Releases: aquasecurity/starboard

v0.12.0-rc1

24 Aug 11:55
216c73b
Pre-release

Docker images

  • docker pull docker.io/aquasec/starboard:0.12.0-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard:0.12.0-rc1
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.12.0-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.12.0-rc1
  • docker pull docker.io/aquasec/starboard-operator:0.12.0-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.12.0-rc1

v0.11.0

03 Aug 10:51
2ea7474

Changelog

3613d41 chore(ci): Upgrade KIND from v0.9.0 to v0.11.1 (#651)
47c73dd chore(polaris): Rename properties to configure resource requirements and limits (#653)
d8a5e4e chore(polaris): upgrade polaris from v3.2 to v4.0 (#654)
c6e099e chore(trivy): Rename properties to configure resource requirements and limits (#649)
d14e28e chore(trivy): Upgrade from v0.16.0 to v0.19.2 (#656)
591ec52 chore: Bump up controller-runtime from v0.9.0 to v0.9.2 (#628)
0d612c1 chore: Bump up kube-bench from v0.5.0 to v0.6.3 (#630)
1425f26 chore: Remove deprecated CLI commands (#558)
4dace78 chore: Rename ConfigAuditResult to ConfigAuditReportData (#624)
ea6c60a chore: Rename VulnerabilityScanResult to VulnerabilityReportData (#625)
f0080b9 chore: Replace ORG_GITHUB_TOKEN secret with ORG_REPO_TOKEN (#597)
0f11ca6 chore: Update controller-runtime version from v0.7.2 to v0.9.0 (#620)
f465c1c chore: Upgrade controller-runtime from v0.9.2 to v0.9.5 (#657)
8a86fe4 chore: Use the same receiver name for Trivy plugin (#623)
431bdd5 feat(cli): Add pod template hash to vulnerability report (#599)
e6229a3 feat(cli): Run kube-bench on individual nodes (#549)
cc79d00 feat(conftest): Allow configuration of resource request and limits (#648)
72b99f1 feat(helm): Configure scanner pods tolerations and annotations (#605)
ffe3ed8 feat(polaris): Allow configuration of resource request and limits (#645)
969c7b6 feat(trivy): Allow configuration of resource request and limits (#639)
e1cb116 feat(trivy): Pass additional settings to Trivy client (#547)
ddc4a58 feat: Add PluginContext to vulnerability scan plugins (#600)
193dd7a feat: Add annotations to scan jobs spawned by Starboard (#588)
cd72228 feat: Add scope to config audit check (#626)
edb7522 feat: Add tolerations to vulnerability scan jobs (#586)
5885630 feat: Apply configurable tolerations to all kinds of scanners (#596)
7f590ba feat: Define ClusterConfigAuditReport (#622)
134b2f5 feat: Define interface for saving and finding ClusterConfigAuditReports (#643)
aaeff97 fix(cisbenchmark): Skip Windows nodes (#608)
932f453 fix: Add updateTimestamp property to Open API spec of VulnerabilityReport (#591)
fbdeff6 fix: Flaky CLI Integration Test (#593)
01a2700 refactor(cli): Use deterministic names for vulnerability scan jobs (#598)
8397fd2 refactor(trivy): Read config from starboard-trivy-config ConfigMap (#616)
e375660 refactor: Add PluginContext to ParseVulnerabilityReportData callback (#606)
8f97a54 refactor: Allow plugins to provide the default config (#611)
fd93a8c refactor: Define PluginConfig object (#602)
c322954 refactor: Move Trivy config utilities to trivy package (#607)
8815f5f refactor: Remove Aqua settings from generic starboard ConfigMap (#604)
ddf6f58 refactor: Remove config checkers settings from generic starboard ConfigMap (#603)
cc32bbb refactor: Rename CISKubeBenchOutput to CISKubeBenchReportData (#636)
ca3211b refactor: Rename kube.CR_Manager to cmd.Installer (#610)

Docker images

  • docker pull docker.io/aquasec/starboard:0.11.0
  • docker pull public.ecr.aws/aquasecurity/starboard:0.11.0
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.11.0
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.11.0
  • docker pull docker.io/aquasec/starboard-operator:0.11.0
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.11.0

v0.11.0-rc1

03 Aug 06:38
511694d
Pre-release

Docker images

  • docker pull docker.io/aquasec/starboard:0.11.0-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard:0.11.0-rc1
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.11.0-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.11.0-rc1
  • docker pull docker.io/aquasec/starboard-operator:0.11.0-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.11.0-rc1

v0.10.3

14 May 12:25
5bd3343

Changelog

bd095bd fix: Handle legacy image pull secrets of type kubernetes.io/dockercfg (#577)
ce049b5 fix: Running Polaris on OpenShift fails (#578)

