https://github.com/estafette/estafette-vulnerability-scanner

An application that regularly scans all containers in a Kubernetes cluster for vulnerabilities

# estafette-vulnerability-scanner

An application that regularly scans all images referenced by a Kubernetes cluster for vulnerabilities

[![License](https://img.shields.io/github/license/estafette/estafette-vulnerability-scanner.svg)](https://github.com/estafette/estafette-vulnerability-scanner/blob/master/LICENSE)

## Why?

To keep track of vulnerabilities in every image used in a cluster, this application scans all referenced images on an interval and exposes Prometheus metrics that identify the problematic images and their vulnerabilities. The scanner uses [Trivy](https://github.com/aquasecurity/trivy) and only reports vulnerabilities for which a fix is already available, so that every alert stays actionable.

## Installation

First install Helm (here via Homebrew):

```sh
brew install kubernetes-helm
```

Then install or upgrade with Helm:

```sh
helm repo add estafette https://helm.estafette.io
helm upgrade --install estafette-vulnerability-scanner --namespace estafette estafette/estafette-vulnerability-scanner
```

## Grafana dashboard

The dashboard can be imported into Grafana by loading the file at:

```
https://raw.githubusercontent.com/estafette/estafette-vulnerability-scanner/master/grafana/dashboard.json
```

![Grafana dashboard](https://raw.githubusercontent.com/estafette/estafette-vulnerability-scanner/master/grafana/grafana-dashboard.png)

## Prometheus alerts

To alert on detected vulnerabilities, add the following alerting rules to Prometheus:

```yaml
groups:
- name: estafette-vulnerability-scanner
  rules:
  - alert: CriticalSeverity
    expr: sum(estafette_vulnerability_scanner_detected_vulnerabilities{release="estafette-vulnerability-scanner",severity="CRITICAL"}) by (image) > 0
    for: 1h
    labels:
      severity: page
    annotations:
      description: A CRITICAL vulnerability has been detected in image {{ $labels.image }}
      summary: A CRITICAL vulnerability has been detected in image {{ $labels.image }}
  - alert: NonCriticalSeverity
    expr: sum(estafette_vulnerability_scanner_detected_vulnerabilities{release="estafette-vulnerability-scanner",severity=~"HIGH|MEDIUM|LOW|UNKNOWN"}) by (image) > 0
    for: 1h
    annotations:
      description: A non-critical vulnerability has been detected in image {{ $labels.image }}
      summary: A non-critical vulnerability has been detected in image {{ $labels.image }}
```
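A `promtool test rules` unit test for the two rules above, added here as an example and not part of the project; it assumes the rules were saved as `alerts.yaml` next to the test file, and the image names and vulnerability counts are constructed.

```yaml
# Run with: promtool test rules alerts_test.yaml
# Assumes the alerting rules above were saved as alerts.yaml in this directory.
rule_files:
  - alerts.yaml
evaluation_interval: 1m
tests:
  - interval: 1m
    # Constructed samples: one image with two fixable CRITICAL findings and one
    # with a single HIGH finding, both held constant for two hours (121 samples).
    input_series:
      - series: 'estafette_vulnerability_scanner_detected_vulnerabilities{release="estafette-vulnerability-scanner",severity="CRITICAL",image="example.invalid/app:1.0"}'
        values: '2+0x120'
      - series: 'estafette_vulnerability_scanner_detected_vulnerabilities{release="estafette-vulnerability-scanner",severity="HIGH",image="example.invalid/web:2.3"}'
        values: '1+0x120'
    alert_rule_test:
      # After the 1h hold period the CRITICAL image pages. sum(...) by (image)
      # drops the release and severity labels, so only image plus the static
      # severity=page label set by the rule remain on the alert.
      - eval_time: 1h
        alertname: CriticalSeverity
        exp_alerts:
          - exp_labels:
              severity: page
              image: example.invalid/app:1.0
            exp_annotations:
              description: A CRITICAL vulnerability has been detected in image example.invalid/app:1.0
              summary: A CRITICAL vulnerability has been detected in image example.invalid/app:1.0
      # The HIGH-only image fires the non-critical rule, which adds no labels
      # of its own; the CRITICAL image must not appear here.
      - eval_time: 1h
        alertname: NonCriticalSeverity
        exp_alerts:
          - exp_labels:
              image: example.invalid/web:2.3
            exp_annotations:
              description: A non-critical vulnerability has been detected in image example.invalid/web:2.3
              summary: A non-critical vulnerability has been detected in image example.invalid/web:2.3
```

If the `release` label in your Helm deployment differs from `estafette-vulnerability-scanner`, the selectors in both rules and in this test must change together, otherwise the rules silently match nothing.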