Skip to content
This repository has been archived by the owner on Feb 5, 2024. It is now read-only.

Latest commit

 

History

History
233 lines (184 loc) · 8.8 KB

README.md

File metadata and controls

233 lines (184 loc) · 8.8 KB

release Go Version Release License Tweet

iSKan | Kubernetes Native Image Scanning

iskan

Harness your existing Container Image Vulnerability Scanning information to your Kubernetes Cluster. iskan enables you to:

  • Plug one or more container image vulnerability providers such as ECR, GCR, Azure, Harbor and others
  • Analyse the running Pods and their containers for known vulnerabilities.
  • Control the scan scope to certain namespaces
  • Filter scan results by: Severity, CVSS Score, Fixable CVEs, and even snooze specific CVEs.
Supported Vulnerability Scan Providers
  • AWS ECR
  • GCP GCR
  • Azure ACR (Preview)
  • Rapid7 InsightVM (Preview)
  • Harbor - v2.0 API
  • Inline Local Scanner - Trivy (Experimental)

Install

Download the latest from the release page

curl https://raw.githubusercontent.com/alcideio/iskan/master/download.sh | bash

Usage

Scan Your Cluster

iskan --cluster-context mycluster --api-config myconfig.yaml
iskan cluster command reference(Click to expand)
  Get vulnerabilities information on the presently running containers

  Usage:
    iskan cluster [flags]

  Aliases:
    cluster, scan-cluster

  Flags:
    -c, --api-config string          The Vulnerability API configuration file name
        --cluster-context string     Cluster Context .use 'kubectl config get-contexts' to list available contexts
        --filter-cvss float32        Include CVEs with CVSS score greater or equal than the specified number. Valid values: 0.0-10.0
        --filter-fixable-only        Include CVEs with which are fixable
        --filter-severity string     Select which severities to include. Comma seperated MINIMAL,LOW,MEDIUM,HIGH,CRITICAL
    -f, --format string              Output format. Supported formats: json | yaml | html (default "json")
    -h, --help                       help for cluster
        --namespace-exclude string   Namespaces to exclude from the scan (default "kube-system")
        --namespace-include string   Namespaces to include in the scan (default "*")
    -o, --outfile string             Output file name. Use '-' to output to stdout (default "alcide-iskan.report")
    -r, --report-config string       The Report configuration file name
        --scan-api-burst int32       Maximum burst for throttle (default 100)
        --scan-api-qps float32       Indicates the maximum QPS to the vuln providers (default 30)

  Global Flags:
    -v, --v Level   number for the log level verbosity
Example Vulnerability API Configuration File (Click to expand)
providers:
  - kind: "gcr"
    repository: "gcr.io/yourproject"
    creds:
      gcr: |
        {
          "type": "service_account",
          "project_id": "yourproject",
          "private_key_id": "XXX",
          "private_key": "",
          "client_email": "imagevulreader@yourproject.iam.gserviceaccount.com",
          "client_id": "666",
          "auth_uri": "https://accounts.google.com/o/oauth2/auth",
          "token_uri": "https://oauth2.googleapis.com/token",
          "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
          "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/imagevulreader%40yourproject.iam.gserviceaccount.com"
        }
  - kind: "ecr"
    repository: "yourawsaccount.dkr.ecr.us-west-2.amazonaws.com/iskan"
    creds:
      ecr:
        accessKeyId: AWSKEY
        secretAccessKey: AWSSECRET
        region: us-west-2
  - kind: "acr"
    repository: "alcide.azurecr.io/iskan"
    creds:
      acr:
        tenantId: mytenantid
        subscriptionId: subscrrptionId
        clientId: clientId
        clientSecret: clientsecret
        cloudName: "AZUREPUBLICCLOUD"
  - kind: "trivy"
    # Use "*" for a capture all images
    repository: "*"
    creds:
      trivy:
        debugMode: false

  - kind: "harbor"
    repository: "core.harbor.domain"
    creds:
      harbor:
        host: "core.harbor.domain"
        username: admin
        password: Harbor12345
        insecure: false

  - kind: "insightvm"
    repository: "alcide/iskan"
    creds:
      insightvm:
        apikey: "your-api-key"
        region: "us"
Vulnerabilities Provider API References
Provider References
ECR ECR Policies, ECR Image Scanning
GCR Enabling the Container Scanning API
ACR Azure Defender, Vulnerability Assessment in Azure
InsightVM InsightVM Container Security
Harbor Harbor Administration
Trivy Trivy on GitHub

Scan Image

The primary use case for this is to test your vulnerability provider api configuration

Get vulnerabilities information for a given container image

Usage:
  iskan image [flags]

Aliases:
  image, scan-image, i, container, scan-container

Examples:
iskan image --image="gcr.io/myproj/path/to/myimage:v1.0" --api-config myconfig.yaml -f table --filter-severity CRITICAL,HIGH

Flags:
  -c, --api-config string        The Vulnerability API configuration file name
      --filter-cvss float32      Include CVEs with CVSS score greater or equal than the specified number. Valid values: 0.0-10.0
      --filter-fixable-only      Include CVEs with which are fixable
      --filter-severity string   Select which severities to include. Comma seperated MINIMAL,LOW,MEDIUM,HIGH,CRITICAL
  -f, --format string            Output format. Supported formats: json | yaml | table (default "json")
  -h, --help                     help for image
  -i, --image string             container image for which vulnerabilities information should be obtained

Global Flags:
  -v, --v Level   number for the log level verbosity

Milestones

Click To See List
  • Multiple Vulnerability API Providers (ECR, GCR)
  • Coverage Report
  • E2E
  • Binary Release
  • Scope & Exception Configuration
  • Docker Images
  • Cluster Scan CronJob (Helm Install)
  • Public image scan support using inline scan engine
  • Report export to 3rd party integrations (Slack, Webhook, ...)
  • Report formats (json, yaml)
  • Fancy HTML report
  • Examples & Documentation
  • Running in watch mode
  • kubectl iskan plugin

Contributing

Bugs

If you think you have found a bug please follow the instructions below.

  • Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate.
  • Open a new issue if a duplicate doesn't already exist.

Features

If you have an idea to enhance iskan follow the steps below.

  • Open a new issue.
  • Remember users might be searching for your issue in the future, so please give it a meaningful title to helps others.
  • Clearly define the use case, using concrete examples.
  • Feel free to include any technical design for your feature.

Pull Requests

  • Your PR is more likely to be accepted if it focuses on just one change.
  • Please include a comment with the results before and after your change.
  • Your PR is more likely to be accepted if it includes tests.
  • You're welcome to submit a draft PR if you would like early feedback on an idea or an approach.

Stargazers over time