Because Kubernetes is so popular nowadays, security plays a vital role. The main idea of the DOKS Supply Chain Security blueprint is to provide a starting point for developers to set up a CI/CD pipeline with integrated vulnerability scanning support. The main topics discussed revolve around supply chain security in the Kubernetes ecosystem.
In terms of tooling, we focus on Kubescape and Snyk, with a separate guide describing each tool. The accompanying examples show the user how to create a standard CI/CD workflow using GitHub Actions.
Main topics:
[x] Short introduction about each tool and features.
[x] Operation examples.
[x] GitHub workflow implementation of a typical CI/CD pipeline for both tools (Snyk, Kubescape).
[x] Export scan results to dashboards for later investigation (cloud portal, as well as GitHub Security).
[x] Scan results investigation and how to fix reported issues.
[x] Continuous monitoring for newly disclosed vulnerabilities.
[x] Basic Slack notification support.
[x] IDE support.
Additional topics to cover:
[x] Scan container images in the CI/CD pipeline (or GitHub workflow). Only Snyk supports this feature for now.
[ ] Image signing.
[ ] Admission controllers to allow or deny containers to run based on trust (works in conjunction with image signing).
Other enhancements and nice to haves:
[ ] Slack notifications sent from the GitHub workflow should include the desired and current risk score information for Kubescape (or security level for Snyk).
[ ] If possible, Slack notifications should present a cloud portal link which redirects to the application being scanned.
[x] Export scan results using GitHub SARIF format. Main benefit is that scan results can be viewed in the Security tab of the GitHub repo.
[ ] Run pipeline build steps only if source code changes - e.g. build and push app docker image only if the Dockerfile has changed and the image needs a rebuild.
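The following GitHub Actions workflow is an added example that ties together several of the topics listed above (the CI/CD pipeline for both tools, container image scanning with Snyk, SARIF export to the GitHub Security tab, a basic Slack notification, and running the build only when its inputs change); it is not a workflow file from this blueprint. The image name `ghcr.io/example-org/example-app`, the path filters, the secret names, and the `format`/`outputFile` inputs of the Kubescape action are assumptions; check the latter against the action's own README before use.

```yaml
name: supply-chain-scan
# Added example workflow, not the blueprint's own file. Assumed values are
# marked in comments; everything else uses documented CLI flags and actions.

on:
  push:
    branches: [main]
    # Build and scan only when the image inputs or the manifests change
    # (assumed repository layout: Dockerfile, src/, k8s/).
    paths:
      - "Dockerfile"
      - "src/**"
      - "k8s/**"
  schedule:
    # Re-scan weekly so newly disclosed vulnerabilities surface without a code change.
    - cron: "0 6 * * 1"

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Placeholder image name; replace with the real registry path.
      IMAGE: ghcr.io/example-org/example-app:${{ github.sha }}
    steps:
      - uses: actions/checkout@v3

      - name: Build container image
        run: docker build -t "$IMAGE" .

      - name: Snyk container scan (SARIF output)
        id: snyk
        # Do not stop the job on findings: the SARIF upload below must still run.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed secret name
        run: |
          npm install -g snyk
          snyk container test "$IMAGE" \
            --file=Dockerfile \
            --severity-threshold=high \
            --sarif-file-output=snyk-container.sarif

      - name: Kubescape manifest scan (SARIF output)
        id: kubescape
        continue-on-error: true
        uses: kubescape/github-action@main
        with:
          files: "k8s/"          # assumed input name and manifest directory
          frameworks: nsa        # assumed input name
          format: sarif          # assumed input name
          outputFile: kubescape  # assumed input name; produces kubescape.sarif

      - name: Upload Snyk results to the Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk-container.sarif
          category: snyk-container

      - name: Upload Kubescape results to the Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: kubescape.sarif
          category: kubescape

      - name: Basic Slack notification on findings
        # Fires when either scanner reported a failure (findings above threshold).
        if: steps.snyk.outcome == 'failure' || steps.kubescape.outcome == 'failure'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}   # assumed secret name
        run: |
          curl -sS -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"Supply chain scan found issues in ${GITHUB_REPOSITORY} (${GITHUB_SHA}). See the Security tab.\"}" \
            "$SLACK_WEBHOOK_URL"
```

The `continue-on-error` settings are deliberate: a scanner that exits non-zero on findings would otherwise abort the job before the SARIF files reach the Security tab, which is where the results are meant to be investigated. The `paths` filter implements the build-only-on-change item; the `schedule` trigger covers continuous monitoring for newly disclosed vulnerabilities in images and manifests that have not changed.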