Docker images

  • docker pull docker.io/aquasec/starboard:0.10.3
  • docker pull public.ecr.aws/aquasecurity/starboard:0.10.3
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.10.3
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.10.3
  • docker pull docker.io/aquasec/starboard-operator:0.10.3
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.10.3

v0.10.2

13 May 10:30
dfed9af

Changelog

85af65f feat(Conftest): Upgrade Conftest from v0.23.0 to v0.25.0 and use --no-fail flag (#557)
472fd92 feat(trivy): Configure insecure image registries (#548)
f7d8d46 feat: Ensure default config should not create ConfigMap for Polaris when it is not chosen as plugin (#530)
9fd1bfa feat: Use deterministic names for Secrets created by Conftest plugin (#536)
e07bc9b chore: Upgrade OLM from v0.16.1 to 0.17.0 (#526)
cf2ef21 chore: Use the MKDOCS_AQUA_BOT secret to publish docs (#540)
e38b345 refactor: Split specs in integration test for operator (#554)
858ba0d refactor: Use builder for config audit scan jobs (#533)
29992e4 refactor: Use embed package to define CISKubeBenchReports and KubeHunterReports CRDs (#532)
3d7ad49 refactor: Use embed package to define ConfigAuditReports CRD (#531)
66cf6a2 refactor: Use global shared behavior to reuse test specs (#555)

Docker images

  • docker pull docker.io/aquasec/starboard:0.10.2
  • docker pull public.ecr.aws/aquasecurity/starboard:0.10.2
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.10.2
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.10.2
  • docker pull docker.io/aquasec/starboard-operator:0.10.2
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.10.2

v0.10.2-rc1

12 May 11:02
702b1cf
Pre-release

Docker images

  • docker pull docker.io/aquasec/starboard:0.10.2-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard:0.10.2-rc1
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.10.2-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.10.2-rc1
  • docker pull docker.io/aquasec/starboard-operator:0.10.2-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.10.2-rc1

v0.10.1

21 Apr 19:53
21e893c

Changelog

cec4934 fix(cisbenchmark): Error creating scan Job - label has more than 63 characters (#520)
4cbcc01 fix: Cannot deploy Starboard Operator on OpenShift Container Platform (#521)
118f987 feat: Read Polaris config from the starboard-polaris-config ConfigMap (#494)
977996e fix(Conftest): Do not specify UID (1000) and GID (1000) in SecurityContext (#516)
0ccb209 fix(Conftest): Error: configmap references non-existent config key (#511)
103998e fix(trivy): Invalid usage of the --quiet flag (#505)
d1cbe3a fix: RBAC config when OwnerReferencesPermissionEnforcement admission controller is enabled (#517)

Docker images

  • docker pull docker.io/aquasec/starboard:0.10.1
  • docker pull public.ecr.aws/aquasecurity/starboard:0.10.1
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.10.1
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.10.1
  • docker pull docker.io/aquasec/starboard-operator:0.10.1
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.10.1

v0.10.1-rc1

21 Apr 13:32
640ccae
Pre-release

Docker images

  • docker pull docker.io/aquasec/starboard:0.10.1-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard:0.10.1-rc1
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.10.1-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.10.1-rc1
  • docker pull docker.io/aquasec/starboard-operator:0.10.1-rc1
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.10.1-rc1

v0.10.0

13 Apr 20:56
40f061c

Noteworthy

  1. Starboard Operator integrates with KubeBench by discovering K8s nodes and running KubeBench checks on existing and new nodes.
  2. Starboard CLI and Starboard Operator integrate with Conftest as a configuration audit plugin. The Conftest plugin supports custom OPA Rego checks and can be used as an alternative to Polaris, which has a predefined set of checks.
  3. Deleting a security report, e.g. VulnerabilityReport, triggers a rescan.
  4. Changing the configuration of the Conftest plugin, which is stored in the starboard-conftest-config ConfigMap, triggers a rescan.
  5. New kind of HTML report to sum up risks in the specified K8s namespace.

