docs: add Rekor SBOM attestation scanning #2893

Merged
merged 2 commits into from Sep 16, 2022
58 changes: 58 additions & 0 deletions docs/docs/attestation/rekor.md
@@ -0,0 +1,58 @@
# Scan SBOM attestation in Rekor

!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.

Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.

## Prerequisites
1. SBOM attestation stored in Rekor
- See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.


## Scanning
You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.

!!! note
`--sbom-sources` can be used only with `trivy image` at the moment.

```bash
$ trivy image --sbom-sources rekor otms61/alpine:3.7.3 [~/src/github.com/aquasecurity/trivy]
2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled
2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled
2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-16T17:37:13.258+0900 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json
2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor
2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine
2022-09-16T17:37:14.903+0900 INFO Detecting Alpine vulnerabilities...
2022-09-16T17:37:14.907+0900 INFO Number of language-specific files: 0
2022-09-16T17:37:14.908+0900 WARN This OS version is no longer supported by the distribution: alpine 3.7.3
2022-09-16T17:37:14.908+0900 WARN The vulnerability detection may be insufficient because security updates are not provided

otms61/alpine:3.7.3 (alpine 3.7.3)
==================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

```

If you have your own Rekor instance, you can specify the URL via `--rekor-url`.

```bash
$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
```

[rekor]: https://github.com/sigstore/rekor
[sbom-attest]: sbom.md#keyless-signing
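Review bot: the first command in the new `rekor.md` scan example carries the author's shell prompt suffix `[~/src/github.com/aquasecurity/trivy]` after the image name; anyone copying the line will pass it to Trivy as an extra argument, so trim it to `$ trivy image --sbom-sources rekor otms61/alpine:3.7.3`, matching the `--rekor-url` example further down. The page also leaves open two questions a reader relying on this for a security decision will ask: whether Trivy verifies the attestation's signature and signer identity before trusting the SBOM it contains, and what happens when no attestation for the image is found in Rekor (fallback to a normal image scan, or an error). One sentence on each, directly under the EXPERIMENTAL warning, would make the feature's trust boundary clear.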
1 change: 1 addition & 0 deletions docs/docs/attestation/sbom.md
Expand Up @@ -48,6 +48,7 @@ You can use Cosign to sign without keys by authenticating with an OpenID Connect
```bash
# The cyclonedx type is supported in Cosign v1.10.0 or later.
$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
# The following command uploads SBOM attestation to the public Rekor instance.
$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
```

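Review bot: the new comment in the keyless signing snippet should state the consequence, not just the destination: `cosign attest` with `COSIGN_EXPERIMENTAL=1` writes the SBOM attestation, including the full package inventory of `<IMAGE>`, to the public append-only Rekor log, where it cannot be removed later. Since this PR also adds `--rekor-url` on the Trivy side for private instances, it is worth saying here that an attestation uploaded to the public instance will not be found when scanning against a different `--rekor-url`.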
2 changes: 1 addition & 1 deletion docs/tutorials/kubernetes/kyverno.md
Expand Up @@ -8,7 +8,7 @@ This tutorial details

### Prerequisites
1. [Attestation of the vulnerability scan uploaded][vuln-attestation]
3. A running Kubernetes cluster that kubectl is connected to
2. A running Kubernetes cluster that kubectl is connected to

### Kyverno Policy to check attestation

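Review bot: the renumbering from `3.` to `2.` is correct, but the list will drift again on the next edit; Markdown renders ordered lists from the first number, so writing every item as `1.` avoids the kind of mistake this hunk fixes.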
1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -98,6 +98,7 @@ nav:
- Attestation:
- SBOM: docs/attestation/sbom.md
- Cosign Vulnerability Scan Record: docs/attestation/vuln.md
- SBOM Attestation in Rekor: docs/attestation/rekor.md
- Advanced:
- Modules: docs/advanced/modules.md
- Plugins: docs/advanced/plugins.md
4 changes: 2 additions & 2 deletions pkg/flag/scan_flags.go
Expand Up @@ -42,13 +42,13 @@ var (
Name: "sbom-sources",
ConfigName: "scan.sbom-sources",
Value: []string{},
Usage: "EXPERIMENTAL: SBOM sources (rekor)",
Usage: "[EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)",
}
RekorURLFlag = Flag{
Name: "rekor-url",
ConfigName: "scan.rekor-url",
Value: "https://rekor.sigstore.dev",
Usage: "EXPERIMENTAL: URL of Rekor server",
Usage: "[EXPERIMENTAL] address of rekor STL server",
}
)

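Review bot: in the `RekorURLFlag` usage string, `address of rekor STL server` is unclear; Rekor is a transparency log and "STL" is not an abbreviation users will recognise, so spell it out, e.g. `[EXPERIMENTAL] address of the Rekor transparency log server`, and capitalise `Rekor` as the new docs page does. The default `https://rekor.sigstore.dev` is already carried by `Value`, so the string need not repeat it.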