{"id":26127433,"url":"https://github.com/banzaicloud/anchore-image-validator","last_synced_at":"2025-04-13T16:53:34.318Z","repository":{"id":33040563,"uuid":"148792724","full_name":"banzaicloud/anchore-image-validator","owner":"banzaicloud","description":" Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.","archived":false,"fork":false,"pushed_at":"2023-04-05T03:57:05.000Z","size":6696,"stargazers_count":44,"open_issues_count":3,"forks_count":10,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-27T07:48:04.023Z","etag":null,"topics":["cloud-native","golang","kubernetes","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/banzaicloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-14T13:30:49.000Z","updated_at":"2023-10-13T08:52:34.000Z","dependencies_parsed_at":"2024-06-18T21:16:31.827Z","dependency_job_id":"92f78517-456a-4c19-88e1-8e96ca458133","html_url":"https://github.com/banzaicloud/anchore-image-validator","commit_stats":null,"previous_names":[],"tags_count":47,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/banzaicloud%2Fanchore-image-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/banzaicloud%2Fanchore-image-validator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/banzaicloud%2Fanchore-image-validator/rele
ases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/banzaicloud%2Fanchore-image-validator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/banzaicloud","download_url":"https://codeload.github.com/banzaicloud/anchore-image-validator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248750009,"owners_count":21155682,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-native","golang","kubernetes","security"],"created_at":"2025-03-10T18:08:17.546Z","updated_at":"2025-04-13T16:53:34.295Z","avatar_url":"https://github.com/banzaicloud.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/banzaicloud/anchore-image-validator)](https://goreportcard.com/report/github.com/banzaicloud/anchore-image-validator)\n![license](http://img.shields.io/badge/license-Apache%20v2-orange.svg)\n[![Docker Automated build](https://img.shields.io/docker/automated/banzaicloud/anchore-image-validator.svg)](https://hub.docker.com/r/banzaicloud/anchore-image-validator/)\n# Anchore Image Validator\n\nAnchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.\n\nThis repository contains an [admission webhook](https://banzaicloud.com/blog/k8s-admission-webhooks/) server that can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. 
The server checks the image defined in the pod specification using the configured Anchore-engine API. If the result indicates that the image does not comply with the defined policy, k8s will reject the Pod creation request.\n\n- If an image is not valid, the release can be added to a *whitelist* resource (CRD) to bypass the blocking.\n- The results of image checks are stored as an *audit* resource (CRD) in a structured format.\n\n## Installing\n\n### Helm install\n\nInstall from the banzaicloud-stable repository.\n\nAdd the repository:\n```\n$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/\n$ helm repo update\n```\n\nInstall the chart:\n```\n$ helm install --set externalAnchore.anchoreHost=\u003cmy.anchore.host\u003e  --set externalAnchore.anchoreUser=\u003cusername\u003e --set externalAnchore.anchorePass=\u003cpassword\u003e banzaicloud-stable/anchore-policy-validator\n```\n\n### Manual install\nFor a manual install you need to define the following environment variables:\n\n|           ENV          |      Description      |\n|------------------------|-----------------------|\n|ANCHORE_ENGINE_USERNAME |Anchore-engine username|\n|ANCHORE_ENGINE_PASSWORD |Anchore-engine password|\n|ANCHORE_ENGINE_URL      |Anchore-engine URL     |\n\n\n### Accessing banzaicloud security features via the Kubernetes API:\n\n```shell\n$ curl http://\u003ck8s apiserver\u003e/apis/security.banzaicloud.com/v1alpha1\n```\n\n```json\n{\n  \"kind\": \"APIResourceList\",\n  \"apiVersion\": \"v1\",\n  \"groupVersion\": \"security.banzaicloud.com/v1alpha1\",\n  \"resources\": [\n    {\n      \"name\": \"whitelistitems\",\n      \"singularName\": \"whitelistitem\",\n      \"namespaced\": false,\n      \"kind\": \"WhiteListItem\",\n      \"verbs\": [ ... ],\n      \"shortNames\": [\n        \"wl\"\n      ]\n    },\n    {\n      \"name\": \"audits\",\n      \"singularName\": \"audit\",\n      \"namespaced\": false,\n      \"kind\": \"Audit\",\n      \"verbs\": [ ... 
]\n    }\n  ]\n}\n```\n\n#### Resources accessible via the `kubectl` command:\n\n```shell\n$ kubectl get whitelist\n$ kubectl get audit\n```\n\n\n#### Example whitelist:\n\n```yaml\napiVersion: security.banzaicloud.com/v1alpha1\nkind: WhiteListItem\nmetadata:\n  name: \u003cname of helm release\u003e\nspec:\n  reason: \u003cwhitelisting reason\u003e\n  creator: \u003ccreator\u003e\n  [regexp:] \u003coptional\u003e\n```\n\n#### Example audit:\n\n```yaml\napiVersion: security.banzaicloud.com/v1alpha1\nkind: Audit\nmetadata:\n  name: \u003cname of audit (generated from Pod OwnerReference)\u003e\n  ownerReferences:\n  - \u003cscanned Pod OwnerReference\u003e\nspec:\n  releaseName: \u003chelm release name\u003e\n  resource: pod\n  image:\n    - imageName: docker.io/image-name1\n      imageTag: latest\n      imageDigest: sha256:abcd1\n      lastUpdated: \"2018-11-11T14:35:38Z\"\n    - imageName: docker.io/image-name2\n      imageTag: latest\n      imageDigest: sha256:abcd2\n      lastUpdated: \"2018-11-11T14:35:38Z\"\n  result:\n    - \u003cdocker.io/image-name1 scan result\u003e\n    - \u003cdocker.io/image-name2 scan result\u003e\n  action: \u003callow or reject\u003e\nstatus:\n  [state:] \u003coptional\u003e\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbanzaicloud%2Fanchore-image-validator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbanzaicloud%2Fanchore-image-validator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbanzaicloud%2Fanchore-image-validator/lists"}