (on-demand) scanning is not yet supported. If you need results sooner than the next scheduled scan, the current workaround is to delete your AMP registry configuration and recreate it with the desired tags, which triggers a new baseline scan.
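A check a practitioner can run against the tag-scoping, image-ID and daily-schedule behaviour described above (an added example, not Armor's or AWS's code): it takes a repository listing in the shape of `aws ecr describe-images` JSON output, the set of image digests AMP currently lists for that repository, and the tags configured on it, and separates images AMP should already have (candidates for the detection bug, where the delete/recreate workaround applies) from images that were simply pushed during or after the last 00:00-06:00 UTC window and will show up on the next run. The sample listing, catalog and tag set are constructed; the field names follow the AWS CLI's JSON output.

```python
"""Reconcile an ECR repository listing against the AMP image catalog.

Added example (not Armor's or AWS's code). It assumes the registry listing is
in the JSON shape printed by `aws ecr describe-images` and that the set of
digests AMP currently lists for the repository has been exported by hand.
All sample data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, in the shape of `aws ecr describe-images --repository-name api`.
ECR_DESCRIBE_IMAGES = json.dumps({
    "imageDetails": [
        {"repositoryName": "api", "imageDigest": "sha256:aaaa", "imageTags": ["v1.0", "latest"],
         "imagePushedAt": "2024-05-01T09:12:00+00:00"},
        {"repositoryName": "api", "imageDigest": "sha256:bbbb", "imageTags": ["v1.1"],
         "imagePushedAt": "2024-05-02T18:30:00+00:00"},  # pushed before the last window, absent from AMP
        {"repositoryName": "api", "imageDigest": "sha256:cccc", "imageTags": ["v1.2"],
         "imagePushedAt": "2024-05-03T07:05:00+00:00"},  # pushed after the last window closed
        {"repositoryName": "api", "imageDigest": "sha256:dddd", "imageTags": ["dev"],
         "imagePushedAt": "2024-05-01T10:00:00+00:00"},  # tag not configured in AMP
        {"repositoryName": "api", "imageDigest": "sha256:eeee",
         "imagePushedAt": "2024-05-01T11:00:00+00:00"},  # untagged image (no imageTags key)
    ]
})
AMP_CATALOG_DIGESTS = {"sha256:aaaa"}               # constructed: what AMP showed this morning
TAGS_IN_SCOPE = {"v1.0", "v1.1", "v1.2", "latest"}  # tags configured on the AMP repository
NOW = datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)


def last_scan_window(now):
    """Start and end of the most recent *completed* daily window (00:00-06:00 UTC)."""
    now = now.astimezone(timezone.utc)
    start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    end = start + timedelta(hours=6)
    if now < end:  # today's window is still open (or not started): use yesterday's
        start -= timedelta(days=1)
        end -= timedelta(days=1)
    return start, end


def reconcile(describe_images_json, catalog_digests, tags_in_scope, now):
    """Classify each registry image by whether AMP should already list it.

    missing  - in scope, pushed before the last completed window, not in AMP:
               the detection bug described above; apply the delete/recreate workaround.
    pending  - in scope, pushed during or after the last window: expect it next run.
    """
    window_start, _ = last_scan_window(now)
    report = {"catalogued": [], "missing": [], "pending": [], "out_of_scope": []}
    for img in json.loads(describe_images_json)["imageDetails"]:
        digest = img["imageDigest"]
        if not set(img.get("imageTags", [])) & tags_in_scope:
            report["out_of_scope"].append(digest)  # untagged, or tag not configured in AMP
            continue
        pushed = datetime.fromisoformat(img["imagePushedAt"]).astimezone(timezone.utc)
        if digest in catalog_digests:
            report["catalogued"].append(digest)
        elif pushed < window_start:
            report["missing"].append(digest)
        else:
            report["pending"].append(digest)
    return report


def example_report():
    return reconcile(ECR_DESCRIBE_IMAGES, AMP_CATALOG_DIGESTS, TAGS_IN_SCOPE, NOW)


if __name__ == "__main__":
    for bucket, digests in example_report().items():
        print(f"{bucket:13s} {', '.join(digests) or '-'}")
```

Images pushed during the 00:00-06:00 UTC window are deliberately counted as pending rather than missing, since the page does not say at what point inside the window a given registry is scanned; only an in-scope image pushed before the window opened and still absent afterwards is evidence of the detection bug.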


Registries and Sensors

What is a sensor?

The container sensor is a Docker image that you deploy as a container alongside your other containers on a container host. The sensor discovers and catalogs the images in your configured container registries, scans them for vulnerabilities, and delivers its scan results to the Armor platform for reporting and remediation. The sensor container runs in non-privileged mode and requires persistent storage for storing and caching files.

Installing at least one sensor is a prerequisite to configuring your container registry.

What container registries are supported?

Armor Anywhere for containers supports the following public cloud container registries:

  • AWS Elastic Container Registry (ECR)

  • Azure Container Registry

  • Google Cloud Container Registry

  • Docker Hub

Limitation on Supported AWS Regions

The following AWS Regions are not yet supported when configuring a container registry within the Armor platform:

  • AWS GovCloud (US-East)

  • AWS GovCloud (US-West)

  • US East (Ohio)


Data Lake

What is a data lake?

A data lake is a centralized repository for storing structured and unstructured data. For Armor Anywhere for containers, it houses every vulnerability detected in your container images, in a format similar to what Armor captures for VM hosts.

What can be done with the data lake?

The data lake can be used to track how reports change over time, examine data related to specific controls or resources, or build visualizations.

