US 12,223,055 B2
System and method for performing hierarchical and incremental workload scanning
Ohad Tanami, Old City Jerusalem (IL); and Itay Harush, Jerusalem (IL)
Assigned to CHECK POINT SERVERLESS SECURITY LTD., Tel Aviv (IL)
Filed by CHECK POINT SERVERLESS SECURITY LTD., Tel Aviv (IL)
Filed on Jun. 8, 2022, as Appl. No. 17/835,066.
Prior Publication US 2023/0401319 A1, Dec. 14, 2023
Int. Cl. G06F 21/55 (2013.01); G06F 21/54 (2013.01); G06F 21/56 (2013.01); G06F 21/57 (2013.01)
CPC G06F 21/577 (2013.01) [G06F 21/54 (2013.01); G06F 21/554 (2013.01); G06F 21/568 (2013.01)] 20 Claims
1. A method executed by processor circuitry for performing hierarchical and incremental scanning to identify security issues in a workload executed using a set of electronic resources, the method comprising:
identifying with the processor circuitry at least one instance of the workload;
for each of the identified at least one instance, using the processor circuitry to perform hierarchical and incremental scanning by:
identifying as parent machine images one or more machine images that the instance originated from, wherein:
the parent machine images and the instance have a hierarchical tree structure as a set of related and connected nodes;
each of the nodes in the hierarchical tree structure represents one of the parent machine images or the instance;
a volume of the instance includes the entire content of each identified parent machine image, wherein a volume of each identified parent machine image includes at least a portion of the volume of the instance; and
each of the nodes in the hierarchical tree structure is at least one of:
connected to one or more child nodes of the nodes in the hierarchical tree structure as a parent node, such that the one or more child nodes originated from the parent node; or
connected to a parent node of the nodes in the hierarchical tree structure as a child node, such that the child node originated from the parent node;
determining from the parent machine images a base machine image by identifying from amongst the parent machine images a parent machine image that:
has previously been scanned to identify security vulnerabilities; and
is most closely related to the instance according to the hierarchical tree structure;
identifying differences between the volume of the instance and the content of the base machine image;
scanning the identified differences for security vulnerabilities; and
when security vulnerabilities are identified in the differences, issuing a notification based on the identified security vulnerabilities.
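The claimed procedure, as an added Python illustration that is not the patent's or Check Point's own code: the image names, package contents and vulnerability table are constructed, and the finding identifiers are placeholders rather than real CVE numbers.

```python
# Added illustration of hierarchical and incremental scanning (constructed data,
# not Check Point's implementation). A node is a machine image or a running instance.
from dataclasses import dataclass

# Constructed vulnerability table: package -> finding (placeholder ids, not real CVEs)
VULN_DB = {"openssl-1.0.1": "CVE-PLACEHOLDER-1", "log4j-2.14": "CVE-PLACEHOLDER-2"}

@dataclass
class Node:
    """One node of the image tree; volume is the set of packages it contains."""
    name: str
    volume: frozenset
    parent: "Node | None" = None   # image this node originated from
    scanned: bool = False          # has this node already been fully scanned?

def parents_of(instance: Node):
    """Walk up the tree, nearest parent first (the images the instance came from)."""
    n = instance.parent
    while n is not None:
        yield n
        n = n.parent

def pick_base_image(instance: Node):
    """Base image = closest ancestor that was previously scanned, or None."""
    for img in parents_of(instance):
        if img.scanned:
            return img
    return None

def scan(volume) -> dict:
    """Scan a set of packages against VULN_DB; returns {package: finding}."""
    return {pkg: VULN_DB[pkg] for pkg in sorted(volume) if pkg in VULN_DB}

def incremental_scan(instance: Node) -> dict:
    """Scan only what the instance adds over its base image (full scan if none)."""
    base = pick_base_image(instance)
    # The instance volume contains the entire base content, so the differences are
    # exactly the items absent from the base; base findings are NOT re-reported here.
    to_scan = instance.volume if base is None else instance.volume - base.volume
    findings = scan(to_scan)
    # A notification is issued only when the differences carry vulnerabilities.
    return {"base": base.name if base else None, "scanned": sorted(to_scan),
            "findings": findings, "notify": bool(findings)}

def build_sample_tree() -> Node:
    """Constructed tree: scanned OS image -> unscanned app image -> instance."""
    os_img = Node("os-base", frozenset({"bash-5.1", "openssl-1.0.1"}), scanned=True)
    app = Node("app-image", os_img.volume | {"python-3.10"}, parent=os_img)
    return Node("instance-1", app.volume | {"log4j-2.14"}, parent=app)
```

Note that the vulnerable `openssl-1.0.1` in the base image is not reported by the incremental pass; it is attributed to the earlier full scan of that image, which is the trade-off the method makes.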