Git Product home page Git Product logo

kubevuln's Introduction

Version build Go Report Card Gitpod Ready-to-Code GitHub CNCF Artifact HUB FOSSA Status OpenSSF Best Practices OpenSSF Scorecard Stars Twitter Follow Slack

Kubescape

Kubescape logo

Comprehensive Kubernetes Security from Development to Runtime

Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.

Key features of Kubescape include

  • Shift-left security: Kubescape enables developers to scan for misconfigurations as early as the manifest file submission stage, promoting a proactive approach to security.
  • IDE and CI/CD integration: The tool integrates seamlessly with popular IDEs like VSCode and Lens, as well as CI/CD platforms such as GitHub and GitLab, allowing for security checks throughout the development process.
  • Cluster scanning: Kubescape can scan active Kubernetes clusters for vulnerabilities, misconfigurations, and security issues
  • Multiple framework support: Kubescape can test against various security frameworks, including NSA, MITRE, SOC2, and more.
  • YAML and Helm chart validation: The tool checks YAML files and Helm charts for correct configuration according to the frameworks above, without requiring an active cluster.
  • Kubernetes hardening: Kubescape ensures proactive identification and rapid remediation of misconfigurations and vulnerabilities through manual, recurring, or event-triggered scans.
  • Runtime security: Kubescape extends its protection to the runtime environment, providing continuous monitoring and threat detection for deployed applications.
  • Compliance management: The tool aids in maintaining compliance with recognized frameworks and standards, simplifying the process of meeting regulatory requirements.
  • Multi-cloud support: Kubescape offers frictionless security across various cloud providers and Kubernetes distributions.

By providing this comprehensive security coverage from development to production, Kubescape enables organizations to implement a robust security posture throughout their Kubernetes deployment, addressing potential vulnerabilities and threats at every stage of the application lifecycle.

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.

Demo

Please star โญ the repo if you want us to continue developing and improving Kubescape! ๐Ÿ˜€

Getting started

Experimenting with Kubescape is as easy as:

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Learn more about:

Did you know you can use Kubescape in all these places?

Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.

Kubescape-operator Helm-Chart

Besides the CLI, the Kubescape operator can also be installed via a Helm chart. Installing the Helm chart is an excellent way to begin using Kubescape, as it provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. You can find the Helm chart in the Kubescape-operator documentation.

Kubescape GitHub Action

Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the GitHub Action marketplace.

Under the hood

Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls. For image scanning, it uses Grype. For image patching, it uses Copacetic.

By default, the results are printed in a console-friendly manner, but they can be:

  • exported to JSON, junit XML or SARIF
  • rendered to HTML or PDF
  • submitted to a cloud service

It retrieves Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.

Architecture

kubescape

Otel collector - is not built-in, Otel endpoint spec is need to be added at setup Setting Otel

Community

Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the cloud-native community and are enhancing the project as the ecosystem develops.

We hold community meetings on Zoom, every other week, at 15:00 CET. (See that in your local time zone.

The Kubescape project follows the CNCF Code of Conduct.

Adopters

See here a list of adopters.

Contributions

Thanks to all our contributors! Check out our CONTRIBUTING file to learn how to join them.


Changelog

Kubescape changes are tracked on the release page

License

Copyright 2021-2024, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the LICENSE file for details.

Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project and was contributed by ARMO.

CNCF Sandbox Project

kubevuln's People

Contributors

0xt3j4s avatar amirmalka avatar avrahams avatar bvolovat avatar daniel-grunbergerca avatar dependabot[bot] avatar matanshk avatar matthyx avatar rcohencyberarmor avatar refaelm92 avatar slashben avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar

Forkers

vladklokun harshitasao mahesh994565 itscheithanya mkilchhofer matanshk oshratn matthyx fossabot daniel-grunbergerca amirmalka slashben anubhav06 0xt3j4s yrs147 devopstoday11 abinash-bit siddhikhapare luis-pinto-fanduel

kubevuln's Issues

Vulnerability scan fails to verify private registry TLS client certificate

Description

When kubevuln attempts to scan an image stored in our private registry, specifically Harbor, it reports the following error...

{
    "level": "error",
    "ts": "2024-02-05T12:01:16Z",
    "msg": "service error - ScanCVE",
    "error": "error creating SBOM: unable to load image: unable to use OciRegistry source: failed to get image descriptor from registry: Get \"https://harbor.dev.xxxx.xxxx.internal/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority",
    "wlid": "wlid://cluster-kube-xxx-xxx-xxx/namespace-xxxx/deployment-xxxx",
    "imageSlug": "harbor.dev.xxxx.xxxx.internal-support-xxxx-latest-88c2a8",
    "imageTag": "harbor.dev.xxxx.xxxx.internal/support/xxxx:latest",
    "imageHash": "harbor.dev.xxxx.xxxx.internal/support/xxxx@sha256:2c197e390019ec47c8ec4aa795430dc3b0055bf7624efca6be826f94e788c2a8"
}

Environment

OS: Ubuntu 22.04.3 LTS
Version: kubevuln v0.3.1

Steps To Reproduce

  1. Deploy kubescape-operator Helm chart v1.18.1 (kubescape v3.0.3)
  2. Scan image from private registry via HTTPS

Expected behavior

Unable to find Helm configuration setting to either add specific TLS Root CA certificate (as a Kubernetes TLS secret), or allow insecure HTTPS connections to Harbor private registry, something similar to --tls.verify=false.

Actual Behavior

Error reported shown above.

Additional context

None

Error running kubevuln

Cluster has relevancy beta installed and I assume the scan was either triggered by me restarting a deployment to test to see if anything was generated, or by me hitting "Scan" in the ARMO UI when it seemed like nothing happened.

2023-05-23 21:12:50 {"level":"info","ts":"2023-05-23T20:12:50Z","msg":"starting server"}
2023-05-23 21:12:51 {"level":"info","ts":"2023-05-23T20:12:51Z","msg":"updating grype DB"}
2023-05-23 21:12:57 {"level":"info","ts":"2023-05-23T20:12:57Z","msg":"grype DB updated"}
2023-05-23 21:31:22 {"level":"info","ts":"2023-05-23T20:31:22Z","msg":"scan started","imageID":"docker://sha256:2edf9c994f199aecfea940f65e2582eea072a6c2e2a747db5af3933a77a8ce46","jobID":"7f7cd5fb-2527-46e0-b237-b42cc7fd7430"}
2023-05-23 21:31:22 panic: runtime error: index out of range [3] with length 0 [recovered]
2023-05-23 21:31:22     panic: runtime error: index out of range [3] with length 0 [recovered]
2023-05-23 21:31:22     panic: runtime error: index out of range [3] with length 0
2023-05-23 21:31:22 
2023-05-23 21:31:22 goroutine 1058 [running]:
2023-05-23 21:31:22 go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.func1()
2023-05-23 21:31:22     /go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:383 +0x2a
2023-05-23 21:31:22 go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0xc0005ea000, {0x0, 0x0, 0x23100f0bb927f753?})
2023-05-23 21:31:22     /go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:421 +0x942
2023-05-23 21:31:22 panic({0x2424280, 0xc0005e2078})
2023-05-23 21:31:22     /usr/local/go/src/runtime/panic.go:884 +0x212
2023-05-23 21:31:22 go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.func1()
2023-05-23 21:31:22     /go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:383 +0x2a
2023-05-23 21:31:22 go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0xc000265980, {0x0, 0x0, 0xc000b2f598?})
2023-05-23 21:31:22     /go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:421 +0x942
2023-05-23 21:31:22 panic({0x2424280, 0xc0005e2078})
2023-05-23 21:31:22     /usr/local/go/src/runtime/panic.go:884 +0x212
2023-05-23 21:31:22 github.com/kubescape/kubevuln/repositories.hashFromImageID({0xc000bf40a0, 0x50})
2023-05-23 21:31:22     /work/repositories/apiserver.go:64 +0xb2
2023-05-23 21:31:22 github.com/kubescape/kubevuln/repositories.(*APIServerStore).GetCVE(0xc000500300, {0x2eba4b0, 0xc000aa82d0}, {0xc000bf40a0, 0x50}, {0x2f766d3, 0x7}, {0x2f7651c, 0x7}, {0xc000f8ea00, ...})
2023-05-23 21:31:22     /work/repositories/apiserver.go:78 +0x245
2023-05-23 21:31:22 github.com/kubescape/kubevuln/core/services.(*ScanService).ScanCVE(0xc0000ca300, {0x2eba4b0, 0xc0002c4a20})
2023-05-23 21:31:22     /work/core/services/scan.go:111 +0x6f8
2023-05-23 21:31:22 github.com/kubescape/kubevuln/controllers.HTTPController.ScanCVE.func1()
2023-05-23 21:31:22     /work/controllers/http.go:106 +0x5e
2023-05-23 21:31:22 github.com/gammazero/workerpool.worker(0x1?, 0x2?, 0x0?)
2023-05-23 21:31:22     /go/pkg/mod/github.com/gammazero/[email protected]/workerpool.go:237 +0x2a
2023-05-23 21:31:22 created by github.com/gammazero/workerpool.(*WorkerPool).dispatch
2023-05-23 21:31:22     /go/pkg/mod/github.com/gammazero/[email protected]/workerpool.go:197 +0x2dd

Generation of VEX documents by the Kubescape relevancy engine

Overview

Kubescape calculates the relevancy of container image vulnerabilities by monitoring using eBPF the application behavior and produces a filtered list of vulnerabilities. Today the results are stored in the same format as the vulnerabilities, however the VEX seems to be a much better choice to store and publish this information. Kubescape needs to publish the filtered list of vulnerabilities in a VEX format.

Solution

In the current state, the Kubevuln is watching the filtered SBOM objects, every time a new object is created or updated a filtered SBOM is created by the node-agent with only those modules that were loaded into the memory.

When a new filtered SBOM is available, the Kubevuln translates the SBOM to vulnerability list using Grype to create a filtered vulnerability list.

In the same step when the filtered vulnerability is created, Kubevuln should generate a VEX object. The object contains statements that all these vulnerabilities are loaded into the memory therefore they're relevant. This object should be stored as an API objects another vulnerability related.

