DevKekOps
Get vulnerabilities of container images in helm charts. You provide a helm chart and its version, and you get the CVE counts for that helm chart and for the latest version of the same helm chart. Here is an example:
I have deployed grafana with helm chart version 8.5.1. What images are used in this helm chart? How vulnerable are they? What is the latest available helm chart? Does that one have fewer vulnerabilities?
Okay, so let's answer those questions by running
```
devkekops https://grafana.github.io/helm-charts grafana 8.5.1
```
At the time of writing, this gives us
```
[Helm version]
8.6.0
8.5.1
[App version]
11.3.0
11.2.0
[docker.io/bats/bats]
v1.4.1 1 15 14 0
v1.4.1 1 15 14 0
[docker.io/grafana/grafana]
11.3.0 0 0 0 5
11.2.0 1 3 30 5
[Total]
1 15 14 5
2 18 44 5
```
Each image row lists the image tag followed by the number of critical, high, medium and low CVEs; the first row in each block is the latest helm chart, the second is the one you deployed. The latest helm and app versions are 8.6.0 and 11.3.0. The helm charts use the same images, but the grafana image is newer in the latest helm chart and has fewer vulnerabilities: 0 critical, 0 high, 0 medium and 5 low. The totals for all images show that upgrading to the latest helm chart would result in fewer vulnerabilities.
If you want to parse the result, add `-format json` and you get:
```json
{
  "repo": "https://grafana.github.io/helm-charts",
  "chart": "grafana",
  "current": {
    "helmVersion": "8.5.1",
    "appVersion": "11.2.0",
    "images": {
      "docker.io/bats/bats": {
        "version": "v1.4.1",
        "critical": 1,
        "high": 15,
        "medium": 14,
        "low": 0
      },
      "docker.io/grafana/grafana": {
        "version": "11.2.0",
        "critical": 1,
        "high": 3,
        "medium": 30,
        "low": 5
      }
    },
    "total": {
      "critical": 2,
      "high": 18,
      "medium": 44,
      "low": 5
    }
  },
  "latest": {
    "helmVersion": "8.6.0",
    "appVersion": "11.3.0",
    "images": {
      "docker.io/bats/bats": {
        "version": "v1.4.1",
        "critical": 1,
        "high": 15,
        "medium": 14,
        "low": 0
      },
      "docker.io/grafana/grafana": {
        "version": "11.3.0",
        "critical": 0,
        "high": 0,
        "medium": 0,
        "low": 5
      }
    },
    "total": {
      "critical": 1,
      "high": 15,
      "medium": 14,
      "low": 5
    }
  },
  "diff": {
    "critical": 1,
    "high": 3,
    "medium": 30,
    "low": 0
  }
}
```
Okay! One helm chart, but what if I have more? You can pass multiple charts by repeating the `repo chart version` pattern for each chart. Use the `-summary` flag to print a one-line summary per chart, like this. Note that for OCI registries you should use `oci://` instead of `https://`.
```
devkekops -summary \
    https://charts.bitnami.com/bitnami rabbitmq-cluster-operator 4.3.24 \
    https://charts.external-secrets.io external-secrets 0.10.0 \
    https://charts.jetstack.io cert-manager v1.14.5 \
    https://cloudnative-pg.github.io/charts cloudnative-pg 0.21.6 \
    https://docs.getunleash.io/helm-charts unleash 4.0.2 \
    https://docs.getunleash.io/helm-charts unleash-edge 2.5.0 \
    https://grafana.github.io/helm-charts alloy 0.6.0 \
    https://grafana.github.io/helm-charts grafana 8.5.1 \
    https://helm.elastic.co eck-operator 2.13.0 \
    https://helm.releases.hashicorp.com vault 0.28.1 \
    https://prometheus-community.github.io/helm-charts prometheus-blackbox-exporter 8.6.1 \
    https://prometheus-msteams.github.io/prometheus-msteams prometheus-msteams 1.3.4 \
    oci://ghcr.io actions/actions-runner-controller-charts/gha-runner-scale-set 0.9.3 \
    oci://ghcr.io actions/actions-runner-controller-charts/gha-runner-scale-set-controller 0.9.3 \
    https://grafana.github.io/helm-charts mimir-distributed 5.4.1
```
The result is sorted by the largest difference in vulnerabilities between the current and the latest version. The numbers are current minus latest per severity, so a positive number means the latest version has fewer vulnerabilities: it shows how many vulnerabilities you get rid of by upgrading (a negative number, like the LOW column for alloy, means the latest version has more of that severity).
```
CHART                            CRITICAL HIGH MEDIUM LOW VERSION
mimir-distributed                5        40   247    169 5.4.1 -> 5.6.0-weekly.316
unleash                          5        67   87     12  4.0.2 -> 5.3.3
cert-manager                     4        4    18     0   v1.14.5 -> v1.16.1
vault                            1        2    13     3   0.28.1 -> 0.29.0
alloy                            1        1    3      -5  0.6.0 -> 0.10.0
grafana                          1        3    30     0   8.5.1 -> 8.6.0
eck-operator                     1        2    4      0   2.13.0 -> 2.15.0
unleash-edge                     0        2    10     1   2.5.0 -> 2.7.4
cloudnative-pg                   0        2    4      0   0.21.6 -> 0.22.1
external-secrets                 0        1    12     0   0.10.0 -> 0.10.5
prometheus-blackbox-exporter     0        5    17     0   8.6.1 -> 9.1.0
rabbitmq-cluster-operator        0        0    2      0   4.3.24 -> 4.3.27
prometheus-msteams               0        0    0      0   1.3.4 -> 1.3.4
gha-runner-scale-set             0        0    0      0   0.9.3 -> 0.9.3
gha-runner-scale-set-controller  0        0    0      0   0.9.3 -> 0.9.3
```
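If you feed the `-format json` output into CI, you usually want to recompute the diff from the totals yourself, check it against the `diff` field, and gate on critical/high findings that an upgrade would remove. The script below is an added example, not part of devkekops: the grafana record is copied from the JSON above (images omitted), the alloy record is constructed to reproduce its summary row, and ordering ties by the full (critical, high, medium, low) tuple is an assumption, since the tool's own tie-break is not documented.

```python
"""Turn devkekops -format json records into -summary rows and a CI gate."""
import json

SEVERITIES = ("critical", "high", "medium", "low")

# Copied from the grafana example above; only the totals are kept.
GRAFANA = json.loads("""{
  "repo": "https://grafana.github.io/helm-charts", "chart": "grafana",
  "current": {"helmVersion": "8.5.1", "appVersion": "11.2.0",
              "total": {"critical": 2, "high": 18, "medium": 44, "low": 5}},
  "latest":  {"helmVersion": "8.6.0", "appVersion": "11.3.0",
              "total": {"critical": 1, "high": 15, "medium": 14, "low": 5}},
  "diff": {"critical": 1, "high": 3, "medium": 30, "low": 0}
}""")

# Constructed record (not real scan data): totals chosen so the diff matches
# the alloy row of the summary table, 1 1 3 -5 for 0.6.0 -> 0.10.0.
ALLOY = {
    "repo": "https://grafana.github.io/helm-charts", "chart": "alloy",
    "current": {"helmVersion": "0.6.0",
                "total": {"critical": 1, "high": 1, "medium": 3, "low": 0}},
    "latest": {"helmVersion": "0.10.0",
               "total": {"critical": 0, "high": 0, "medium": 0, "low": 5}},
}

def compute_diff(record):
    """Current minus latest per severity; positive means the upgrade removes CVEs."""
    cur, new = record["current"]["total"], record["latest"]["total"]
    return {s: cur[s] - new[s] for s in SEVERITIES}

def summary_rows(records):
    """(chart, diff, 'old -> new') rows, biggest reduction first (tie order assumed)."""
    rows = []
    for r in records:
        d = compute_diff(r)
        if "diff" in r and r["diff"] != d:  # the tool's diff must agree with its totals
            raise ValueError(f"{r['chart']}: diff field disagrees with totals")
        rows.append((r["chart"], d, f"{r['current']['helmVersion']} -> {r['latest']['helmVersion']}"))
    rows.sort(key=lambda row: tuple(row[1][s] for s in SEVERITIES), reverse=True)
    return rows

def format_summary(records):
    """Render rows in the same column order as `devkekops -summary`."""
    lines = ["CHART CRITICAL HIGH MEDIUM LOW VERSION"]
    for chart, d, arrow in summary_rows(records):
        lines.append(f"{chart} " + " ".join(str(d[s]) for s in SEVERITIES) + f" {arrow}")
    return lines

def upgrade_removes(record, gate=("critical", "high")):
    """Number of critical/high CVEs the latest chart would remove; a CI job can fail when > 0."""
    d = compute_diff(record)
    return sum(max(d[s], 0) for s in gate)

if __name__ == "__main__":
    print("\n".join(format_summary([ALLOY, GRAFANA])))
```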
All HTTP requests are cached; run the command with `-clear-cache` to clear the cache. The cache is also invalidated every now and then.
Installation
```
go install git.sr.ht/~slarwise/devkekops@latest
# or
git clone https://git.sr.ht/~slarwise/devkekops
cd devkekops
go install .
```
FAQ
- Where do I find the helm repo for a chart? I don't know, helm is not very user-friendly. And why are we not just using a proper programming language instead of this untyped template EnGiNe that doesn't tell you which values are required?
TODO
- Some helm charts have required values; make it possible to pass values like in `helm template`.
- Trivy imports all packages available on github, the binary is massive and compilation takes forever. Find an alternative.