Container Scan Gating

arxsec-site / library/workflows/container-scan-gating/README.md

Gates container deployments based on Endor Labs scan results and Wiz posture checks. If critical reachable findings are detected, a Slack HITL approval is required before the deployment can proceed.

Maturity: L3-4 (Enforced to Governed)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

~15 minutes per deployment of manual scan review and approval.

Connectors

| Connector | Operations | Risk Level |
|-----------|-----------|------------|
| Endor Labs | scans:read, findings:read | Low — read-only |
| Wiz | findings:read | Low — read-only |
| Slack | chat:write, reactions:read | Medium — HITL deployment gate |

How It Works

  1. Receive a container image reference from the CI/CD pipeline webhook.
  2. Query Endor Labs for the scan results of that image.
  3. Check for critical findings with confirmed reachability.
  4. Run a Wiz posture check on the container image.
  5. Apply the policy rules: deny outright if critical findings coincide with a failed posture check; otherwise, if critical reachable findings exist, request Slack HITL approval (running the posture check first means approvers are not asked about an image the deny rule would block anyway).
  6. Return a pass/fail decision to the CI/CD pipeline.

ARX Governance

Risk Classification

  • scans:read, findings:read (Endor Labs) — Low. Read-only scan queries.
  • findings:read (Wiz) — Low. Read-only posture check.
  • chat:write / reactions:read (Slack) — Medium. The HITL gate controls deployment flow.

HITL Gate Configuration

  • Operation: Deployment approval — required when critical reachable findings exist.
  • Channel: SLACK_DEPLOY_CHANNEL (configurable in arx.yaml).
  • Timeout: 30 minutes. If no approval is received, the deployment is blocked.
  • Approvers: Members of the security-team or platform-team Slack user groups.

Policy Rules

  • scans:read, findings:read — permit — automated, no approval needed.
  • Deploy with zero critical findings — permit — auto-approved.
  • Deploy with critical reachable findings — escalate — requires HITL approval.
  • Deploy with critical findings and failed Wiz posture — deny — blocked outright.
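The decision logic behind the How It Works steps and the policy rules above, as an added example that is not part of the Arx workflow or its connectors. It models the Endor Labs scan, the Wiz posture result and the Slack reactions as constructed dicts and tuples; the field names (`finding_id`, `reachable`, `passed`), the reaction emoji used for approve/reject, and the handling of the two cases the rules leave open (a failed posture check with no critical findings, and critical findings that are not reachable) are assumptions, marked in the comments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HITL_TIMEOUT = timedelta(minutes=30)                   # README: 30-minute gate timeout
APPROVER_GROUPS = {"security-team", "platform-team"}    # README: approver user groups
APPROVE_EMOJI, REJECT_EMOJI = "white_check_mark", "x"   # assumed reaction names


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str    # e.g. "CRITICAL"
    reachable: bool  # reachability verdict; field shape is an assumption


def policy(findings, posture_ok):
    """Apply the README's policy rules; returns (verdict, reason)."""
    critical = [f for f in findings if f.severity == "CRITICAL"]
    reachable = [f for f in critical if f.reachable]
    if critical and not posture_ok:
        return "deny", "critical findings and failed Wiz posture"
    if reachable:
        return "escalate", f"{len(reachable)} critical reachable finding(s)"
    if not posture_ok:
        # Posture failure with no critical findings is not covered by the
        # README's rules; this example fails closed (assumption).
        return "deny", "Wiz posture check failed"
    if critical:
        # Also not covered: critical findings without confirmed reachability.
        # Assumed to pass, since step 3 gates on reachability; kept in the audit.
        return "permit", "critical findings present but none reachable"
    return "permit", "zero critical findings"


def resolve_hitl(requested_at, reactions, membership):
    """Evaluate the Slack HITL gate from reactions on the approval message.

    reactions: iterable of (user_id, emoji, reacted_at); membership maps
    user_id -> set of Slack user group names. Only approvers count, an
    approver's reject wins if it comes first, reactions after the timeout
    are ignored, and no valid approval means blocked (fail closed).
    """
    deadline = requested_at + HITL_TIMEOUT
    for user, emoji, at in sorted(reactions, key=lambda r: r[2]):
        if at > deadline:
            break
        if not membership.get(user, set()) & APPROVER_GROUPS:
            continue  # non-approver reaction: ignored, not an error
        if emoji == REJECT_EMOJI:
            return False, user, at
        if emoji == APPROVE_EMOJI:
            return True, user, at
    return False, None, None


def gate(image, scan, posture, requested_at=None, reactions=(), membership=None):
    """Return (pass/fail verdict, audit record) for one image."""
    registry, _, rest = image.partition("/")      # "registry/repo:tag"
    repo, _, tag = rest.partition(":")
    findings = [Finding(**f) for f in scan["findings"]]
    verdict, reason = policy(findings, posture["passed"])
    audit = {
        "image": image, "registry": registry, "repository": repo, "tag": tag,
        "endor_scan_id": scan["scan_id"],
        "finding_count": len(findings),
        "critical_reachable": sum(f.severity == "CRITICAL" and f.reachable for f in findings),
        "wiz_posture_passed": posture["passed"],
        "wiz_findings": list(posture.get("findings", [])),
        "policy": verdict, "reason": reason,
    }
    if verdict == "escalate":
        approved, who, when = resolve_hitl(requested_at, reactions, membership or {})
        audit.update(hitl_approved=approved, approver=who,
                     approved_at=when.isoformat() if when else None)
        verdict = "permit" if approved else "deny"
    return verdict, audit


# Constructed sample inputs, not real connector output.
IMAGE = "registry.example.com/payments/api:1.4.2"
SCAN = {"scan_id": "scan-0001", "findings": [
    {"finding_id": "f-1", "severity": "CRITICAL", "reachable": True},
    {"finding_id": "f-2", "severity": "HIGH", "reachable": True},
]}
POSTURE_OK = {"passed": True, "findings": []}
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
MEMBERS = {"U_SEC": {"security-team"}, "U_DEV": {"app-team"}}

if __name__ == "__main__":
    reactions = [("U_DEV", APPROVE_EMOJI, T0 + HITL_TIMEOUT / 30),  # ignored: not an approver
                 ("U_SEC", APPROVE_EMOJI, T0 + HITL_TIMEOUT / 6)]
    verdict, audit = gate(IMAGE, SCAN, POSTURE_OK, T0, reactions, MEMBERS)
    print(verdict, audit["approver"], audit["approved_at"])
```

Two properties worth keeping when wiring this to the real connectors: the gate never reads an approval it cannot attribute to a member of an approver group, so a reaction from anyone else in the channel is a no-op rather than an approval; and the only path to `permit` after an escalation is an in-window approval, so a timeout or a missing response blocks the deployment as the HITL configuration above requires.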

Audit Trail

  • Container image reference, tag, and registry.
  • Endor Labs scan ID, finding count, and reachability status.
  • Wiz posture check result and finding details.
  • HITL approval decision, approver identity, and timestamp.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.

Setup Instructions

  1. Configure the Endor Labs, Wiz, and Slack connectors.
  2. Set environment variables:
  • ENDOR_NAMESPACE, ENDOR_API_KEY
  • WIZ_CLIENT_ID, WIZ_CLIENT_SECRET, WIZ_API_URL
  • SLACK_BOT_TOKEN, SLACK_DEPLOY_CHANNEL
  3. Integrate with your CI/CD pipeline via webhook trigger.
  4. Deploy with arx deploy container-scan-gating.

Schedule

Event-driven — triggered by CI/CD pipeline webhook on each container build.