kubei v2.4 releases: tool for detection and management of (SBOM) and vulnerabilities of container images and filesystems

kubei

KubeClarity is a tool for the detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security.

SBOM & vulnerability detection challenges

• Effective vulnerability scanning requires an accurate Software Bill Of Materials (SBOM) detection:
  • Various programming languages and package managers
  • Various OS distributions
  • Package dependency information is usually stripped upon build
• Which one is the best scanner/SBOM analyzer?
• What should we scan: Git repos, builds, container images or runtime?
• Each scanner/analyzer has its own format – how to compare the results?
• How to manage the discovered SBOM and vulnerabilities?
• How are my applications affected by a newly discovered vulnerability?

Solution

• Separate vulnerability scanning into 2 phases:
  • Content analysis to generate SBOM
  • Scan the SBOM for vulnerabilities
• Create a pluggable infrastructure to:
  • Run several content analyzers in parallel
  • Run several vulnerability scanners in parallel
• Scan and merge results between different CI stages using KubeClarity CLI
• Runtime K8s scan to detect vulnerabilities discovered post-deployment
• Group scanned resources (images/directories) under defined applications to navigate the object tree dependencies (applications, resources, packages, vulnerabilities)

Features

• Dashboard
  • Fixable vulnerabilities per severity
  • Top 5 vulnerable elements (applications, resources, packages)
  • New vulnerabilities trends
  • Package count per license type
  • Package count per programming language
  • General counters
• Applications
  • Automatic application detection in K8s runtime
  • Create/edit/delete applications
  • Per application, navigation to related:
    • Resources (images/directories)
    • Packages
    • Vulnerabilities
    • Licenses in use by the resources
• Application Resources (images/directories)
  • Per resource, navigation to related:
    • Applications
    • Packages
    • Vulnerabilities
• Packages
  • Per package, navigation to related:
    • Applications
    • Linkable list of resources and the detecting SBOM analyzers
    • Vulnerabilities
• Vulnerabilities
  • Per vulnerability, navigation to related:
    • Applications
    • Resources
    • List of detecting scanners
• K8s Runtime scan
  • Automatic detection of target namespaces
  • Scan progress and result navigation per affected element (applications, resources, packages, vulnerabilities)
• CLI (CI/CD)
  • SBOM generation using multiple integrated content analyzers (Syft, cyclonedx-gomod)
  • SBOM/image/directory vulnerability scanning using multiple integrated scanners (Grype, Dependency-track)
  • Merging of SBOM and vulnerabilities across different CI/CD stages
  • Export results to KubeClarity backend
• API
  • The API for KubeClarity can be found here

High-level architecture

Changelog v2.4

260fd36 UI small updates (#184)
fdf98f0 doc: update logo (#174)
3712f7e e2e tests (#164)
0f1937d feat(charts): resource limits (#182)
ef03ccd feat(helm): make scanner jobs and pods labels configurable (#180)
7f5409a feat(helm): make scanner pods tolerations configurable (#189)
453bf89 feat: display scan end time (#194)
b1ae91f fix: applications modal alignment & label details (#193)
04b4bf2 fix: image parsing issue in the case of SBOM input. (#178)
613daf8 fix: remove high and critical vulnerabilities (#190)
0a36be2 fix: replace github.com/hashicorp/go-getter (#196)

Download

Copyright 2020 Portshift

Source: https://github.com/Portshift/