Findings Verified

Note: All approvals are deprecated, Iron Bank does not "approve" containers for use.

Simplifying approvals terminology


In an effort to continually improve Iron Bank, we have listened to your feedback and have simplified the image statuses. The previous image statuses and terminology were causing a lot of confusion amongst users, so we have simplified them down to one term: Findings Verified. Keep reading to find out more about this new update.

More About Findings Verified

Image Status

All previously existing Image Statuses (Approved, Conditionally Approved, Verified, Unverified) and container expirations have been removed.

Iron Bank now uses a single Findings Verified: XX% status. The percentage is the number of findings that have been verified divided by the total number of findings. An image that has no findings scores 100%. Hardening requirements that are not captured in the Vulnerability Assessment Tracker (VAT) as findings are reviewed on initial and subsequent pull requests, so they do not impact this score.

For a finding to be verified, an Iron Bank team member must manually review the finding, its designation, and the submitted justification within an Iron Bank image.

Goals and Motivations

We made this change for a few reasons. Feedback from multiple users stated that the previous terminology was confusing and difficult to understand (Approved, Conditionally Approved, Verified, Unverified). With this in mind, we decided to simplify it to one term, Findings Verified.

Container reviews have been point-in-time and have not been required to be reverified. With the previous statuses, images could be approved/verified with many new findings unreviewed. Findings Verified creates a system that requires these findings to be manually reviewed and will soon set expirations on the findings so that they must be reverified (see Coming Soon below for more information).

What This Change Affects

It's important to keep in mind that the Findings Verified score does not necessarily mean the container is good, but it does show whether an Iron Bank team member manually reviewed the present findings, their designations, and the submitted justifications within an Iron Bank image. Iron Bank strives to give users tools to better understand the potential risks their program may assume by using a container; we do not aim to say whether a container should be used or not.

For more information, join our weekly Ask Me Anythings.

Coming Soon

Reverified

Findings will need to be reverified within a certain timeframe based on their severity, as shown in the chart below. Findings that have not been reverified lose their verification status.

Previously, container reviews were point-in-time and were not required to be reverified. Images could be approved/verified with many new findings unreviewed. Findings Verified creates a system that requires these findings to be manually reviewed.

| Severity | Reverification |
|----------|----------------|
| Critical | 90 days        |
| High     | 180 days       |
| Medium   | 365 days       |
| Low      | N/A            |
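The following is an added example, not Iron Bank's own code or the VAT's scoring logic, that models the score described under Image Status together with the reverification windows in the chart above: a finding counts as verified only if a reviewer verified it and that verification has not aged past the window for its severity, and an image with no findings scores 100%. It assumes that "N/A" for Low means no reverification requirement, that the window is inclusive of its last day, and that the percentage is rounded to a whole number; the finding identifiers, severities and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Reverification windows from the chart, in days. Low is "N/A", which this
# example treats as "never expires" (an assumption, not stated by the page).
REVERIFY_DAYS = {"Critical": 90, "High": 180, "Medium": 365, "Low": None}


@dataclass
class Finding:
    identifier: str               # constructed label, not a real VAT finding id
    severity: str                 # Critical / High / Medium / Low
    verified_on: Optional[date]   # date a reviewer verified it, None if unreviewed

    def reverify_by(self) -> Optional[date]:
        """Last day this verification is valid, or None if it never expires."""
        window = REVERIFY_DAYS[self.severity]
        if self.verified_on is None or window is None:
            return None
        return self.verified_on + timedelta(days=window)

    def is_verified(self, today: date) -> bool:
        """Verified, and not past its reverification window (inclusive)."""
        if self.verified_on is None:
            return False
        deadline = self.reverify_by()
        return deadline is None or today <= deadline


def findings_verified_score(findings: List[Finding], today: date) -> int:
    """Percentage of findings currently verified; 100 when there are none."""
    if not findings:
        return 100
    verified = sum(1 for f in findings if f.is_verified(today))
    return round(100 * verified / len(findings))


def expired_findings(findings: List[Finding], today: date) -> List[str]:
    """Identifiers of findings that were verified but have lapsed."""
    return [
        f.identifier
        for f in findings
        if f.verified_on is not None and not f.is_verified(today)
    ]


# Constructed sample data: five findings evaluated on a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "Critical", date(2024, 4, 1)),   # 61 days old: still verified
    Finding("F-2", "High", date(2023, 11, 1)),      # 213 days old: lapsed (>180)
    Finding("F-3", "Medium", date(2023, 7, 1)),     # 336 days old: still verified
    Finding("F-4", "Low", date(2021, 1, 1)),        # Low never expires (assumption)
    Finding("F-5", "Critical", None),               # never reviewed: not verified
]

if __name__ == "__main__":
    print(f"Findings Verified: {findings_verified_score(SAMPLE_FINDINGS, TODAY)}%")
    print("Need reverification:", expired_findings(SAMPLE_FINDINGS, TODAY))
```

With the sample data, three of five findings are verified on the evaluation date, so the image reports Findings Verified: 60%, and F-2 is flagged as needing reverification. Note that the score only reflects reviewer attention to findings, not whether the container is safe to run.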