Kubescape roadmap items are labeled based on where the feature is used and by their maturity.
The features serve different stages of the workflow of the users:
- Development phase (writing Kubernetes manifests) - example: The VS Code extension is used while editing YAMLs.
- CI phase (integrating manifests to GIT repo) - example: GitHub action validating HELM charts on PRs.
- CD phase (deploying applications in Kubernetes) - example: running a cluster scan after a new deployment.
- Monitoring phase (scanning application in Kubernetes) - example: Prometheus scraping the cluster security risk.
The items in the Kubescape roadmap are split into 3 major groups based on the feature planning maturity:
- Planning - we have tickets open for these issues with a more or less clear vision of design.
- Backlog - features that were discussed at a high level but are not ready for development.
- Wishlist - features that we are dreaming of in 😀 and want to push them gradually forward.
-
We want the Kubescape scan results (both cluster and image scan) to be stored in the cluster locally as
CRDs. This will lead to an easier integration with results by other projects as well as with scripting viakubectl. Along with this, the image scan based controls will be able to avoid accessing external resources for image vulnerability scan results. -
Implementing an eBPF agent (based on Falco or Tracee) which tracks file activity in workloads to prioritize container image vulnerabilities.
-
Create a security issue prioritization engine that scores resources based on control based attack chains. All Kubescape controls can be arranged into attack categories of the MITRE Attack matrix. The Attack matrix categories can be connected to each other based on a theoretical attack (ie. you can't have privilege escalation without initial access). Each of the Kubescape controls is to be categorized in these system and Kubescape will calculate a priority score based on the interconnections between failed controls.
We want to expand Kubescape to integrate with different image registries and read image vulnerability information from there. This will allow Kubescape to give contextual security information about vulnerabilities. Container registry integration.
-
Add functionality to Kubescape CLI to trigger operations in Kubescape cluster components (example: trigger image scans, etc.)
-
Create insightful GitHub actions for Kubescape.
-
Today, Kubescape can point to issues in the Kubernetes object. We want to develop this feature so Kubescape will be able to point to the misconfigured source file (HELM).
-
Producing scan results in the context of HELM.
-
Implement admission controller API for Kubescape microservice to enable users to use Kubescape rules as policies.
-
Use Kubescape as a YAML validator for
kubectland others. -
Connect Kubescape to the audit log stream to enable it to produce more contextual security information based on how the API service is used.
-
Interactive terminal based user interface which helps to analyze and fix issues.
-
Images scanners cannot determine which packages were used to build Go executables and we want to scan them for vulnerabilities.
-
Scan image or Dockerfile to determine whether it is using security best practices (like root containers).
-
Enable users to define their own Rego base rules.
-
Jenkins and etc. 😀
- Kubelet configuration validation
- API server configuration validation
- Image vulnerability scanning based controls
- Assisted remediation (telling where/what to fix)
- Integration with Prometheus
- Configuration of controls (customizing rules for a given environment)
- Installation in the cluster for continuous monitoring
- Host scanner
- Cloud vendor API integration
- Custom exceptions
- Custom frameworks