Request to add security vulnerability scan for the kyverno images #1557
Comments
imrajdas
changed the title
|
Agree, we need to provide this step and an output report that can be displayed for each release. Should probably use Trivy as that is what the ecosystem is standardizing on, by in large. |
|
I have used trivy, it is good to generate reports but not sure about other tools. |
|
Totally agreed with this issue Raj. I have worked with trivy before as well as a part of implementing it as a CI stage and for vulnerability-report-generation as well. PS: speaking of other tools like Anchor engine, clair, etc. , trivy outperforms them in majority of the areas, so, I'd strongly suggest trivy for this. But yeah, suggestions are most welcome cc: @chipzoller / @JimBugwadia / @realshuting |
|
Hi Yash,
Actually, I am thinking to pick this issue. Thanks for upvoting this issue.
…On Mon, 8 Feb 2021, 11:55 pm Yashvardhan Kukreja, ***@***.***> wrote:
I have used trivy, it is good to generate reports but not sure about other
tools.
+1 . I have worked with trivy before as well as a part of implementing it
as a CI stage and for vulnerability-report-generation as well.
If it's fine, I can pick this up and quickly implement this. Thanks :)
PS: speaking of other tools like Anchor engine, clair, etc. , trivy
outperforms them in majority of the areas, so, I'd strongly suggest trivy
for this. But yeah, suggestions are most welcome
cc: @chipzoller <https://github.com/chipzoller> / @JimBugwadia
<https://github.com/JimBugwadia> / @realshuting
<https://github.com/realshuting>
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1557 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE3YAZCTD5AQALPPQCC72WLS6AUB5ANCNFSM4XJHBKOQ>
.
|
|
Sure. Will be good to see this being implemented :) |
|
@chipzoller @realshuting Trivy doesn't scan scratch images
|
|
That's right, forgot about that. Since we are using scratch images, I wonder how ultimately valuable such a security scan would be. Probably between none and very little. |
|
One thing we can do
But this will increase the pipeline time. |
|
I don't think it really makes sense to swap the base image with something larger than what we need (and create unnecessary security vectors) for the purposes of then being able to scan it. |
|
@chipzoller Is there any benefits of using scratch image?. In terms of image size, alpine is around 5MB. |
|
One problem with scratch images, if someone wants to debug the kyverno container by |
|
Can https://medium.com/icetek/new-in-kubernetes-1-18-kubectl-alpha-debug-2f5243581025 |
|
The benefit of using a scratch image is not only its size but also the minimal attack surface it creates as well as reduced variables (not in the programmatic sense but in the complexity sense). I don't know of the modern development practices with regard to Golang and debugging inside container images, but I've often seen there being a separate Makefile for a debug image which can be created by a user on-demand to use for such debugging purposes. |
realshuting
modified the milestones:
Kyverno Release 1.4.1,
Kyverno Release 1.4.2,
Kyverno Release 1.5.0
|
Trivy scans scratch images too now 😄 |
Is your feature request related to a problem? Please describe.
It is important to have an image scanning step in the CI pipeline to check the vulnerabilities.
Most of the enterprise Kubernetes cluster has a lot of security restrictions which won’t allow any application which has security vulnerabilities.
Describe the solution you'd like
Use of any opensource image scan tool like aquasecurity/trivy, clair and add it in the CI pipeline.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
Add any other context or screenshots about the feature request here.
The text was updated successfully, but these errors were encountered: