Skip to content

Discover vulnerabilities and container image misconfiguration in production environments.

License

Notifications You must be signed in to change notification settings

SDA-SE/cluster-image-scanner

Repository files navigation

ClusterImageScanner

Logo

Discover vulnerabilities and container image misconfiguration in production environments.

Introduction

The ClusterImageScanner detects images in a Kubernetes cluster and provides fast feedback based on various security tests. It is recommended to run the ClusterImageScanner in production environments in order to get up-to-date feedback on security issues where they have real impact.

Since the ClusterImageScanner itself is a service running within your Kubernetes cluster you can re-use your existing deployment procedures.

Overview

The following figure provides an overview: Overview The following steps are conducted.

  1. The Image Collector, as the name suggests, collects the different images from a container environment like a kubernetes cluster. The Collector creates a JSON file and including information like the cluster, the responsible team, and image.
  2. The Orchestrator (implemented via ArgoWorkflows) starts the workflow periodically (e.g. nightly)
  3. The images from the Collector can be pulled by the Image Fetcher
  4. These files are kept in a separate directory and from there they are passed to the scanner
  5. Multiple scanner are used, e.g. Dependency Track, Lifetime, Malware and further more.
  6. The vulnerability management system (in our case OWASP DefectDojo) then collects the results
  7. Non responded to findings are made available to the developers via a communication channel (Slack/Email).

Documentation Table of Contents

Video (English): SDA SE CluserImageScanner is going Open Source, 2021-03

Images

Images to be used by ArgoWorkflows are published in quay.io (2021-06-28):

  • cluster-image-scanner-scan-runasroot
  • cluster-image-scanner-scan-distroless
  • cluster-image-scanner-scan-lifetime
  • cluster-image-scanner-scan-malware
  • cluster-image-scanner-scan-new-version
  • cluster-image-scanner-imagefetcher
  • cluster-image-scanner-notifier
  • cluster-image-scanner-imagecollector
  • cluster-image-scanner-image-source-fetcher
  • cluster-image-scanner-workflow-runner
  • quay.io/sdase/image-metadata-collector
  • quay.io/sdase/defectdojo-client

cluster-image-scanner-base is the base for all cluster-image-scanner-* images.

Images are build with buildah. The env. parameters the image can be started with are documented via --config within the build.sh scripts within the images.

Contributing

We are looking forward to contributions. Take a look at our Contribution Guidelines before submitting Pull Requests.

Responsible Disclosure and Security

The SECURITY.md includes information on responsible disclosure and security related topics like security patches.

Deployment

Test

cd test_actions
export IS_MINIKUBE=true # if minikube is used
./setup.bash

Production

helm files are in deployment/helm.

Legal Notice

The purpose of the ClusterImageScanner is not to replace the penetration testers or make them obsolete. We strongly recommend running extensive tests by experienced penetration testers on all your applications. The ClusterImageScanner is to be used only for testing purpose of your running applications/containers. You need a written agreement of the organization of the environment under scan to scan components with the ClusterScanner.

Author Information

This project is developed by Signal Iduna and SDA SE.