Default upload of scan results should be opt-in #132
Comments
Hi @withernet, As you nicely noted in your note about the expected response, indeed any data that is sent to us is kept safe and is not used by ARMO in any form :-). ARMO is a security company working with large Fortune 500 companies with runtime security products who are also protecting our backend and servers according to all standards. It is important for us to note that the motivation of this is to enable our users to see and manage their results once they sign in without needing to re-run kubescape again. We do believe you raise a good point about the default usage and making it clear to the users; we tried to do it in the product usage documentation as clearly as possible, but if you did not see it, we need to take another look at it and consider changing it. I want to make sure you are aware of the fact that you can use the --results-locally flag to avoid this behavior (without taking away from your note about the default behavior and what it should be). We hope this makes sense and are welcoming any feedback and advice, and we will look at the best adjustments we can make to assure Kubescape users feel comfortable with the tool while also getting as much value as possible.
Hey @chmod-777-shauli yep completely understandable. What I don't like is that I was unaware of this behavior after the fact (and inadvertently submitted a report); and I would bet others have done this too? A couple of different methods while still providing the same functionality are below:
This default behaviour was also an unpleasant surprise for me.
@levsha and @withernet, your point is well taken, and we completely understand. We were under the impression that giving an option to not upload, which is fully documented, is enough, but it seems it is not clear enough for users, and we need to adjust it. Therefore, the upload behavior will be changed in the next release; you both gave good ideas as to how to go about it and we highly appreciate it.
Just confirmed this is fixed, thanks guys!
@withernet When you said it's fixed, does it mean the following command will not send any report to whatever endpoint that
I totally agree with you @withernet, the default should be to
@laurentiuspurba I tested with
The default behavior of this command is NOT sending any information, just as you expected. The exception to this case is if the user has registered to the SaaS service previously. We did not change the pre-existing behavior for the users who used to run this command and saw their data in the SaaS service. If you are a registered user and you wish to avoid sending your data for a specific run, please use the --keep-local flag.
Indeed, if you don't use the --use-from flag, kubescape will download the latest version of the scanning framework from GitHub. We strongly recommend updating the scanning framework, even if you need to use this flag. We continuously extend and improve the frameworks. Note the latest CVE-2021-25742 test addition that was done within several hours after the publication of the vulnerability.
@leonidsandler @withernet Thank you for clearing this thing up.
Hi @laurentiuspurba and thank you for your feedback. As I'm replying to you I'm working on fixing this issue; in the meantime you can follow the instructions provided here. If you do not have the framework cached, you can download the release running ->
And then run ->
Hi everyone.
Then I get results like
@george-obr2p Is this the url in the end of the message:
@dwertent yes, also there is this similar url in the end of the message. I've tried to delete data in portal.armo.cloud and reinstall kubescape from scratch on my device.
@george-obr2p By default kubescape does not submit your data, but if you submitted your data once, by default kubescape will also submit your data on the next runs if you do not explicitly add the
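As an added example (not part of this thread and not kubescape's own code), a small POSIX shell wrapper that enforces the local-only behaviour discussed above for every invocation: it appends --keep-local unless the caller already passed --keep-local or --results-locally, so a CI job or a shared alias never falls back to the submit-by-default path that applies to previously registered users. It assumes the two flag names are exactly as they appear in this thread.

```shell
#!/bin/sh
# Added example, not kubescape's own code. Assumes the flag names
# --keep-local and --results-locally as written in the discussion above.

# Return 0 if a local-only flag is already among the arguments.
has_local_flag() {
    for arg in "$@"; do
        case "$arg" in
            --keep-local|--results-locally) return 0 ;;
        esac
    done
    return 1
}

# Print the kubescape command line that would be run, with --keep-local
# appended unless the caller already opted out of uploading results.
kubescape_local_cmd() {
    if has_local_flag "$@"; then
        printf 'kubescape %s\n' "$*"
    else
        printf 'kubescape %s --keep-local\n' "$*"
    fi
}

# Execute kubescape with the enforced arguments, e.g.
#   run_kubescape_local scan framework nsa
run_kubescape_local() {
    if has_local_flag "$@"; then
        kubescape "$@"
    else
        kubescape "$@" --keep-local
    fi
}
```

Pointing the team's documented scan command (or a CI step) at run_kubescape_local instead of kubescape makes the opt-out explicit on every run rather than relying on whether a SaaS registration exists on that machine.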
I want to preface this issue as, I think kubescape is a pretty nice and nifty tool. It's especially useful for finding misconfigurations in k8s clusters, pods, containers, etc. But, I also want to say that --results-locally should not be opt-in. If you want to provide a consulting tool that people can use as a pipeline for professional services, fine, but do not mask the tool behind such behavior after the fact. Every single person that executes this tool with kubescape scan framework nsa effectively uploads all their cluster vulnerabilities and issues to ARMO. The fact that someone has to open an issue with a poor default makes me question the actual motivations and desires of ARMO. The default of this tool being opt-in should be a lesson to anyone using this tool and any other future open source tools that scan systems for security.