🔴 Container Image Compliance Violations - 1 images

🔴 Container Image Compliance Violations

Your project has 1 container images that violate the 365-day retention policy.

Summary

• Ancient Images (>365 days): 1
• Critical Images (180-365 days): 0
• Risk Level: CRITICAL
• Compliance Status: ❌ Non-Compliant

Violating Images

Image	Age (days)	Risk Level	Last Updated	Action Required
registry.gitlab.com/haynes/jacoco2cobertura:1.0.9	1160	🔴 Ancient	2022-09-09	Remove or rebuild immediately

Compliance Impact

These violations affect multiple compliance frameworks:

• ❌ NIST Cybersecurity Framework - Asset Management (ID.AM)

  • Requirement: Maintain current inventory and remove outdated assets

• ❌ CIS Docker Benchmark - Control 4.6

  • Requirement: Ensure old containers are removed

• ❌ PCI-DSS - Control 6.2

  • Requirement: Ensure all system components are protected from known vulnerabilities

• ❌ SOC 2 Type II - CC6.1

  • Requirement: Remove unnecessary software and maintain current versions

• ❌ ISO 27001 - A.12.6.1

  • Requirement: Management of technical vulnerabilities

• ⚠️ Potential Audit Findings: These violations may result in findings during PCI-DSS, SOC 2, or ISO 27001 audits

Security Risks

Why old container images are dangerous:

1. Known Vulnerabilities: Images older than 180 days likely contain known CVEs
2. Unpatched Dependencies: Base images and libraries are outdated
3. Attack Surface: Each old image increases the attack surface
4. Compliance Violations: Fails multiple security frameworks
5. Audit Findings: May result in compliance audit failures

Required Actions

Immediate (This Week)

1. Review Ancient Images (1 images)

   • Verify if still in use in production
   • Document business justification if must be retained
   • Remove unused images immediately

2. Check Deployment Status

   # Check if image is deployed
   kubectl get pods --all-namespaces -o jsonpath='{..image}' | tr -s '[[:space:]]' '\n' | grep <image-name>

Short-term (This Month)

3. Rebuild Critical Images (0 images)

   • Update to latest base images
   • Rebuild with current dependencies
   • Update CI/CD pipelines

4. Implement Automated Scanning

   • Add image scanning to CI/CD pipeline
   • Set up automated vulnerability alerts
   • Configure image retention policies

Long-term (This Quarter)

5. Establish Governance
   • Create image lifecycle policy
   • Set up monthly automated rebuilds
   • Implement image promotion strategy (dev → staging → prod)
   • Schedule quarterly compliance reviews

Remediation Steps

Option 1: Remove Unused Images

# If image is not deployed anywhere
docker rmi <image-name>
# Or via registry API
curl -X DELETE <registry-url>/v2/<image-path>/manifests/<digest>

Option 2: Rebuild Images

# Update Dockerfile with latest base image
FROM ubuntu:24.04  # Instead of ubuntu:20.04

# Rebuild
docker build -t <image-name>:latest .
docker push <image-name>:latest

Option 3: Document Exception

If image must be retained for business reasons:

1. Document justification in this issue
2. Add compliance-exception label
3. Schedule rebuild within 30 days
4. Get approval from security team

Resources

• 📊 Full Compliance Report
• 📖 Container Image Best Practices
• 🔒 CIS Docker Benchmark
• 📋 NIST Cybersecurity Framework

Questions?

Contact the Security Team:

• Slack: #security
• Email: security@canadalife.com

---

This issue was automatically created by the Container Registry Compliance Scanner. Report Date: 2025-11-12 22:27 UTC Project: haynes/jacoco2cobertura