Tracking Vulnerability Burndown in Container Images for RMF
To track the vulnerability burndown of images using scans, you record the open vulnerabilities per image tag and track that number over time. Images are not patched "in place" like workstations, servers, or virtual machines. To reduce scan findings and produce a more secure image, you update your base image, update your code and components, rebuild the image from those, and increment the tag according to your versioning process and structure.
In OpenRMF Professional v2.12 coming out May 2025, you can automatically track your image vulnerability burndown over time. Just like you do with your patch vulnerabilities, software vulnerabilities, and checklist compliance vulnerabilities. Upload your image vulnerability scans (Trivy, Grype, Amazon ECR, JFrog CLI, generic) and let us do the work for you!
Tracking Vulnerabilities in General
For normal operating system patching, you scan your machines or devices, patch based on what you find and what is available, then re-scan and note the differences: what is unchanged, what is closed out, and what is newly found based on updated patch definitions and findings. You track this over time.
You follow a similar process for compliance checklists: run your compliance scans (SCAP, audit compliance, manual) and update the checklists. Those vulnerabilities are tracked historically as well.
And of course, you already automated all this tracking, creation, history, and artifact generation with OpenRMF Professional!
For container images the process is similar, with one difference: you produce a new tag of the image. Instead of the image soteriasoft.jfrog.io/openrmfpro/openrmfpro-web:2.11.02 being patched in place, you patch the base image you use (if any), recompile your code, and build a new image soteriasoft.jfrog.io/openrmfpro/openrmfpro-web:2.11.03. Note that the tag increased by 1, from 02 to 03.
Because of this standard process, you need a reliable way to track your vulnerability counts per tag over time and show them trending down as close to 0 as possible.
And this must be automated. You have enough other things to do.
Tracking your Image Vulnerabilities over Time
Enter OpenRMF Professional to do just that!
Load your Grype, Trivy, Amazon ECR, JFrog CLI or generic format scans (other native ones coming soon) and watch it do the work for you.
- track critical, high, medium, and low vulnerabilities
- update those based on the image tag
- list the vulnerabilities and CVEs to track automatically
- add to and update your plan of action and milestones (POAM) based on those scans
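The re-scan-and-compare step described above (count findings per tag, then note what was closed, what carried over, and what is newly found in the next tag) is small enough to show end to end. The script below is an added example, not OpenRMF Professional code; it reads Trivy-style JSON reports (the `Results[].Vulnerabilities[]` layout with `VulnerabilityID` and `Severity` fields) for each tag of a hypothetical image and computes the burndown between consecutive tags. The image name, package names, and CVE identifiers in the sample reports are constructed placeholders, not real findings.

```python
"""Vulnerability burndown across container image tags from Trivy JSON scans.

Added example, not OpenRMF Professional code. The sample scans below are
constructed to follow Trivy's JSON layout; image name, packages and CVE ids
are placeholders.
"""
import json
import re
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def tag_key(tag):
    """Sort key so 2.11.9 orders before 2.11.10 (a plain string sort would not)."""
    return tuple(int(p) if p.isdigit() else p for p in re.split(r"[.\-]", tag))


def trivy_findings(report):
    """Return {CVE id: severity} for one parsed Trivy JSON report.

    The same CVE often appears under several targets (OS packages, app
    lockfiles, static binaries); it is counted once, keeping the most
    severe rating seen. Targets with no findings may lack the key or carry null.
    """
    findings = {}
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if sev not in SEVERITIES:
                sev = "UNKNOWN"
            if vid not in findings or SEVERITIES.index(sev) < SEVERITIES.index(findings[vid]):
                findings[vid] = sev
    return findings


def severity_counts(findings):
    counts = Counter(findings.values())
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def burndown(reports_by_tag):
    """reports_by_tag: {tag: parsed Trivy report}.

    Returns one row per tag, in tag order, with severity counts and the CVEs
    closed, carried over, or newly found relative to the previous tag.
    """
    rows, previous = [], {}
    for tag in sorted(reports_by_tag, key=tag_key):
        findings = trivy_findings(reports_by_tag[tag])
        rows.append({
            "tag": tag,
            "total": len(findings),
            "counts": severity_counts(findings),
            "closed": sorted(set(previous) - set(findings)),
            "carried": sorted(set(previous) & set(findings)),
            "new": sorted(set(findings) - set(previous)),
        })
        previous = findings
    return rows


# Constructed sample scans for a hypothetical image (placeholder CVE ids).
SAMPLE_SCANS = {
    "2.11.02": """{
      "ArtifactName": "registry.example.com/acme/web:2.11.02",
      "Results": [
        {"Target": "registry.example.com/acme/web:2.11.02 (debian 12.5)",
         "Vulnerabilities": [
           {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL"},
           {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcurl4", "Severity": "HIGH"},
           {"VulnerabilityID": "CVE-0000-0004", "PkgName": "bash", "Severity": "LOW"}]},
        {"Target": "usr/local/bin/tool",
         "Vulnerabilities": [
           {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "Severity": "HIGH"},
           {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM"}]}
      ]}""",
    "2.11.03": """{
      "ArtifactName": "registry.example.com/acme/web:2.11.03",
      "Results": [
        {"Target": "registry.example.com/acme/web:2.11.03 (debian 12.6)",
         "Vulnerabilities": [
           {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcurl4", "Severity": "HIGH"},
           {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libxml2", "Severity": "HIGH"}]},
        {"Target": "usr/local/bin/tool",
         "Vulnerabilities": [
           {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM"}]},
        {"Target": "app/package-lock.json", "Vulnerabilities": null}
      ]}""",
}


def demo():
    """Parse the constructed scans and return the burndown rows."""
    return burndown({tag: json.loads(text) for tag, text in SAMPLE_SCANS.items()})


def format_row(row):
    c = row["counts"]
    return (f"{row['tag']}: total={row['total']} C={c['CRITICAL']} H={c['HIGH']} "
            f"M={c['MEDIUM']} L={c['LOW']} closed={len(row['closed'])} "
            f"carried={len(row['carried'])} new={len(row['new'])}")


if __name__ == "__main__":
    for row in demo():
        print(format_row(row))
```

Two details matter in practice: the same CVE reported under several targets must be counted once, or the per-tag totals overstate the work left, and tags must be compared numerically, since a string sort puts 2.11.10 before 2.11.9 and would invert the burndown. To use this on real output, run `trivy image --format json -o scan.json <image:tag>` per tag and feed the parsed files into `burndown` keyed by tag.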
Running software in images and containers, locally and in cloud providers, is now standard practice. With the DoD SWFT process requiring quick vulnerability scans, a software bill of materials (SBOM), and other information to assess software for provisional approval, you must have an automated way to produce all of this.
And it must be structured toward RMF, FedRAMP, or whatever cyber compliance framework comes next, so that your whole team knows exactly where you stand BEFORE you send it off for assessment and already knows what the outcome should be.
OpenRMF Professional was built to handle this for you years ago. We saw this coming and knew we all needed to have an automated solution for it.
See OpenRMF Professional for Yourself
Want to learn more on how we are solving this cyber compliance workload problem through automation? Check out our demo site.
Get a live interactive demo with our technical team.
Or download and evaluate for yourself with our software, documentation, and online video training site.
See for yourself how we can help your team automate cyber compliance!