Giter Site home page Giter Site logo

hnts / vulnerability-exporter Goto Github PK

View Code? Open in Web Editor NEW
26.0 3.0 2.0 509 KB

A Prometheus Exporter for managing vulnerabilities in kubernetes by using trivy

License: MIT License

Go 98.63% Dockerfile 1.37%
kubernetes prometheus-exporter trivy prometheus vulnerability-management

vulnerability-exporter's Introduction

Kubernetes Vulnerability Exporter

A Prometheus Exporter for managing vulnerabilities in kubernetes by using trivy

Abstract

! This project is under development.

Vulnerability exporter scan and export vulnerabilities of images and nodes in kubernetes cluster.

Inspirated by kube-trivy-expoter.

Image Scan

Image Scan scans for vulnerabilities in container images of workloads deployed in kubernetes.

trivy_image_vulnerabilities{namespace="argocd", fixedVersion="0.3.3", image="ghcr.io/dexidp/dex:v2.27.0", installedVersion="v0.3.2",layer="sha256:d8d076827e5aadd843d9da261228639f575be6e840b463e99381e6d861be90fc", pkgName="golang.org/x/text", severity="HIGH", vulnerabilityId="CVE-2020-14040", workloadKind="Deployment", workloadName="argocd-dex-server"}

View metrics by using Grafana

image_scan_metrics

Node Scan

Image Scan scans vulnerabilities of the nodes of kuberntes cluster.

trivy_node_vulnerabilities{fixedVersion="0.12.3", installedVersion="0.12.2",nodeName="master-node", pkgName="Flask", severity="HIGH" vulnerabilityId="CVE-2018-1000656"}

View metrics by using Grafana

node_scan_metrics

Installation

$ kubectl apply -k deploy

vulnerability-exporter's People

Contributors

hnts avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

bhishma14

vulnerability-exporter's Issues

Bug: Cannot scan images in cluster

While testing your promising project, I got multiple issues with image scanning manifesting themselves with log a message as follows:

W0125 13:00:47.694272       1 image.go:112] failed to scan image(quay.io/prometheus/alertmanager:v0.23.0): failed to execute trivy image: exit status 1: 2022-01-25T13:00:47.692Z	FATAL	scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded

This is happening for all containers.

The application was installed using manifests in deploy directory but in a different namespace. All namespace-related settings were amended.

I can provide more info if needed, just tell me what you need :)

Trivy scanner detects critical vulnerability

Please fix: github.com/containerd/containerd

ghcr.io/hnts/vulnerability-exporter@sha256:0f5de554a9fd29f5293206bbdf4a755d7bdfcb2936e7afc3ca703de2f9426037 (alpine 3.15.0)
================================================================================================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


bin/vulnerability-exporter (gobinary)
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/trivy (gobinary)
==============================
Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

+--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
|               LIBRARY                | VULNERABILITY ID | SEVERITY |          INSTALLED VERSION           | FIXED VERSION |                 TITLE                 |
+--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
| github.com/containerd/containerd     | CVE-2021-43816   | CRITICAL | v1.5.8                               | 1.5.9         | containerd: Unprivileged pod          |
|                                      |                  |          |                                      |               | may bind mount any privileged         |
|                                      |                  |          |                                      |               | regular file on disk...               |
|                                      |                  |          |                                      |               | -->avd.aquasec.com/nvd/cve-2021-43816 |
+--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
| github.com/opencontainers/image-spec | GMS-2021-101     | UNKNOWN  | v1.0.2-0.20190823105129-775207bd45b6 | 1.0.2         | Clarify `mediaType` handling          |
+--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+

Not working with Bottlerocket OS / containerd runtime

Hi,

i have tested it on AWS EKS and Bottlerocket OS. And it is not working:

I0203 07:15:50.989758 1 root.go:80] Start vulnerability-exporter │ │ W0203 07:16:23.033610 1 image.go:124] failed to scan image(602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.1): failed to execute trivy image: exit status 1: 2022-02-03T07:16:22.986Z FATAL │ │ * unable to inspect the image (602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.1): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? │ │ * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory

Bottlerocket use containerd and not docker runtime.

Versions:

EKS: v1.21.5-eks-bc4871b
AMI: bottlerocket-aws-k8s-1.21-x86_64-v1.5.2-1602f3a8
Image: ghcr.io/hnts/vulnerability-exporter:v0.1.1

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.