Private Locations Image Scan Requirements

1 Introduction

This document is targeted at those responsible for security auditing on Customer sites.

BlazeMeter scans all images and components with every release and schedules fixes for discovered vulnerabilities according to published Service Level Agreements (SLAs) and our internal SSDLC (Secure Software Development Lifecycle) Policy. Internal security auditors, or anyone at a Customer site responsible for security, may conduct their own additional vulnerability scans and provide the results to BlazeMeter. To accept and respond to the results of externally conducted scans, BlazeMeter needs those scans to meet certain requirements, which this document describes.

Submitted scans must meet these requirements for BlazeMeter engineering to be able to consider them.

2 Images

BlazeMeter accepts external scans only for the images of agents installed on your Private Location. In the Private Location settings, enable only the capabilities that you will actually use.

Install the latest versions of the images before scanning the Private Locations.

To stay up to date on the latest released versions of images, subscribe to the RSS feed specified in the Enable RSS Subscription for Image Updates article.

You can check the version of the installed images on a Private Location agent by executing the following command from a command prompt on the Private Location agent host:

> sudo docker images

You can also use the BlazeMeter Private Location Image Versions API to obtain the images installed on a specific Private Location agent together with their exact version numbers.

Enable auto update to update the agents of a Private Location to the latest Docker images. To check whether auto updates are enabled for Private Locations, use the following API:

curl "https://a.blazemeter.com/api/v4/private-locations/${harborId}" --user "${api_key}:${api_secret}" | jq '.result.ships[].isAutoUpadate'

Scan reports must contain explicit version numbers; do not use floating labels such as “latest”.

3 Image Version Support and Backwards Compatibility

Images and components within images are supported only for the latest dot version of any component, the two previous dot versions, and for all dot versions of components released within the last two months. In addition, BlazeMeter ensures backwards compatibility for dot versions that fall into this definition.

For example, if the current version of a component is 2.6.42, then 2.6.42, 2.6.41, and 2.6.40 are supported. If 2.6.39 was released within the last two months, it is also supported. In a major version release, for example when version 2.7.1 is released as the next version after 2.6.42, then 2.7.1, 2.6.42, and 2.6.41 are supported.
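The support window described above, implemented as an added Python check for auditors reconciling scanned image tags against the policy (this is not BlazeMeter code). The release history is constructed sample data, and "two months" is taken to mean two calendar months; it also rejects the floating "latest" tag that scan reports must not use.

```python
import calendar
from datetime import date

# Constructed sample release history (version -> ISO release date); not BlazeMeter's real data.
RELEASES = {
    "2.6.38": "2024-01-05",
    "2.6.39": "2024-03-20",
    "2.6.40": "2024-03-28",
    "2.6.41": "2024-04-10",
    "2.6.42": "2024-04-25",
}

def parse_version(version):
    """Turn '2.6.42' into (2, 6, 42) so versions sort numerically rather than lexically."""
    return tuple(int(part) for part in version.split("."))

def two_months_before(day):
    """Calendar date two months before `day`, clamped to the shorter month's last day."""
    month, year = day.month - 2, day.year
    if month <= 0:
        month, year = month + 12, year - 1
    return date(year, month, min(day.day, calendar.monthrange(year, month)[1]))

def supported_versions(releases, today):
    """Versions in support on `today` (ISO string): the latest dot version, the two
    dot versions before it, plus every dot version released in the last two months."""
    cutoff = two_months_before(date.fromisoformat(today))
    newest_first = sorted(releases, key=parse_version, reverse=True)
    supported = set(newest_first[:3])
    supported.update(v for v, d in releases.items() if date.fromisoformat(d) >= cutoff)
    return supported

def classify_tag(tag, releases, today):
    """Decide whether an image tag taken from a scan report is acceptable for submission."""
    if tag == "latest":
        return "rejected: floating tag, report the explicit version instead"
    if tag not in releases:
        return "rejected: unknown version"
    return "supported" if tag in supported_versions(releases, today) else "unsupported"

if __name__ == "__main__":
    for tag in ("latest", "2.6.42", "2.6.39", "2.6.38"):
        print(tag, "->", classify_tag(tag, RELEASES, "2024-04-30"))
```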

4 Allowed Scanning Tool and Settings

Only scan results from Palo Alto Prisma Cloud (formerly TwistLock) configured with the default settings are accepted.

In addition, any vulnerabilities without a published fix must be excluded from the results.

BlazeMeter’s docker images are based on Ubuntu and Alpine Linux distributions. Settings of Palo Alto Prisma Cloud must be configured accordingly.

Here is a list of components with their base Linux distributions:

Component                              Base Linux distribution
Crane                                  Alpine
charmander                             Ubuntu
taurus-cloud (v4)                      Ubuntu
proxy-recorder                         Alpine
apm-image (apm)                        Alpine
service-mock (Service Virtualization)  Alpine

5 Vulnerabilities

Vulnerabilities detected by automated image scans must be reviewed by BlazeMeter Engineering before they are officially accepted, because image scans commonly produce false positives. Critical and High severity vulnerabilities are fixed according to their respective SLAs (please contact your CSM for specific SLA details). Timelines for fixing vulnerabilities in 3rd party components depend on the providers of those components.

6 Scan Results

To report vulnerabilities detected by a scan, please open a ticket with BlazeMeter support and attach a copy of the scan results to the ticket.