We launched ChartCenter with vulnerability scanning from JFrog Xray and quickly realized that most charts have some components (and base layers inside containers) with vulnerabilities. These components are widely used and show up in many Helm chart dependencies.
Our goal is to work with Helm chart maintainers on creating safer charts moving forward. We’ve already had great discussions with partners on the value of seeing this information in one place, but they also had concerns about not having the correct level of control in mitigating issues - especially on the ChartCenter UI. We decided to build out a way for chart maintainers to provide “maintainer notes” and an overall “mitigation summary”. You can see how that works here.
Our next goal is to understand how to improve this feature. We’re considering creating a login experience where chart maintainers will have a dedicated portal on ChartCenter where they can login to and see a full list of vulnerabilities (high severity issues to low and unknown issues) and be able to tag CVE IDs inside the GUI to provide their notes. This feature is all about opening up the conversation between Helm chart users and Helm chart creators and making the community safer for all.
Proposal Details
Chart Maintainers should be able to:
Visit ChartCenter and be able to Create a Username if you have a chart on the center
Be able to login and see the full scan that JFrog Xray provides for public vulnerabilities
Be able to see high, medium, low, and unknown severities using the CVSS v2 ratings
Be able to tag CVE IDs in the UI and set a chart range
Be able to tag CVE IDs in the UI and set an application range
Be able to see statistics / graph view of security over time
Should the authenticated login also be able to support chart/repo inclusion?
The ability to toggle high severity issues on/off so there is time to mitigate.
Additional considerations
What would else would you like to see in an authenticated login experience regarding security and mitigation on ChartCenter?
Issue to Discuss
We launched ChartCenter with vulnerability scanning from JFrog Xray and quickly realized that most charts have some components (and base layers inside containers) with vulnerabilities. These components are widely used and show up in many Helm chart dependencies.
Our goal is to work with Helm chart maintainers on creating safer charts moving forward. We’ve already had great discussions with partners on the value of seeing this information in one place, but they also had concerns about not having the correct level of control in mitigating issues - especially on the ChartCenter UI. We decided to build out a way for chart maintainers to provide “maintainer notes” and an overall “mitigation summary”. You can see how that works here.
Our next goal is to understand how to improve this feature. We’re considering creating a login experience where chart maintainers will have a dedicated portal on ChartCenter where they can login to and see a full list of vulnerabilities (high severity issues to low and unknown issues) and be able to tag CVE IDs inside the GUI to provide their notes. This feature is all about opening up the conversation between Helm chart users and Helm chart creators and making the community safer for all.
Proposal Details
Chart Maintainers should be able to:
Additional considerations
What would else would you like to see in an authenticated login experience regarding security and mitigation on ChartCenter?