{"id":48088099,"url":"https://github.com/tnoff/oke-security-scanner","last_synced_at":"2026-04-04T15:25:49.328Z","repository":{"id":330369507,"uuid":"1121397060","full_name":"tnoff/oke-security-scanner","owner":"tnoff","description":"OKE Image Security Scanner","archived":false,"fork":false,"pushed_at":"2026-03-23T21:54:55.000Z","size":296,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-24T02:03:23.382Z","etag":null,"topics":["docker","k8s","oci","oke","security-scan"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tnoff.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-12-22T23:40:58.000Z","updated_at":"2026-03-23T21:54:59.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tnoff/oke-security-scanner","commit_stats":null,"previous_names":["tnoff/oke-security-scanner"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/tnoff/oke-security-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tnoff%2Foke-security-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tnoff%2Foke-security-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tnoff%2Foke-security-scanner/releases","manifests_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tnoff%2Foke-security-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tnoff","download_url":"https://codeload.github.com/tnoff/oke-security-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tnoff%2Foke-security-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31403958,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","k8s","oci","oke","security-scan"],"created_at":"2026-04-04T15:25:47.272Z","updated_at":"2026-04-04T15:25:49.305Z","avatar_url":"https://github.com/tnoff.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OKE Security Scanner\n\nAutomated vulnerability scanning for Docker images deployed in Oracle Kubernetes Engine (OKE) with OpenTelemetry observability.\n\n## Features\n\n| Feature | OKE Specific | Description |\n| ------- | ------------ | ----------- |\n| Security Scanner | No | Fetches all images in K8s cluster and runs trivy scanner |\n| Image Update Report | No | Checks for new versions of deployed images |\n| Image Cleanup | Yes | Cleanup OCIR images that do not match 
semver versioning |\n| OKE Node Image Check | Yes | Reports outdated OKE node/boot images for node pools |\n| Cache Management | No | Automatic cleanup of Trivy image cache after each scan to minimize disk usage |\n\n## Install and Usage\n\nInstall the requirements locally and run\n\n```\n$ pip install -r requirements.txt\n$ python -m src.main\n```\n\nOr use the Docker build\n\n```\n$ docker build .\n```\n\n## Authentication\n\n### Kubernetes\nFor Kubernetes auth, you can use local auth credentials or give a pod permissions to view the deployed images. See the [k8s](./k8s) folder for example auth roles.\n\n### OCI SDK\n\nThe scanner uses the OCI Python SDK for OCIR operations. It automatically derives:\n- **OCI Registry URL** from the region in your OCI config (e.g., `us-ashburn-1` → `iad.ocir.io`)\n- **OCI Namespace** from the Object Storage API\n\nConfigure your OCI credentials in `~/.oci/config`:\n\n```ini\n[DEFAULT]\nuser=ocid1.user.oc1..your-user-ocid\nfingerprint=your:fingerprint:here\ntenancy=ocid1.tenancy.oc1..your-tenancy-ocid\nregion=us-ashburn-1\nkey_file=~/.oci/oci_api_key.pem\n```\n\n### Docker Registry (`~/.docker/config.json`)\n\nDocker credentials from `~/.docker/config.json` are used in two places:\n- **Trivy** uses them to pull images for vulnerability scanning.\n- **Image Cleanup** uses them to fetch manifests via the Docker V2 API. 
When a kept image is a manifest list (multi-arch), the scanner reads its sub-manifests and protects them from deletion, preventing \"manifest unknown\" pull errors in the cluster.\n\n## Cache Management\n\nThe scanner automatically manages Trivy's cache to minimize disk usage, which is important when running in Kubernetes with ephemeral storage.\n\nAfter each image scan, the scanner removes the `fanal/` directory (cached image layers) while preserving:\n- `db/` - Vulnerability database (~50MB, updated once per run)\n- `java-db/` - Java vulnerability index\n\nThis approach:\n- Prevents disk exhaustion when scanning many large images\n- Avoids re-downloading the vulnerability database for each scan\n- Ensures cleanup happens even if scans fail or time out\n\nThe Trivy cache is located at `~/.cache/trivy/` (or `$TRIVY_CACHE_DIR` if set).\n\n## Configuration\n\n### Environment Variables\n\nAll configuration is provided via Kubernetes secrets as environment variables:\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `OTLP_ENDPOINT` | No | `http://localhost:4317` | OTLP collector endpoint |\n| `OTLP_INSECURE` | No | `true` | Use insecure gRPC connection |\n| `OTLP_TRACES_ENABLED` | No | `true` | Enable OTLP trace export |\n| `OTLP_METRICS_ENABLED` | No | `true` | Enable OTLP metrics export |\n| `OTLP_LOGS_ENABLED` | No | `true` | Enable OTLP logs export |\n| `TRIVY_SEVERITY` | No | `CRITICAL,HIGH` | Vulnerability severities to report |\n| `TRIVY_TIMEOUT` | No | `300` | Scan timeout in seconds |\n| `TRIVY_PLATFORM` | No | (auto) | Target platform for Trivy scans (e.g. 
`linux/amd64`) |\n| `SCAN_NAMESPACES` | No | (all) | Comma-separated namespaces to scan |\n| `EXCLUDE_NAMESPACES` | No | `kube-system,...` | Namespaces to exclude |\n| `DISCORD_WEBHOOK_URL` | No | (disabled) | Discord webhook URL for scan notifications |\n| `OCIR_CLEANUP_ENABLED` | No | `false` | Enable automatic deletion of old OCIR commit hash tags |\n| `OCIR_CLEANUP_KEEP_COUNT` | No | `5` | Number of recent commit hash tags to keep per repository |\n| `OCIR_EXTRA_REPOSITORIES` | No | `''` | Check extra repos for old images to remove |\n| `OKE_IMAGE_CHECK_ENABLED` | No | `false` | Enable OKE node image version checking |\n| `OKE_CLUSTER_OCID` | No | (required if enabled) | OCID of the OKE cluster to check node images for |\n\n\n## Required Permissions\n\nTo enable OCIR cleanup, the OCI user/principal must have the `manage repos in compartment \u003cname\u003e` permission for each compartment containing OCIR repositories. See the Prerequisites section for full IAM policy details.\n\n\n## Reporting\n\nLogs are written to the console by default; traces and metrics can also be exported through OTLP.\n\nA Discord webhook can also be provided to send a readable report.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftnoff%2Foke-security-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftnoff%2Foke-security-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftnoff%2Foke-security-scanner/lists"}