vulnerability-analysis

module
v0.0.4
Published: Jul 9, 2024 License: Apache-2.0

Vulnerability Analysis

What's this tool?

This tool is meant to be used during image promotion: based on its exit code, a pipeline can allow or block an image from being promoted according to the security vulnerabilities found in it. Exit codes:

  • 0: Image was found and has the number of vulnerabilities below the thresholds
  • 1: Image was found and has the number of vulnerabilities above the thresholds
  • 2: Something went wrong on the execution (e.g., report for the image not found)

Supported Integrations

The goal of this tool is to support multiple vulnerability scanner integrations. Currently supported:

Trivy

When invoked with the trivy argument, the tool pulls the aquasecurity.github.io/v1alpha1.VulnerabilityReport for the given namespace and image and analyses the report according to the configuration file passed. To wait for the report to appear, pass the optional --timeout flag: the tool then keeps retrying with exponential backoff until the timeout is reached. If you pass 0, it retries forever.

Usage
make build
./vulcheck trivy -n <namespace> -i <registry>/<imageName>:<imageVersion> -c <config-file-path> -t <timeout>

Testing

For testing, we're spinning up a minikube and adding the necessary CRDs and resources. For local development, you can execute:

minikube start
make apply-test-resources
make test

CI will do a similar setup: create a minikube cluster, apply the CRDs and resources, and execute the tests.

Merging to main will also trigger the tests, and it will create a semantic version tag if tests are successful.

Default Thresholds

This tool analyses the number of vulnerabilities per severity and, based on a threshold, either succeeds or fails. The current defaults are:

  • Critical: 2
  • High: -
  • Medium: -
  • Low: -
  • Unknown: -

Config file

Default config file

The application reads a config file to learn the configured thresholds. If no path is given, it tries to read ./config/config.yaml. You may specify the path by passing the --config flag to the client. The config file has the following structure:

threshold:
  criticalCount: 2
  highCount: 1001
  mediumCount: 1002
  lowCount: 1003
  unknownCount: 1004

All fields are optional. If you leave any field unspecified, it takes the default value described above.
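As an added illustration (not code from the vulnerability-analysis project), the Go below models the decision described in the Trivy section and by the config thresholds: it decodes a constructed VulnerabilityReport document, applies thresholds where an unset field is unenforced (assumed to be what "-" in the defaults table means), treats a count equal to its threshold as passing (an assumption; the README only says "below" and "above"), and maps the outcome to the three documented exit codes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

const ExitOK, ExitBlocked, ExitError = 0, 1, 2 // README exit codes: promote, block, execution error

// Summary is report.summary of a v1alpha1 VulnerabilityReport; encoding/json matches the camelCase keys case-insensitively.
type Summary struct{ CriticalCount, HighCount, MediumCount, LowCount, UnknownCount int }

// Thresholds mirrors the threshold block of config.yaml; nil means unenforced (assumed meaning of "-" in the defaults).
type Thresholds struct{ CriticalCount, HighCount, MediumCount, LowCount, UnknownCount *int }

// DefaultThresholds enforces only Critical: 2, as in the README defaults.
func DefaultThresholds() Thresholds { two := 2; return Thresholds{CriticalCount: &two} }

// exceeds is true when a count is strictly above an enforced threshold.
func exceeds(count int, limit *int) bool { return limit != nil && count > *limit }

// Evaluate maps a report summary to exit code 0 (promote) or 1 (block).
func Evaluate(s Summary, t Thresholds) int {
	if exceeds(s.CriticalCount, t.CriticalCount) || exceeds(s.HighCount, t.HighCount) ||
		exceeds(s.MediumCount, t.MediumCount) || exceeds(s.LowCount, t.LowCount) ||
		exceeds(s.UnknownCount, t.UnknownCount) {
		return ExitBlocked
	}
	return ExitOK
}

// EvaluateReport decodes a VulnerabilityReport JSON document (as kubectl prints it with -o json);
// malformed input or a document without report.summary is exit code 2.
func EvaluateReport(raw []byte, t Thresholds) int {
	var vr struct{ Report struct{ Summary *Summary } }
	if err := json.Unmarshal(raw, &vr); err != nil || vr.Report.Summary == nil {
		return ExitError
	}
	return Evaluate(*vr.Report.Summary, t)
}

// Constructed sample report, not a real scan result.
const sampleReport = `{"kind":"VulnerabilityReport","report":{"summary":{"criticalCount":3,
"highCount":7,"mediumCount":12,"lowCount":4,"unknownCount":0}}}`

func main() {
	code := EvaluateReport([]byte(sampleReport), DefaultThresholds())
	fmt.Println("exit code:", code) // 1: three criticals exceed the default of 2
	os.Exit(code)
}
```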

Docker

You can build a Docker image with the tool embedded in it. To build, run:

make docker-build

To run the tool:

docker run -v <kube_config_path>:/root/.kube -v $(pwd):/cfg vulcheck:latest <integration> -n <namespace> -i <image> -c /cfg/vulnerability-config.yaml -t 60s

e.g.

docker run -v ${HOME}/.kube:/root/.kube -v $(pwd):/cfg vulcheck:latest trivy -n default -i ubuntu:latest  -c /cfg/testdata/config/config.yaml -t 60s
