sokube / kciss

Apache License 2.0

possible migration to the trivy-operator #12

Open Frankkkkk opened 2 years ago

Frankkkkk commented 2 years ago

The trivy-operator is a really recent project (created last month) which seems to be taking off fast. Their goal seems tightly related to kciss.

Among other things, it offers the VulnerabilityReport CRD which represents the trivy vulnerabilities for each of the running images in a cluster. For example:

$ kl get vulnerabilityreports.aquasecurity.github.io  -o wide
NAME                                REPOSITORY       TAG      SCANNER   AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
replicaset-nginx-59776c8fb-nginx    library/nginx    1.16     Trivy     105s    37         75     53       116   1
replicaset-nginx-59776c8fb-ubuntu   library/ubuntu   latest   Trivy     105s    0          0      6        15    0

It would be interesting to know how kciss could delegate some of its tasks to the trivy operator (even maybe all of them). AFAIK, the following features of kciss are:

What do you think? I think that we should wait a bit to see where the trivy operator project goes and then either deprecate kciss or convert it to a plugin that would rely on trivy-operator.

JGodin-C2C commented 2 years ago

Hey there. So, FYI, this is the kind of report that the exporter actually brings up:

trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Critical"} 5
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="High"} 24
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Low"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Medium"} 4
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Unknown"} 0

Please note the "name" field that points to the actual full report in the namespace of the pod. Also, aquasecurity documents how to use a private registry.
https://aquasecurity.github.io/trivy-operator/v0.0.8/vulnerability-scanning/private-registries/
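As an added example (not code from kciss or trivy-operator), here is a small Python parser for the exporter lines quoted in the comment above: it aggregates `trivy_vulnerabilityreport_image_vulnerabilities` samples per namespace/report/image and flags reports whose Critical or High counts exceed a threshold. The sample text is copied from the comment; the threshold values are assumptions.

```python
import re
from collections import defaultdict

# Prometheus exposition lines copied from the comment above
# (image_digest is empty there, as in the exporter output shown).
SAMPLE_METRICS = """\
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Critical"} 5
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="High"} 24
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Low"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Medium"} 4
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Unknown"} 0
"""

METRIC = "trivy_vulnerabilityreport_image_vulnerabilities"
# One sample line: metric name, {label="value",...}, numeric value.
SAMPLE_RE = re.compile(r'^(\w+)\{([^}]*)\}\s+(\S+)\s*$')
# Label values are double-quoted; accept backslash-escaped quotes inside them.
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_samples(text):
    """Yield (metric, labels, value) for each non-comment sample line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        labels = dict(LABEL_RE.findall(m.group(2)))
        yield m.group(1), labels, float(m.group(3))

def summarize(text):
    """Map (namespace, report name, image ref) -> {severity: count}."""
    out = defaultdict(dict)
    for metric, labels, value in parse_samples(text):
        if metric != METRIC:
            continue
        image = f'{labels["image_registry"]}/{labels["image_repository"]}:{labels["image_tag"]}'
        key = (labels["namespace"], labels["name"], image)
        out[key][labels["severity"]] = int(value)
    return dict(out)

def over_threshold(summary, max_critical=0, max_high=10):
    """Return the report keys whose Critical or High counts exceed the limits (assumed defaults)."""
    return sorted(
        key for key, sev in summary.items()
        if sev.get("Critical", 0) > max_critical or sev.get("High", 0) > max_high
    )
```

The "name" label in each key is the VulnerabilityReport object to open with kubectl in that namespace for the full finding list.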