kubeclarity: tool for detection and management of (SBOM) and vulnerabilities of container images and filesystems

by ddos ·

kubeclarity

KubeClarity is a tool for the detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security.

SBOM & vulnerability detection challenges

  • Effective vulnerability scanning requires an accurate Software Bill Of Materials (SBOM) detection:
    • Various programming languages and package managers
    • Various OS distributions
    • Package dependency information is usually stripped upon build
  • Which one is the best scanner/SBOM analyzer?
  • What should we scan: Git repos, builds, container images or runtime?
  • Each scanner/analyzer has its own format – how to compare the results?
  • How to manage the discovered SBOM and vulnerabilities?
  • How are my applications affected by a newly discovered vulnerability?

Solution

  • Separate vulnerability scanning into 2 phases:
    • Content analysis to generate SBOM
    • Scan the SBOM for vulnerabilities
  • Create a pluggable infrastructure to:
    • Run several content analyzers in parallel
    • Run several vulnerability scanners in parallel
  • Scan and merge results between different CI stages using KubeClarity CLI
  • Runtime K8s scan to detect vulnerabilities discovered post-deployment
  • Group scanned resources (images/directories) under defined applications to navigate the object tree dependencies (applications, resources, packages, vulnerabilities)

Features

  • Dashboard
    • Fixable vulnerabilities per severity
    • Top 5 vulnerable elements (applications, resources, packages)
    • New vulnerabilities trends
    • Package count per license type
    • Package count per programming language
    • General counters
  • Applications
    • Automatic application detection in K8s runtime
    • Create/edit/delete applications
    • Per application, navigation to related:
      • Resources (images/directories)
      • Packages
      • Vulnerabilities
      • Licenses in use by the resources
  • Application Resources (images/directories)
    • Per resource, navigation to related:
      • Applications
      • Packages
      • Vulnerabilities
  • Packages
    • Per package, navigation to related:
      • Applications
      • Linkable list of resources and the detecting SBOM analyzers
      • Vulnerabilities
  • Vulnerabilities
    • Per vulnerability, navigation to related:
      • Applications
      • Resources
      • List of detecting scanners
  • K8s Runtime scan
    • Automatic detection of target namespaces
    • Scan progress and result navigation per affected element (applications, resources, packages, vulnerabilities)
  • CLI (CI/CD)
    • SBOM generation using multiple integrated content analyzers (Syft, cyclonedx-gomod)
    • SBOM/image/directory vulnerability scanning using multiple integrated scanners (Grype, Dependency-track)
    • Merging of SBOM and vulnerabilities across different CI/CD stages
    • Export results to KubeClarity backend
  • API
    • The API for KubeClarity can be found here

High-level architecture

 

Kubernetes runtime scanner

Download

Copyright 2020 Portshift

Source: https://github.com/openclarity/

Tags: kubeclarity