README
¶
estafette-vulnerability-scanner
An application that regularly scans all images referenced by a Kubernetes cluster for vulnerabilities
Why?
In order to scan all used images in a cluster for vulnerabilities this application runs scans of all used images on an interval and outputs Prometheus metrics to indicate the problematic images and their vulnerabilities. The scanner makes use of the Trivy scanner and only looks for vulnerabilities that already have a fix out, to keep any alerts actionable.
Installation
Prepare using Helm:
brew install kubernetes-helm
Then install or upgrade with Helm:
helm repo add estafette https://helm.estafette.io
helm upgrade --install estafette-vulnerability-scanner --namespace estafette estafette/estafette-vulnerability-scanner
Grafana dashboard
The dashboard can be imported into Grafana by loading the file at:
https://raw.githubusercontent.com/estafette/estafette-vulnerability-scanner/master/grafana/dashboard.json
Prometheus alerts
To alert on detected vulnerabilities add the following alerting rules to Prometheus:
groups:
- name: estafette-vulnerability-scanner
rules:
- alert: CriticalSeverity
expr: sum(estafette_vulnerability_scanner_detected_vulnerabilities{release="estafette-vulnerability-scanner",severity="CRITICAL"}) by (image) > 0
for: 1h
labels:
severity: page
annotations:
description: A CRITICAL vulnerability has been detected in image {{ $labels.image }}
summary: A CRITICAL vulnerability has been detected in image {{ $labels.image }}
- alert: NonCriticalSeverity
expr: sum(estafette_vulnerability_scanner_detected_vulnerabilities{release="estafette-vulnerability-scanner",severity=~"HIGH|MEDIUM|LOW|UNKNOWN"}) by (image) > 0
for: 1h
annotations:
description: A non-critical vulnerability has been detected in image {{ $labels.image }}
summary: A non-critical vulnerability has been detected in image {{ $labels.image }}
Documentation
¶
There is no documentation for this package.
Source Files
Click to show internal directories.
Click to hide internal directories.