
Making image scan results available in the cluster #668

Closed
slashben opened this issue Aug 24, 2022 · 21 comments
Assignees
Labels
feature New feature or request in roadmap Feature/fix in the kubescape roadmap development

Comments

@slashben
Contributor

Description
Kubescape microservices scan container images for vulnerabilities in the cluster. The results today are posted to ARMO cloud (https://cloud.armosec.io). They should be kept in the cluster to make them available for other applications as well. Even the kubescape scanner could use the results locally without needing to go through the ARMO cloud APIs.

Describe the solution you'd like
I would like Kubescape microservices to keep relevant image scan results as CRDs in the cluster. Every new scan report should be stored (together with the SBOM) in CRDs, and old results for the same workloads could be discarded (as well as reports which do not have corresponding images in the cluster anymore).

Additional context
This would enable feeding the results to Prometheus as well.

@slashben slashben added feature New feature or request good first issue Good for newcomers in roadmap Feature/fix in the kubescape roadmap development open for contribution Feature/bug fix that we are happy to hand out to anyone who would like to contribute labels Aug 24, 2022
@slashben slashben changed the title Makeing image scan results available in the cluster Making image scan results available in the cluster Aug 24, 2022
@kushagra-gupta01

Can you please assign me for this issue?
I would love to contribute.

@slashben
Contributor Author

> Can you please assign me for this issue? I would love to contribute.

Just did :)

Please be in touch with @dwertent about implementation guidelines.

@kushagra-gupta01

OK, sure.

@npneeraj

Hi @slashben I would also like to contribute to this issue.

@satvik2131

I want to work on this issue, please assign it to me and guide me regarding it.

@Aman123lug

@slashben can you assign me this project? I'd love to contribute.

@slashben
Contributor Author

@npneeraj, @satvik2131, @Aman123lug, this issue has already been assigned to someone. If you want to check with him, please reach out directly to @kushagra-gupta01.

@vinayak-00017

@kushagra-gupta01 hey man, can I work with you on this issue?

@priyansu-nayak

priyansu-nayak commented Sep 7, 2022

@kushagra-gupta01 Can we collab on this issue?

@harshitasao

Hi, @slashben @dwertent. I'd like to work on this as there hasn't been any progress. I think I understand the issue and the approach required; if necessary, I can prepare a proposal. So, could you please provide the implementation guidelines?

@dwertent
Contributor

This issue is a feature request related to the Kubevuln component.

Currently, Kubevuln runs as a microservice that receives an image as input. The Kubevuln scans the image (using Grype) and submits the results to the kubescape SaaS.
We will need to make the following changes in the Kubevuln:

  1. Extract the image SBOM (in addition to the results)
  2. Store the SBOM and scan results as CRDs
  3. When scanning an image, the Kubevuln will first search if the image has an available SBOM. If so, the Kubevuln will pass Grype the SBOM and not the image tag.
  4. Remove SBOMs of images that are no longer running in the cluster (the Kollector should do this)
  5. Remove older image scanning results

Once we complete this, we can update the Kubescape so it will load the image scanning results CRDs instead of downloading them from the Kubescape SaaS.
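The five steps above read as one storage-and-reuse flow, so here is an added example that models it end to end. It is not kubevuln's or kubescape's code: the `SBOMRecord` and `ScanResult` types stand in for hypothetical CRD objects, an in-memory `Store` stands in for the Kubernetes API, and the syft/grype calls are injected as functions so the flow runs offline. Keying SBOMs by image digest (rather than tag) is an assumption I would make so that a retagged image does not trigger a rescan. The digests and the finding string are constructed placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// SBOMRecord models the spec of a hypothetical SBOM CRD object (assumed name,
// not kubescape's own). Keyed by image digest so a retagged image is not rescanned.
type SBOMRecord struct {
	ImageDigest string
	Format      string // e.g. "spdx-json"; the real format choice is an assumption
	Content     []byte
	CreatedAt   time.Time
}

// ScanResult models a hypothetical vulnerability-report CRD object for one workload.
type ScanResult struct {
	Workload    string   // namespace/kind/name
	ImageDigest string
	Findings    []string // whatever the scanner reports; placeholders in this demo
	ScannedAt   time.Time
	FromSBOM    bool // true when the scanner was fed a stored SBOM instead of the image
}

// Store is an in-memory stand-in for the CRD storage described in the thread.
type Store struct {
	sboms   map[string]SBOMRecord
	results []ScanResult
}

func NewStore() *Store { return &Store{sboms: map[string]SBOMRecord{}} }

// ScanImage covers steps 1-3: reuse a stored SBOM when one exists, otherwise
// generate and store it, then feed the SBOM (never the image tag) to the scanner.
// genSBOM and scan stand in for syft/grype and are injected so this runs offline.
func (s *Store) ScanImage(workload, digest string,
	genSBOM func(digest string) ([]byte, error),
	scan func(sbom []byte) ([]string, error), now time.Time) (ScanResult, error) {
	rec, cached := s.sboms[digest]
	if !cached {
		content, err := genSBOM(digest)
		if err != nil {
			return ScanResult{}, fmt.Errorf("sbom generation for %s: %w", digest, err)
		}
		rec = SBOMRecord{ImageDigest: digest, Format: "spdx-json", Content: content, CreatedAt: now}
		s.sboms[digest] = rec
	}
	findings, err := scan(rec.Content)
	if err != nil {
		return ScanResult{}, fmt.Errorf("scan of %s: %w", digest, err)
	}
	res := ScanResult{Workload: workload, ImageDigest: digest, Findings: findings,
		ScannedAt: now, FromSBOM: cached}
	s.results = append(s.results, res)
	return res, nil
}

// Prune covers steps 4-5: drop SBOMs and results whose image no longer runs in the
// cluster (the set the Kollector would report) and keep only the newest result per workload.
func (s *Store) Prune(running map[string]bool) (droppedSBOMs, droppedResults int) {
	for digest := range s.sboms {
		if !running[digest] {
			delete(s.sboms, digest) // deleting during range is safe in Go
			droppedSBOMs++
		}
	}
	latest := map[string]ScanResult{}
	for _, r := range s.results {
		prev, seen := latest[r.Workload]
		switch {
		case !running[r.ImageDigest]:
			droppedResults++
		case !seen:
			latest[r.Workload] = r
		case r.ScannedAt.After(prev.ScannedAt):
			latest[r.Workload] = r
			droppedResults++ // the older prev is discarded
		default:
			droppedResults++ // r is older than the one already kept
		}
	}
	s.results = s.results[:0]
	for _, r := range latest {
		s.results = append(s.results, r)
	}
	sort.Slice(s.results, func(i, j int) bool { return s.results[i].Workload < s.results[j].Workload })
	return droppedSBOMs, droppedResults
}

// Results returns a copy of the kept reports; SBOMCount the number of stored SBOMs.
func (s *Store) Results() []ScanResult { return append([]ScanResult(nil), s.results...) }
func (s *Store) SBOMCount() int        { return len(s.sboms) }

func main() {
	s := NewStore()
	gen := func(d string) ([]byte, error) { return []byte("constructed-sbom-for-" + d), nil }
	scan := func(b []byte) ([]string, error) { return []string{"PLACEHOLDER-FINDING-1"}, nil }
	t0 := time.Date(2022, 9, 1, 0, 0, 0, 0, time.UTC)
	first, _ := s.ScanImage("default/Deployment/web", "sha256:aaa", gen, scan, t0) // placeholder digest
	second, _ := s.ScanImage("default/Deployment/web", "sha256:aaa", gen, scan, t0.Add(time.Hour))
	fmt.Println("first from SBOM:", first.FromSBOM, "second from SBOM:", second.FromSBOM)
	dS, dR := s.Prune(map[string]bool{"sha256:aaa": true})
	fmt.Println("pruned sboms:", dS, "pruned results:", dR, "kept:", len(s.Results()))
}
```

The second scan of the same digest reports `FromSBOM: true` and never calls the SBOM generator, which is the cost saving step 3 is after; `Prune` takes the running-image set as input because, per step 4, that knowledge belongs to the Kollector rather than to the scanner.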

@kamalbuilds
Contributor

Thank you @dwertent for the explanation, it surely clears many things :)

@Mahesh994565

@kushagra-gupta01 can I work with you on this feature? I'm clear about reqs & implementation regarding this. @slashben

@kushagra-gupta01 kushagra-gupta01 removed their assignment Sep 25, 2022
@Mahesh994565

@slashben @dwertent please assign this feature to me, I'm halfway into it.

@slashben slashben assigned slashben and Mahesh994565 and unassigned slashben Sep 28, 2022
@Mahesh994565

> This issue is a feature request related to the Kubevuln component.
>
> Currently, Kubevuln runs as a microservice that receives an image as input. The Kubevuln scans the image (using Grype) and submits the results to the kubescape SaaS. We will need to make the following changes in the Kubevuln:
>
> 1. Extract the image SBOM (in addition to the results)
> 2. Store the SBOM and scan results as CRDs
> 3. When scanning an image, the Kubevuln will first search if the image has an available SBOM. If so, the Kubevuln will pass Grype the SBOM and not the image tag.
> 4. Remove SBOMs of images that are no longer running in the cluster (the [Kollector](https://github.com/kubescape/kollector) should do this)
> 5. Remove older image scanning results
>
> Once we complete this, we can update the Kubescape so it will load the image scanning results CRDs instead of downloading them from the Kubescape SaaS.

Should the CRD changes be part of the kubevuln project or a separate repository?

@Mahesh994565

I have created an SPDX-format CRD for the initial implementation; there are multiple formats of SBOM output. I'm writing a parser to parse the output of the generated SBOM and convert it to a CRD object. Is this approach correct?
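To make the "parse the SBOM output and convert it to a CRD object" step concrete, here is an added example in Go; it is my illustration, not Mahesh's parser or kubescape's code. It decodes the subset of SPDX 2.x JSON fields that syft emits (`spdxVersion`, `packages[].name`, `versionInfo`, and the `purl` external reference) into a hypothetical `ImageSBOMSpec` CRD spec, and it refuses documents that are not SPDX 2.x or that carry no packages, so a wrong-format or empty SBOM is not stored as a silent empty record. The CRD type names and the sample SPDX document are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// spdxDoc holds the subset of SPDX 2.x JSON fields (as syft emits them) that the
// CRD needs; every other field in the document is ignored on decode.
type spdxDoc struct {
	SPDXVersion string `json:"spdxVersion"`
	Name        string `json:"name"`
	Packages    []struct {
		Name         string `json:"name"`
		Version      string `json:"versionInfo"`
		ExternalRefs []struct {
			Category string `json:"referenceCategory"`
			Type     string `json:"referenceType"`
			Locator  string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
}

// PackageRef is one package entry in the hypothetical CRD spec.
type PackageRef struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

// ImageSBOMSpec is the hypothetical CRD spec (name assumed, not kubescape's):
// image reference, source format, and the package list a scanner can consume.
type ImageSBOMSpec struct {
	Image    string       `json:"image"`
	Format   string       `json:"format"`
	Packages []PackageRef `json:"packages"`
}

// ParseSPDXToSpec converts raw SPDX JSON into the CRD spec. It rejects input that
// does not decode, is not SPDX 2.x, lists no packages, or has a nameless package,
// so a malformed or wrong-format SBOM is never stored as an empty record.
func ParseSPDXToSpec(image string, raw []byte) (ImageSBOMSpec, error) {
	var doc spdxDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return ImageSBOMSpec{}, fmt.Errorf("decode spdx json: %w", err)
	}
	if !strings.HasPrefix(doc.SPDXVersion, "SPDX-2.") {
		return ImageSBOMSpec{}, fmt.Errorf("unsupported spdxVersion %q", doc.SPDXVersion)
	}
	if len(doc.Packages) == 0 {
		return ImageSBOMSpec{}, fmt.Errorf("spdx document %q lists no packages", doc.Name)
	}
	spec := ImageSBOMSpec{Image: image, Format: "spdx-json"}
	for i, p := range doc.Packages {
		if p.Name == "" {
			return ImageSBOMSpec{}, fmt.Errorf("package %d has no name", i)
		}
		ref := PackageRef{Name: p.Name, Version: p.Version}
		for _, ext := range p.ExternalRefs {
			// SPDX spells the category PACKAGE-MANAGER or PACKAGE_MANAGER depending on version.
			if strings.ReplaceAll(ext.Category, "-", "_") == "PACKAGE_MANAGER" && ext.Type == "purl" {
				ref.PURL = ext.Locator
			}
		}
		spec.Packages = append(spec.Packages, ref)
	}
	return spec, nil
}

// sampleSPDX is a constructed, minimal SPDX 2.3 JSON document in the shape syft
// produces; it is not real scanner output.
const sampleSPDX = `{
  "spdxVersion": "SPDX-2.3",
  "name": "example-image",
  "packages": [
    {"name": "libssl3", "versionInfo": "3.0.2-0ubuntu1", "SPDXID": "SPDXRef-Package-deb-libssl3",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1"}]},
    {"name": "busybox", "versionInfo": "1.35.0"}
  ]
}`

func main() {
	spec, err := ParseSPDXToSpec("registry.example/app@sha256:placeholder", []byte(sampleSPDX))
	if err != nil {
		fmt.Println("parse failed:", err)
		return
	}
	out, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(out))
}
```

Keeping the purl in the spec is the useful part for step 3 of the plan above: a scanner can match packages on the purl alone, so the CRD does not have to carry the whole SPDX document for the reuse path to work.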

@siddhikhapare

siddhikhapare commented Oct 12, 2022

@dwertent @slashben I want to work on issue #669, but the above issue is related to it, so I am also trying to scan image results. I scanned an image and its SBOM in JSON format using grype and syft. Can you provide me setup guidance for kubevuln with grype to scan images? I generated the SBOM of the image and then scanned it with grype:
https://github.com/siddhikhapare/screenshots/blob/main/imagesbominjson.PNG

@dwertent
Contributor

@slashben I'm not sure this is the right place for the feature request.
This has more to do with Kubevuln than with Kubescape.

@slashben
Contributor Author

slashben commented Nov 10, 2022 via email

@Mahesh994565

I was on vacation due to the Diwali festival over here; I will resume my work on this.

@dwertent
Contributor

Closing this issue since it is not related directly to Kubescape as described here.

Supporting this issue will require refactoring the Kubevuln component. We will open a separate design document for this.

@dwertent dwertent removed good first issue Good for newcomers open for contribution Feature/bug fix that we are happy to hand out to anyone who would like to contribute labels Nov 20, 2022