Re-Scanning Old Image Tags

In the past, when an image’s tag was changed in hardening_manifest.yaml, the old tag was never scanned again.

Now, the POPs team has added a new feature to the nightly build and the ironbank-pipeline that allows old image tags to be re-scanned. As of March 25, 2025, we are constantly scanning all images used in the latest 3 Big Bang releases. Other images will also be added to the list as we expand capabilities.

How It Works:

  1. The old tags are pulled from the published registry.
  2. They are scanned for security issues.
  3. The scan results are posted to VAT (Vulnerability Assessment Tool).
  4. Their attestations are replaced with updated information.

This means customers can now see the latest CVE (Common Vulnerabilities and Exposures) details for images that are no longer actively maintained by the Iron Bank team.