Discover vulnerabilities and container image misconfiguration in production environments.
The Cluster Scanner detects images in a Kubernetes cluster and provides fast feedback based on various security tests. It is recommended to run the Cluster Scanner in production environments in order to get up-to-date feedback on security issues where they have real impact.
Since the Cluster Scanner itself is a service running within your Kubernetes cluster you can re-use your existing deployment procedures.
The following figure provides an overview:
The following steps are conducted.
- The Image Collector, as the name suggests, collects the different images from a container environment like a kubernetes cluster. The Collector creates a JSON file and including information like the cluster, the responsible team, and image.
- The Orchestrator (implemented via ArgoWorkflows) starts the workflow periodically (e.g. nightly)
- The images from the Collector can be pulled by the Image Fetcher
- These files are kept in a separate directory and from there they are passed to the scanner
- This scanner - which then receives the libraries to be ignored via the suppressions file - then executes the scans described in the definitions of Dependency Check, Lifetime, Virus and further more.
- The vulnerability management system (in our case OWASP DefectDojo) then collects the results
- Non responded to findings are made available to the developers via a communication channel (Slack/Email).
Video (English): SDA SE CluserScanner is going Open Source, 2021-03
Images to be used by ArgoWorkflows are published in quay.io (2021-06-28):
quay.io/sdase/clusterscanner-scan-dependency-check
quay.io/sdase/clusterscanner-scan-runasroot
quay.io/sdase/clusterscanner-scan-distroless
quay.io/sdase/clusterscanner-scan-lifetime
quay.io/sdase/clusterscanner-imagefetcher
quay.io/sdase/clusterscanner-notifier
quay.io/sdase/clusterscanner-imagecollector
quay.io/sdase/clusterscanner-image-source-fetcher
quay.io/sdase/clusterscanner-workflow-runner
- quay.io/sdase/defectdojo-client
quay.io/sdase/clusterscanner-base
is the base for all quay.io/sdase/clusterscanner-*
images.
Images are build with buildah. The env. parameters the image can be started with are documented via --config within the build.sh scripts within the images.
We are looking forward to contributions. Take a look at our Contribution Guidelines before submitting Pull Requests.
The SECURITY.md includes information on responsible disclosure and security related topics like security patches.
The purpose of the ClusterScanner is not to replace the penetration testers or make them obsolete. We strongly recommend running extensive tests by experienced penetration testers on all your applications. The ClusterScanner is to be used only for testing purpose of your running applications/containers. You need a written agreement of the organization of the environment under scan to scan components with the ClusterScanner.
This project is developed by Signal Iduna and SDA SE.