Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Adds a first tasks page for the UI, with run-time scan
  Based on https://techblog.cisco.com/blog/kubeclarity-installation-on-aws-eks
* Adds installing sock-shop to backend install
* Minor fixes
* Adds scheduled runtime scans
  From https://techblog.cisco.com/blog/kubeclarity-runtime-scanning
* Adds SBOM concepts
  From https://techblog.cisco.com/blog/if-your-business-asks-what-sbom-is-it-is-failing
* Adds CIS benchmarks
  From https://techblog.cisco.com/blog/kubeclarity-cis-benchmarks
* Adds Kubernetes runtime scan concepts
* Adds vulnerability scans content
  From https://techblog.cisco.com/blog/kubeclarity-vulnerability-scanning
* Some reorganization and multi-sbom content
  From https://techblog.cisco.com/blog/kubeclarity-multi-sbom-integration
* Minor fixes
* Hide "Create child page" links
* Set repository meta link for kubeclarity pages
* Adds relevant AWS install prerequisites
  From https://techblog.cisco.com/blog/kubeclarity-installation-on-aws-eks
* Groups runtime scan related topics
* Group topics to sbom/vulnerability/runtime
* Adds intros to main topic chapters
  Single-sourced and cross-referenced with the concepts
* [SBOM] Get first tasks and generic topic in synch
* [SBOM] Single-source exporting cli results
* Single-source some vulnerability scan stuff
* Single-source some vulnerability scan stuff, part 2
* Single-source runtime scans and some minor fixes
* Getting started fixes
* Use port 9999 for all examples
* Corrections and clarifications
* Switch the order of first-task sections
1 parent 1bc692b, commit 7825fa3
Showing 67 changed files with 724 additions and 102 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
--- | ||
title: Concepts and background | ||
weight: 300 | ||
--- | ||
|
||
The following sections give you the concepts and background information about the scans provided by KubeClarity. |
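Review bot: "the scans provided by KubeClarity" undersells the section it introduces; the pages grouped under it (SBOM, vulnerability scanning, runtime scans) also cover SBOM generation, which is not a scan, so "the SBOM generation and scans provided by KubeClarity" would be accurate. The file path for this hunk is not shown on the rendered page; from the `title` and `weight: 300` it is presumably the concepts index, so it is worth confirming that the file is the `_index.md` of the concepts directory and that the include-based child pages pick it up as their parent.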
@@ -0,0 +1,33 @@ | ||
--- | ||
title: Kubernetes clusters runtime scans | ||
weight: 200 | ||
linktitle: Runtime scans | ||
--- | ||
|
||
{{< include-headless "kubeclarity/intro-runtime-scans.md" >}} | ||
|
||
## Runtime scan features | ||
|
||
KubeClarity enhance the runtime scanning experience: | ||
|
||
### Faster runtime scans | ||
|
||
KubeClarity optimizes the scanning process, reducing the time required to detect vulnerabilities. This allows for quicker identification and remediation of potential security risks. | ||
|
||
### Reduce image TAR pulling | ||
|
||
KubeClarity uses an efficient approach that avoids the unnecessary overhead of fetching the complete image tar. | ||
|
||
### Cache SBOMs | ||
|
||
If an image has already been scanned, KubeClarity uses the cached SBOM data, avoiding time-consuming image retrieval and recomputing, improving overall efficiency. | ||
|
||
## Runtime scan architecture | ||
|
||
The following figure illustrates the structure of a runtime scanning architecture. This layout visually represents the components and their interconnections within the runtime scanning system. | ||
|
||
![KubeClarity Runtime Scan Architecture](runtime-scan-architecture.png) | ||
|
||
## Perform runtime scans | ||
|
||
For details on performing runtime scans with KubeClarity, see the {{% xref "/docs/kubeclarity/getting-started/_index.md" %}} and {{% xref "/docs/kubeclarity/runtime-scans/_index.md" %}}. |
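Review bot: the "Cache SBOMs" section should state what the cache is keyed on. If a cached SBOM is reused per image tag rather than per image digest, a tag that has been repointed (`nginx:latest` is the example the getting-started pages use) would be served a stale SBOM and the vulnerabilities in the new image would be missed; write "keyed by image digest" if that is the case, or document the limitation. Likewise "Reduce image TAR pulling" asserts that the full tar is not fetched but not what is fetched instead, so the claim cannot be checked by a reader. Grammar: "KubeClarity enhance the runtime scanning experience:" should be "KubeClarity enhances ...", and the title "Kubernetes clusters runtime scans" reads better as "Kubernetes cluster runtime scans".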
Binary file added: content/docs/kubeclarity/concepts/runtime-scans/runtime-scan-architecture.png (+51.6 KB)
@@ -0,0 +1,51 @@ | ||
--- | ||
title: Software bill of materials | ||
linktitle: SBOM | ||
weight: 100 | ||
--- | ||
|
||
{{< include-headless "kubeclarity/intro-generate-sbom.md" >}} | ||
|
||
SBOMs are important because organizations increasingly rely on open-source and third-party software components to build and maintain their applications. These components can introduce security vulnerabilities and must be adequately managed and updated. SBOMs help you understand what open-source and third-party components are used in your applications, and identify and address any security vulnerabilities. | ||
|
||
Under specific scenarios, generating and publishing SBOMs is mandatory for compliance with regulations and industry standards that require organizations to disclose the use of open-source and third-party software in their products. | ||
|
||
## SBOM standards | ||
|
||
There are several related standards, for example, CycloneDX, SPDX, SWID. | ||
|
||
[SPDX (Software Package Data Exchange)](https://spdx.dev/) is a standard format for communicating a software package’s components, licenses, and copyrights. It is commonly used to document the open-source components included in a proprietary software product. SPDX files can be easily read and understood by humans and machines, making it easy to track and manage open-source components in a software project. SPDX format is supported by Linux Foundation. | ||
|
||
CycloneDX is an open-source standard for creating software bill of materials files. It is like SPDX in that it documents the components and licenses associated with a software package, but it is specifically designed for use in software supply chain security. CycloneDX is a more lightweight format compared to SPDX, which is intended to be more detailed. CycloneDX format is supported by OWASP. | ||
|
||
## SBOM architecture | ||
|
||
A typical SBOM architecture can be laid out as a tree-like dependency graph with the following key elements: | ||
|
||
- Component inventory: Information about the components, libraries, and other assets used in the software, including version numbers, licenses, and vulnerabilities. | ||
- Dependency mapping: A map of relationships between different components and libraries, showing how they depend on each other and how changes to one may impact the other. | ||
- License management: It should also include information about the licenses of the components and libraries used to ensure that the software complies with legal and ethical obligations. | ||
|
||
## SBOM generators | ||
|
||
There are two typical ways to generate SBOM: during the build process, or after the build and deployment using a Software Composition Analysis tool. Trivy and Syft are two noteworthy open-source generators among many other generators, including open-source and commercial. Both use CycloneDX format. It is also important to note that not all SBOMs can be generated equally. Each generator may pick up a few language libraries better than the others based on its implementation. It might take multiple runs through a few different types of generators to draw comprehensive insights. | ||
|
||
{{< include-headless "kubeclarity/supported-sbom-generators.md" >}} | ||
|
||
## Multiple SBOMs for accuracy | ||
|
||
KubeClarity can run multiple SBOM generators in parallel, and unify their results to generate a more accurate document. | ||
|
||
In such cases, KubeClarity compiles a merged SBOM from multiple open-source analyzers, and delivers a comprehensive SBOM document report. Although KubeClarity does not generate SBOMs, it integrates with popular generators so that a combined document can provide amplified inputs that can be further analyzed using vulnerability scanners. Leveraging multiple SBOM documents can improve visibility into software dependency posture. | ||
|
||
KubeClarity formats the merged SBOM to comply with the input requirements of vulnerability scanners before starting vulnerability scans. | ||
|
||
> Note: KubeClarity can merge vulnerability scans from various sources like Grype and Trivy to generate a robust vulnerability scan report. | ||
## Scan SBOM documents for vulnerabilities | ||
|
||
You can feed the generated SBOM documents to vulnerability scanners, which analyze the SBOMs and generate a vulnerability report detailing all known and fixed CVEs of the software components listed by SBOM. | ||
|
||
## Generate SBOM | ||
|
||
For details on generating SBOMs with KubeClarity, see the {{% xref "/docs/kubeclarity/getting-started/_index.md" %}} and {{% xref "/docs/kubeclarity/sbom/_index.md" %}}. |
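Review bot: "Although KubeClarity does not generate SBOMs, it integrates with popular generators" contradicts both the "## Generate SBOM" section two headings later and the earlier "KubeClarity can run multiple SBOM generators in parallel"; say instead that KubeClarity does not implement its own analyzer but drives the supported generators and merges their output. "Trivy and Syft ... Both use CycloneDX format" is also inaccurate: both can emit CycloneDX and SPDX, so "Both can produce CycloneDX output" is the defensible statement. "SPDX format is supported by Linux Foundation" should read "SPDX is a Linux Foundation project and an ISO standard (ISO/IEC 5962:2021)". SWID is listed among the standards and never described; either drop it or give it a sentence like the other two. "detailing all known and fixed CVEs" is ambiguous; "known CVEs and, where available, the versions that fix them" is what the scanners report. Minor: add a blank line between the "> Note:" block quote and "## Scan SBOM documents for vulnerabilities" to match the spacing used elsewhere in the file.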
content/docs/kubeclarity/concepts/vulnerability-scanning/_index.md (39 additions, 0 deletions)
@@ -0,0 +1,39 @@ | ||
--- | ||
title: Vulnerability scanning | ||
weight: 300 | ||
--- | ||
|
||
{{< include-headless "kubeclarity/intro-vulnerability-scans.md" >}} | ||
|
||
The scanners use the information contained in the [SBOM]({{< relref "/docs/kubeclarity/concepts/sbom/_index.md" >}}) to identify vulnerabilities and potential security risks within software applications. Vulnerability scanners use SBOM information to: | ||
|
||
- Identify vulnerable components: Scanners use the SBOM to identify a software application’s components, then cross-reference this information with known vulnerabilities and security issues to identify vulnerable components within the software. | ||
- Prioritize vulnerabilities: After the vulnerability scanner has identified all vulnerable components within the software application, it uses the SBOM to prioritize the vulnerabilities so you can focus on the most critical vulnerabilities. | ||
- Identify supply chain risks: SBOMs provide visibility into the software supply chain, enabling vulnerability scanners to identify third-party or security risks. As a result, organizations can mitigate supply chain risks and reduce their overall security exposure. | ||
- Track changes and updates: Software vulnerability scanners use SBOM information to determine whether software changes have introduced new vulnerabilities or security risks. | ||
|
||
The SBOM is a critical tool for vulnerability scanners, providing the information needed to identify, prioritize, and mitigate security risks within software applications. In addition, scanners also rely on other types of inputs, as listed below. | ||
|
||
## KubeClarity and vulnerability scanning | ||
|
||
KubeClarity isn’t a vulnerability scanner but integrates with top opensource vulnerability scanners. It also helps with prioritization and risk management by visualization and filtering. It is often necessary to prioritize CVEs because of the sheer volume of identified CVEs. With KubeClarity’s vulnerability trending dashboard and APIs, you can locate and double-click into a specific CVE in your application or infrastructure. | ||
|
||
KubeClarity features a range of flexible and dynamic filters that help map CVEs down to an application->package->Image level. Additionally, it normalizes reports from multiple scanners and calculates missing [CVSS (Common Vulnerability Scoring System) scores](https://www.first.org/cvss/specification-document). | ||
|
||
{{< include-headless "kubeclarity/supported-vulnerability-scanners.md" >}} | ||
|
||
KubeClarity supports both automatic scans to find common vulnerabilities quickly and efficiently, and manual scans to help verify automated scans, and also to help identify more complex and less common vulnerabilities. In addition to conventional scans, KubeClarity also provides multi-scanner integration. | ||
|
||
## Multi-scanner architecture | ||
|
||
KubeClarity infrastructure enables multiple scanners’ configuration and simultaneous operation. Scanners in KubeClarity are designed to work in parallel. | ||
|
||
The following figure shows the multi-scanner architecture for vulnerability scanning: KubeClarity preprocesses the SBOMs so they conform to the specific formatting requirements of the specific scanner. Each scanner may have different types and unique formatting expectations. The scanners analyze the incoming data and generate vulnerability outputs in their native formats. | ||
|
||
![Multi-scanner architecture](multi-scanner-vulnerability-scanning.png) | ||
|
||
KubeClarity can merge the vulnerability reports of different scanners, to include severity levels, sources, and available fixes. These reports serve as valuable outputs, allowing you to filter and focus on specific areas of vulnerabilities for further investigation and resolution. | ||
|
||
## Run vulnerability scans | ||
|
||
For details on running vulnerability scans with KubeClarity, see the {{% xref "/docs/kubeclarity/getting-started/_index.md" %}} and {{% xref "/docs/kubeclarity/vulnerability-scan/_index.md" %}}. |
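Review bot: "In addition, scanners also rely on other types of inputs, as listed below." points at a list that does not exist in this file; either add the list of other inputs or drop the sentence. "it uses the SBOM to prioritize the vulnerabilities" overstates what an SBOM carries: severity and CVSS come from the vulnerability databases the scanner matches against, and the SBOM only tells the scanner which components and versions are present, so reword it so readers do not expect priority data in the SBOM. "calculates missing CVSS scores" needs one sentence on how (from which vector or source), because a score derived by the tool rather than taken from the advisory is something a reader triaging on that number must know. "Identify third-party or security risks" is missing a word (third-party what?). Minor: "opensource" should be "open-source", and "application->package->Image" should be "application > package > image" so the arrows do not read as a typo.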
Binary file added: ...larity/concepts/vulnerability-scanning/multi-scanner-vulnerability-scanning.png (+94.5 KB)
content/docs/kubeclarity/getting-started/first-tasks-ui/_index.md (18 additions, 0 deletions)
@@ -0,0 +1,18 @@ | ||
--- | ||
title: First tasks - UI | ||
weight: 300 | ||
--- | ||
|
||
After you have [installed the KubeClarity backend]({{< relref "/docs/kubeclarity/getting-started/install-kubeclarity-backend/_index.md" >}}) and the [KubeClarity CLI]({{< relref "/docs/kubeclarity/getting-started/install-kubeclarity-cli/_index.md" >}}), complete the following tasks to see the basic functionality of KubeClarity web UI. | ||
|
||
## Runtime scan | ||
|
||
{{< include-headless "kubeclarity/run-runtime-scan-ui.md" >}} | ||
|
||
## Vulnerability scan {#vulnerability-scan-results-ui} | ||
|
||
{{< include-headless "kubeclarity/vulnerability-scan-results-ui.md" >}} | ||
|
||
## Next step | ||
|
||
Check the common tasks you can do using the [CLI tool]({{< relref "/docs/kubeclarity/getting-started/first-tasks/_index.md" >}}). |
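Review bot: the page assumes the reader can already reach the web UI but gives no pointer to how the backend is exposed (the CLI page in this same commit uses `localhost:9999`); a link or one sentence before the "Runtime scan" section would save a round-trip to the install page. "the basic functionality of KubeClarity web UI" is missing an article ("of the KubeClarity web UI"). Also, one of the screenshots added alongside this page, `vulerability-scan-details.png`, has a typo in its file name; rename it to `vulnerability-scan-details.png` to match the other images and update the include that references it.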
Binary files added:

- content/docs/kubeclarity/getting-started/first-tasks-ui/dashboard-with-data.png (+96.2 KB)
- ...cs/kubeclarity/getting-started/first-tasks-ui/run-time-scan-results-details.png (+122 KB)
- content/docs/kubeclarity/getting-started/first-tasks-ui/run-time-scan-results.png (+61.1 KB)
- content/docs/kubeclarity/getting-started/first-tasks-ui/run-time-scan.png (+37.8 KB)
- content/docs/kubeclarity/getting-started/first-tasks-ui/start-run-time-scan.png (+50.2 KB)
- ...t/docs/kubeclarity/getting-started/first-tasks-ui/vulerability-scan-details.png (+95.7 KB)
- ...ent/docs/kubeclarity/getting-started/first-tasks-ui/vulnerability-scan-cvss.png (+46.3 KB)
- ...t/docs/kubeclarity/getting-started/first-tasks-ui/vulnerability-scan-filter.png (+84.4 KB)
- .../docs/kubeclarity/getting-started/first-tasks-ui/vulnerability-scan-results.png (+357 KB)
content/docs/kubeclarity/getting-started/first-tasks/_index.md (13 additions, 69 deletions)
@@ -1,83 +1,27 @@ | ||
--- | ||
title: First tasks | ||
weight: 300 | ||
title: First tasks - CLI | ||
weight: 400 | ||
--- | ||
|
||
After you have [installed the KubeClarity backend]({{< relref "/docs/kubeclarity/getting-started/install-kubeclarity-backend/_index.md" >}}) and the [KubeClarity CLI]({{< relref "/docs/kubeclarity/getting-started/install-kubeclarity-cli/_index.md" >}}), complete the following tasks to see the basic functionality of KubeClarity. | ||
After you have [installed the KubeClarity backend]({{< relref "/docs/kubeclarity/getting-started/install-kubeclarity-backend/_index.md" >}}) and the [KubeClarity CLI]({{< relref "/docs/kubeclarity/getting-started/install-kubeclarity-cli/_index.md" >}}), and completed the [first tasks on the UI]({{< relref "/docs/kubeclarity/getting-started/first-tasks-ui/_index.md" >}}), complete the following tasks to see the basic functionality of the KubeClarity CLI. | ||
|
||
## Generate SBOM | ||
|
||
To generate the Software Bill of Materials (SBOM), run the following command: | ||
{{< include-headless "kubeclarity/generate-sbom-simple-cli.md" >}} | ||
|
||
```shell | ||
kubeclarity-cli analyze <image/directory name> --input-type <dir|file|image(default)> -o <output file or stdout> | ||
``` | ||
## Vulnerability scan | ||
|
||
For example: | ||
|
||
```shell | ||
kubeclarity-cli analyze --input-type image nginx:latest -o nginx.sbom | ||
``` | ||
|
||
You can list the content analyzers to use using the `ANALYZER_LIST` environment variable separated by a space (`ANALYZER_LIST="<analyzer 1 name> <analyzer 2 name>"`). For example: | ||
|
||
```shell | ||
ANALYZER_LIST="syft gomod" kubeclarity-cli analyze --input-type image nginx:latest -o nginx.sbom | ||
``` | ||
|
||
## Vulnerability scanning | ||
|
||
Usage: | ||
|
||
```shell | ||
kubeclarity-cli scan <image/sbom/directory/file name> --input-type <sbom|dir|file|image(default)> -f <output file> | ||
``` | ||
|
||
Example: | ||
|
||
```shell | ||
kubeclarity-cli scan nginx.sbom --input-type sbom | ||
``` | ||
|
||
You can list the vulnerability scanners to use using the `SCANNERS_LIST` environment variable separated by a space (`SCANNERS_LIST="<Scanner1 name> <Scanner2 name>"`). For example: | ||
|
||
```shell | ||
SCANNERS_LIST="grype trivy" kubeclarity-cli scan nginx.sbom --input-type sbom | ||
``` | ||
{{< include-headless "kubeclarity/run-vulnerability-scan-cli.md" >}} | ||
|
||
## Export results to KubeClarity backend | ||
|
||
To export the CLI results to the KubeClarity backend, use an application ID as defined by the KubeClarity backend. | ||
You can find the application ID on the **Applications** screen of the UI, or you can use the KubeClarity API. | ||
|
||
### Export SBOM | ||
|
||
To export the SBOM to the KubeClarity backend, set the `BACKEND_HOST` environment variable and the `-e` flag. | ||
|
||
> Note: Until TLS is supported, set `BACKEND_DISABLE_TLS=true`. | ||
```shell | ||
BACKEND_HOST=<KubeClarity backend address> BACKEND_DISABLE_TLS=true kubeclarity-cli analyze <image> --application-id <application ID> -e -o <SBOM output file> | ||
``` | ||
|
||
For example: | ||
|
||
```shell | ||
BACKEND_HOST=localhost:9999 BACKEND_DISABLE_TLS=true kubeclarity-cli analyze nginx:latest --application-id 23452f9c-6e31-5845-bf53-6566b81a2906 -e -o nginx.sbom | ||
``` | ||
|
||
### Export vulnerability scan results | ||
|
||
To export the vulnerability scan results to the KubeClarity backend, set the `BACKEND_HOST` environment variable and the `-e` flag. | ||
|
||
> Note: Until TLS is supported, set `BACKEND_DISABLE_TLS=true`. | ||
To export the CLI results to the KubeClarity backend, complete the following steps. | ||
|
||
```shell | ||
BACKEND_HOST=<KubeClarity backend address> BACKEND_DISABLE_TLS=true kubeclarity-cli scan <image> --application-id <application ID> -e | ||
``` | ||
1. {{< include-headless "kubeclarity/get-application-id.md" >}} | ||
1. {{< include-headless "kubeclarity/export-sbom-scan-results.md" >}} | ||
1. {{< include-headless "kubeclarity/export-vulnerability-scan-results.md" >}} | ||
1. Now you can [see the exported results on the UI]({{< relref "/docs/kubeclarity/getting-started/first-tasks-ui/_index.md#vulnerability-scan-results-ui" >}}), for example, on the **Dashboard** page. | ||
|
||
For example: | ||
## Next step | ||
|
||
```shell | ||
SCANNERS_LIST="grype" BACKEND_HOST=localhost:9999 BACKEND_DISABLE_TLS=true kubeclarity-cli scan nginx.sbom --input-type sbom --application-id 23452f9c-6e31-5845-bf53-6566b81a2906 -e | ||
``` | ||
Now that you have finished the getting started guide, explore the UI, or check the documentation for other use cases. |
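Review bot: the deleted lines carried the only statement on this page that export to the backend currently runs without TLS (`> Note: Until TLS is supported, set BACKEND_DISABLE_TLS=true.`) and that `-e` needs `BACKEND_HOST` and `--application-id`; make sure `kubeclarity/export-sbom-scan-results.md` and `kubeclarity/export-vulnerability-scan-results.md` keep that caveat next to the command, because a reader who ships SBOMs and scan results in clear text across a network should see it where the command is given, not only on the install page. The removed `ANALYZER_LIST` and `SCANNERS_LIST` examples likewise need to survive in `generate-sbom-simple-cli.md` and `run-vulnerability-scan-cli.md`, since the multi-analyzer and multi-scanner behaviour is what the concepts pages in this commit advertise. The four-step numbered list and the weight change to 400 (with the new UI page taking 300) are consistent with the UI page's "Next step" link.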