Changelog

92e39f4 chore(Conftest): Update deployment descriptors (#495)
a7de614 fix(conftest): Do not show negative pass count (#488)
8929137 fix(helm): Add configAuditReport.scanner to the default Starboard settings (#487)
020b61d fix(helm): Add permission to delete ConfigAuditReports (#496)
dc6d9a3 fix(helm): Error calling gt: incompatible types for comparison (#486)
69ec5b4 fix(operator): Delete scan job for workload that has been deleted (#497)
5cb2c04 fix(polaris): Remove clutter from JSON output (#493)
748d553 fix: Rearrange sections in HTML report for namespace (#491)
80f9a0f refactor(conftest): Skip rescan when plugin ConfigMap is deleted (#489)
802cfa7 refactor: Embed vulnerabilityreports CRD (#484)
aa95a98 refactor: Move constants to starboard package (#477)
89d860a chore: Bump up Polaris from v3.0 to v3.2 (#447)
d57c119 chore: Fix code formatting (#456)
55b37f7 feat(cli): Show top 5 failed workload configuration checks in html report for namespace (#462)
f53705a feat(cli): Show top 5 vulnerabilities by score in html report for namespace (#463)
c836618 feat(helm): Add HTTPS_PROXY and NO_PROXY settings for Trivy (#443)
8841b79 feat(operator): Add config to enable/disable scanners (#467)
b136b07 feat: Add HA Support for the Starboard Operator (#452)
56c1a3b feat: Add PluginContext for configuration audit scanners (#474)
9978cf4 feat: Add plugin name and config getter to PluginContext (#475)
20182e2 feat: Deleting a VulnerabilityReport should trigger rescan (#458)
1ddfb87 feat: Integrate Conftest as ConfigAuditReports scanner (#417)
89e3ba8 fix: Skip reconciling Jobs managed by CronJob (#450)
fa27379 refactor: Use client.Client in integration test (#469)
774ee8b refactor: Use client.Client in integration test for operator (#470)
2060f7b refactor: Use custom Gomega matcher to assert VulnerabilityReports (#461)
09c1bc0 chore: Review log statements and error messages (#441)
d12f369 feat(helm): Add ConfigMap template for plugins configuration (#437)
275e215 chore(release): Remove logout step (#408)
9c23ea8 chore: Bump up Trivy from v0.14.0 to v0.16.0 (#412)
c4c4289 chore: Delete deployment descriptors for Trivy server (#436)
42c8621 chore: Publish Starboard Operator Helm chart to our OSS charts repository (#393)
b9c1d27 chore: Trigger Helm chart publishing workflow manually (#439)
27d0ccc chore: Update deployment descriptors (#438)
8325cb2 chore: Upgrade CRD apiVersion from apiextensions.k8s.io/v1beta1 to apiextensions.k8s.io/v1 (#411)
75502ed feat(cli): Update description of get report command (#423)
001ee2c feat(operator): Integrate kube-bench (#404)
7134455 feat: Add AVD links to HTML report (#398)
05cc500 feat: Add AVD reference to KubeHunterReport CR (#407)
004dba6 feat: Deleting a ConfigAuditReport should trigger rescan (#428)
38285f1 feat: Export kube-bench reports to HTML (#422)
5d98f63 feat: Get ConfigAuditReports from ReplicaSet in the same hierarchy (#397)
2954b44 feat: Get vulnerabilities from ReplicaSet in the same hierarchy (#389)
d5278c2 feat: Pass K8s object to configauditreport.Plugin (#420)
8cf7552 feat: Scaffold HTML report for namespace (#413)
52fe3a7 feat: Set security context for kube-bench (#354)
776bb1e feat: Set security context for kube-hunter (#394)
d066379 refactor: Delete *pod.Manager (#429)
30c164c refactor: Merge resources package with kube package (#430)
0e234c1 refactor: Merge rs package with kube package (#431)
a36725a refactor: Move Polaris package under plugin (#419)
a54ed60 refactor: Move aqua package under pkg/plugin (#426)
30b95b2 refactor: Move trivy package under pkg/plugin (#427)
62d47df refactor: Remove redundant args passed to configauditreport.Plugin (#432)
0c9cf08 refactor: Separate kube-bench -specific code (#405)
3892722 refactor: Use factory to instantiate ConfigAuditReport plugins (#418)
9aa35b1 refactor: kubebench.ReadWriter to use controller-runtime Client (#399)
1bb07be refactor: vulnerabilityreport.ReadWriter to use controller-runtime Client (#403)

Docker images

  • docker pull docker.io/aquasec/starboard:0.10.0
  • docker pull public.ecr.aws/aquasecurity/starboard:0.10.0
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.10.0
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.10.0
  • docker pull docker.io/aquasec/starboard-operator:0.10.0
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.10.0

v0.10.0-rc5

13 Apr 16:55
2c93818
Pre-release

Docker images

  • docker pull docker.io/aquasec/starboard:0.10.0-rc5
  • docker pull public.ecr.aws/aquasecurity/starboard:0.10.0-rc5
  • docker pull docker.io/aquasec/starboard-scanner-aqua:0.10.0-rc5
  • docker pull public.ecr.aws/aquasecurity/starboard-scanner-aqua:0.10.0-rc5
  • docker pull docker.io/aquasec/starboard-operator:0.10.0-rc5
  • docker pull public.ecr.aws/aquasecurity/starboard-operator:0.10.0-rc5