InsightVM not removing stale instances automatically

Hi everyone,

I am finding it hard to keep up with the vulnerabilities of AMIs from Kubernetes nodes.

The unexpected behavior:
If the node has been removed, IVM still shows the vulnerabilities from the previous node and someone has to delete it manually in IVM. This is a constant churn for us.

Help us find a scalable solution.

The solution I threw together was an Insight Connect workflow to pull these out every day; it’s not ideal, but it does a thing. This issue shouldn’t require customer innovation to solve though. It should be baked into the product.

Can you pls help me with a step-by-step guide?

This also appears in the form of re-used IPs, especially when the following sequence happens:

  1. An asset has a partially credentialed footprint.
  2. Asset is removed and IP is reused for an asset that hasn’t been credentialed yet.
  3. InsightVM insists that the new asset has the footprint of the old asset, even if it has a relatively high confidence in the footprint. The only option is to delete the asset and rescan to reset.

I’m often seeing things that were identified as Ubuntu, but are now definitively Rocky… and even though the footprint says with high confidence that it is Rocky, that is ignored for the old footprint and it is labeled as Ubuntu. This is sub-optimal to say the least.