See more at here

cc: @craigbox @puerco

[question] can't load config file using `CONFIG` env

Description

As mentioned in the README, we can load config file using the CONFIG env.
However, we are unable to load config file path using the CONFIG environment variable.
Kubevuln always defaults to searching the config file in the /etc/config path, even when we define a new path in the CONFIG env.

In order to run kubevuln:

  • We either add the config file named clusterData.json in the path /etc/config, the default path where kubevuln searches for it.
  • Or, we explicitly define a new path in the code here, where we want Kubevuln to search for the config file named clusterData.json, build kubevuln and then run it

If we follow any of the above 2 steps, then I am able to run it locally

Environment

OS: Ubuntu 20.04.4 LTS

Steps To Reproduce

Method 1:

  1. Build kubevuln using make
  2. Load config file using the CONFIG environment variable
    export CONFIG=path/to/clusterData.json

Method 2:

  1. Build the Docker image from the Dockerfile and run it using:
    docker run <kubevuln-built-image-name> -e CONFIG=path/to/clusterData.json

Additional Context

Is this an expected behavior or am I missing something?

service error - ScanCVE, error creating SBOM

Description

Service error - ScanCVE, error creating SBOM, error as below:

{
  "level": "error",
  "ts": "2024-08-20T07:47:58Z",
  "msg": "service error - ScanCVE",
  "error": "error creating SBOM: errors occurred attempting to resolve 'docker-upstream.AABBCC.com/istio/proxyv2@sha256:2f112f92629576':\n - docker: docker not available: failed to connect to Docker daemon. Ensure Docker is running and accessible\n - podman: podman not available: no host address\n - containerd: containerd not available: no grpc connection or services is available: unavailable\n - oci-registry: failed to get image descriptor from registry: Get \"https://docker-upstream.AABBCC .com/v2/\": Internal Server Error\n - additionally, the following providers failed with file does not exist: docker-archive, oci-archive, oci-dir, singularity, oci-dir, local-file, local-directory",
  "wlid": "wlid://cluster-arn-aws-eks-region-AWSACCOUNT-cluster-CLUSTERNAME/namespace-blobstore/deployment-gateway",
  "imageSlug": "docker-upstream.AABBCC.com-istio-proxyv2-1.22.2-distroless-629576",
  "imageTag": "docker-upstream.AABBCC.com/istio/proxyv2:1.22.2-distroless",
  "imageHash": "docker-upstream.AABBCC.com/istio/proxyv2@sha256:2f454292629576"
}

Environment

OS: AmazonLinux2
Version: 0.3.25

Steps To Reproduce

helm repo add kubescape https://kubescape.github.io/helm-charts/ ; 
helm repo update ; 
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.continuousScan=enable --set kubevuln.verbose=true

Expected behavior

No error appear.

Actual Behavior

Error as below:

{
  "level": "error",
  "ts": "2024-08-20T07:47:58Z",
  "msg": "service error - ScanCVE",
  "error": "error creating SBOM: errors occurred attempting to resolve 'docker-upstream.AABBCC.com/istio/proxyv2@sha256:2f112f92629576':\n - docker: docker not available: failed to connect to Docker daemon. Ensure Docker is running and accessible\n - podman: podman not available: no host address\n - containerd: containerd not available: no grpc connection or services is available: unavailable\n - oci-registry: failed to get image descriptor from registry: Get \"https://docker-upstream.AABBCC .com/v2/\": Internal Server Error\n - additionally, the following providers failed with file does not exist: docker-archive, oci-archive, oci-dir, singularity, oci-dir, local-file, local-directory",
  "wlid": "wlid://cluster-arn-aws-eks-region-AWSACCOUNT-cluster-CLUSTERNAME/namespace-blobstore/deployment-gateway",
  "imageSlug": "docker-upstream.AABBCC.com-istio-proxyv2-1.22.2-distroless-629576",
  "imageTag": "docker-upstream.AABBCC.com/istio/proxyv2:1.22.2-distroless",
  "imageHash": "docker-upstream.AABBCC.com/istio/proxyv2@sha256:2f454292629576"
}

Additional context

Security Slam 2023 umbrella issue

CLOMonitor report

Summary

Repository: kubevuln
URL: https://github.com/kubescape/kubevuln
Checks sets: CODE
Score: 82

Checks passed per category

Category Score
Documentation 100%
License 100%
Best Practices 63%
Security 67%
Legal n/a

Checks

Documentation [100%]

License [100%]

Best Practices [63%]

Security [67%]

  • Binary artifacts (docs)
  • Code review (docs)
  • Dangerous workflow (docs)
  • Dependencies policy (docs) CHECK FAILED
  • Dependency update tool (docs)
  • Maintained (docs)
  • Software bill of materials (SBOM) (docs)
  • Security insights (docs) CHECK FAILED
  • Security policy (docs)
  • Self-Assessment (docs) CHECK FAILED
  • Signed releases (docs)
  • Token permissions (docs)

For more information about the checks sets available and how each of the checks work, please see the CLOMonitor's documentation.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.