Open k0pper opened 2 years ago
At this particular moment we don't have anything on the roadmap. But I do think your points are a good start for a discussion on the security side.
@christophd I think this could be of interest to you
I would like to have some discussion on this: @christophd @squakez @davsclaus @lburgazzoli
I think this is something more general now: it's not only within containers, but across multiple runtimes.
We have camel-jbang, and we could have some kind of subcommand to check the safety?
Problem
I am working on evaluating Kamelets from different points of view. One of them is the question of how to make sure that containers spun up during the creation of an integration (whether with Java or Kamelets; I guess it doesn't matter for now) are safe.
Because there is no code in Kamelets, I quickly discarded the idea of code-scanning dependencies in Kamelets. It seems there is neither a feature in Camel-K nor an external tool that helps with that.
Possible Solution
I read about container scanning and found some tools related to it, like Clair, Trivy, and the container scanning feature in Snyk.
Questions
But is there an accepted/proven way to do something like a container scan of containers that are generated by Camel-K from a KameletBinding? Does anyone have experience with that?
Is there something planned in the future in terms of scanning the dependencies directly from the Kamelet without building the container?
Bonus question: when using Camel-K with minikube, how does one access the actual images created from the Kamelets?
Alex