POC for vulnerability scanning using snyk

[navidshaikh]

What would you like to be added:

A prow CI job to do vulnerability scanning for k/k dependencies using snyk.

Why is this needed:

Kubernetes has a very large number of golang library dependencies. While there is some work to track and ensure license compatability, there is little to know work done to track vulnerabilities in these library dependencies.

ref kubernetes/community#2992

---

This issue is to track doing a PoC for vulnerability scanning of k/k dependencies using snyk CLI.

The proposal is to create an optional prow CI job which runs snyk scan against k/k master.

This requires:

• Create a snyk account for kubernetes organization Request a Snyk Service Account for Proof of Concept steering#206
• Enable service account feature for the k8s account https://kubernetes.slack.com/archives/CHGFYJVAN/p1618848476110600
• Create a service account token at snyk dashboard for authentication of snyk CLI
• Create a secret in prow test-infra (projectId: k8s-prow) with snyk token ref
• Bind the secret (created in above step) to be used in a prow CI job ref Add ExternalSecret CR for snyk_token test-infra#22298
• Create an optional presubmit periodic CI job which: populates SNYK_TOKEN env var using secret, install snyk CLI and run the scan Add snyk scan periodic CI job test-infra#22293
• Add docs Docs for scanning known vulnerabilities in build time dependencies sig-security#16

Just to be clear, All this is stuff we would do BEFORE a release. We are not talking about scanning containers here, just sanity check of dependencies that we pull in.

cc: @dims @nikhita @PushkarJ @spiffxp @nikhita

[navidshaikh]

/area code-organization
/sig architecture

[spiffxp]

/assign

[navidshaikh]

/triage accepted

[navidshaikh]

snyk scan continuous job is running at 6h interval, see https://testgrid.k8s.io/sig-security-snyk-scan#ci-kubernetes-snyk-master

result can be seen in each job artifacts https://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-snyk-master/1405787379716853760/artifacts/

next:

• add docs and communicate

any suggestion about where the docs should reside ?

[PushkarJ]

Hey @navidshaikh Have been talking about location for docs with @dims and @tabbysable

https://github.com/kubernetes/community/ under sig-security seems like a good place. I have a WIP fork for this as well. Should get something for review for you next week. Let me know what you think!

[navidshaikh]

sounds good @PushkarJ, thanks!

[PushkarJ]

Docs PR: kubernetes/community#5853

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[navidshaikh]

/remove-lifecycle stale

[navidshaikh]

The docs PR is merged kubernetes/sig-security#16, completes the checklist.

Thanks everyone for their contributions!

/close

[k8s-ci-robot]

@navidshaikh: Closing this issue.

In response to this:

The docs PR is merged kubernetes/sig-security#16, completes the checklist.

Thanks everyone for their contributions!

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.