* Refactoring of switch to if statement
* Edited the core/pkg/score/score.go
Signed-off-by: Dipankar Das <dipankardas0115@gmail.com>
* Changes to function comments
* core/pkg/registryadaptors/registryvulnerabilities/interfaces.go
Signed-off-by: Dipankar Das <dipankardas0115@gmail.com>
Signed-off-by: Dipankar Das <dipankardas0115@gmail.com>
* feat: unify severity threshold into one CLI flag
Before this commit, severity threshold flags were separated by severity.
This commit unifies these thresholds into one flag that forces Kubescape
to terminate with an exit code 1 if there was at least one failed
control at the specified severity threshold or above.
* chore: update opa utils version
* chore: update opa-utils in httphandler
* feat: don't enforce severity by default
Previous iteration of supporting the severity threshold enforced it even
if the severity threshold was not explicitly specified.
This change enforces the severity threshold only if it has been
explicitly set.
* refactor: clarify flagValidationFramework func name
This change clarifies the meaning of the function that validates the
scan info for the `scan framework` command.
It achieves this by renaming the `flagValidationFramework` function to
`validateFrameworkScanInfo`.
* Scan Kustomize Files
* update 'scan Kustomize Directory' documentation in Readme.md
* go get
* go get inside httphandler
* SourceTypeKustomizeDirectory
* Added Scan for Kustomization File
Co-authored-by: David Wertenteil <dwertent@armosec.io>
* add flag validation for --account-id (#605)
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
* add flag validation for --client-id & --secret-key
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
* Validation method should be a member function
* Adding unit tests for credentials validate
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
Co-authored-by: David Wertenteil <dwertent@armosec.io>
* feat: fail on exceeding severity thresholds (#830)
- Add support for severity counters
- Add support for CLI flags that set severity thresholds
- Terminate Kubescape with an exit code 1 if scan results exceed the
severity thresholds
* Update opa-utils pkg version
Co-authored-by: Vlad Klokun <vladklokun@users.noreply.github.com>
* grammar error fixer in CONTRIBUTING.md
* scanning private git repository is available
* giturl to gitapi
* NO TOKEN error functionality added
* Used GetToken method of giturl.IGitAPPI for auth
Co-authored-by: satyam kale <satyamkale271@gmail.com>
Co-authored-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>
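As an illustration of the severity-threshold semantics the commit message describes (a single flag, exit code 1 when at least one failed control is at or above the threshold, no enforcement when the flag is not set), here is a small Go sketch added by the editor; it is not Kubescape's own code, and the severity names, their order, and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity levels from least to most severe. The set and order are an
// assumption of this example, not taken from Kubescape's source.
var severityRank = map[string]int{
	"low":      1,
	"medium":   2,
	"high":     3,
	"critical": 4,
}

// ParseThreshold validates the single threshold flag value. An empty value
// means the flag was not explicitly set, so nothing will be enforced.
func ParseThreshold(flag string) (rank int, set bool, err error) {
	if flag == "" {
		return 0, false, nil
	}
	r, ok := severityRank[strings.ToLower(flag)]
	if !ok {
		return 0, false, fmt.Errorf("unknown severity %q", flag)
	}
	return r, true, nil
}

// ExitCode returns 1 when at least one failed control (counted per severity
// in failed) is at or above the threshold, 0 otherwise; an unset threshold
// never fails the scan.
func ExitCode(failed map[string]int, threshold int, set bool) int {
	if !set {
		return 0
	}
	for sev, n := range failed {
		if n > 0 && severityRank[strings.ToLower(sev)] >= threshold {
			return 1
		}
	}
	return 0
}

func main() {
	failed := map[string]int{"medium": 2, "high": 1} // constructed sample
	rank, set, _ := ParseThreshold("high")
	fmt.Println(ExitCode(failed, rank, set)) // prints 1
}
```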
@@ -389,7 +389,7 @@ View Kubescape scan results directly in [Lens IDE](https://k8slens.dev/) using k
* Apply changes you wish to make to the kubescape directory using text editors like `Vim`.
* [Build on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
* Now, you can use Kubescape just like a normal user. Instead of using `kubescape`, use `./kubescape`. (Make sure you are inside kubescape directory because the command will execute the binary named `kubescape` in `kubescape directory`.
* Now, you can use Kubescape just like a normal user. Instead of using `kubescape`, use `./kubescape`. (Make sure you are inside kubescape directory because the command will execute the binary named `kubescape` in `kubescape directory`)
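Review bot: the replacement line adds the missing closing parenthesis, which is the right fix, but the parenthetical still sets `kubescape directory` in backticks as though it were a literal path. Suggest: `(Make sure you are inside the kubescape directory, because the command executes the binary named `kubescape` in that directory.)`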
logger.L().Warning("failed to collect image vulnerabilities",helpers.Error(err))
cautils.SetInfoMapForResources(fmt.Sprintf("failed to pull image scanning data: %s. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities",err.Error()),imgVulnResources,sessionObj.InfoMap)
cautils.SetInfoMapForResources("image scanning is not configured. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities",imgVulnResources,sessionObj.InfoMap)
cautils.SetInfoMapForResources("enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor",hostResources,sessionObj.InfoMap)
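Review bot: none of the four calls has a space after the commas between arguments (`"...",helpers.Error(err))`), which `gofmt` would rewrite; run gofmt before merging. The three info-map messages also spell the same phrase inconsistently (`for more information` in the image-scanning lines, `For more information` in the host-sensor line), so pick one form. Since the first message interpolates `err.Error()` straight into text stored in the info map, it is worth checking that the wrapped error cannot carry details (tokens, full request URLs) that should not reach whoever reads the scan output.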
Kubescape roadmap items are labeled based on where the feature is used and by their maturity.
The features serve different stages of the workflow of the users:
* **Development phase** (writing Kubernetes manifests) - example: The VS Code extension is used while editing YAMLs.
* **CI phase** (integrating manifests to GIT repo) - example: GitHub action validating HELM charts on PRs.
* **CD phase** (deploying applications in Kubernetes) - example: running a cluster scan after a new deployment.
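Review bot: style: `GIT` and `HELM` in the CI and CD bullets are proper names, not acronyms; write them as `Git` and `Helm` while the roadmap wording is being revised in this PR.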
@@ -19,49 +20,77 @@ The items in the Kubescape roadmap are split into 3 major groups based on the fe
## Planning 👷
* ##### Storing scan results in cluster
We want Kubescape scan results (both cluster and image scan) to be stored in the cluster locally as `CRD`s. This will enable easier integration with results by other projects as well as with scripting via `kubectl`. This will also make image scan based controls to avoid accessing external resources for image vulnerability scan results.
* ### Storing scan results in cluster
We want the Kubescape scan results (both cluster and image scan) to be stored in the cluster locally as `CRD`s. This will lead to an easier integration with results by other projects as well as with scripting via `kubectl`. Along with this, the image scan based controls will be able to avoid accessing external resources for image vulnerability scan results.
* ### Vulnerability prioritization based on workload file activity
* ##### Vulnerability prioritization based on workload file activity
Implementing an eBPF agent (based on Falco or Tracee) which tracks file activity in workloads to prioritize container image vulnerabilities.
* ##### Prioritization engine using MITRE Attack matrix based attack chains
* ### Prioritization engine using MITRE Attack matrix based attack chains
Create a security issue prioritization engine that scores resources based on control based attack chains. All Kubescape controls can be arranged into attack categories of the MITRE Attack matrix. The Attack matrix categories can be connected to each other based on a theoretical attack (ie. you can't have privilege escalation without initial access). Each of the Kubescape controls is to be categorized in these system and Kubescape will calculate a priority score based on the interconnections between failed controls.
* ##### Integration with image registries
* ### Integration with image registries
We want to expand Kubescape to integrate with different image registries and read image vulnerability information from there. This will allow Kubescape to give contextual security information about vulnerabilities. Container registry integration.
* ##### Kubescape CLI control over cluster operations
* ### Kubescape CLI control over cluster operations
Add functionality to Kubescape CLI to trigger operations in Kubescape cluster components (example: trigger image scans, etc.)
* ##### Git integration for pull requests
* ### Git integration for pull requests
Create insightful GitHub actions for Kubescape.
## Backlog 📅
* ##### JSON path for HELM charts
* ### JSON path for HELM charts
Today, Kubescape can point to issues in the Kubernetes object. We want to develop this feature so Kubescape will be able to point to the misconfigured source file (HELM).
* ##### Create Kubescape HELM plugin
* ### Create Kubescape HELM plugin
Producing scan results in the context of HELM.
* ##### Kubescape based admission controller
* ### Kubescape based admission controller
Implement admission controller API for Kubescape microservice to enable users to use Kubescape rules as policies.
## Wishlist 💭
* ##### Integrate with other Kubernetes CLI tools
* ### Integrate with other Kubernetes CLI tools
Use Kubescape as a YAML validator for `kubectl` and others.
* ##### Kubernetes audit log integration
* ### Kubernetes audit log integration
Connect Kubescape to the audit log stream to enable it to produce more contextual security information based on how the API service is used.
* ##### TUI for Kubescape
* ### TUI for Kubescape
Interactive terminal based user interface which helps to analyze and fix issues.
* ##### Scanning images with GO for vulnerabilities
* ### Scanning images with GO for vulnerabilities
Images scanners cannot determine which packages were used to build Go executables and we want to scan them for vulnerabilities.
* ##### Scanning Dockerfile-s for security best practices
* ### Scanning Dockerfile-s for security best practices
Scan image or Dockerfile to determine whether it is using security best practices (like root containers).
* ##### Custom controls and rules
* ### Custom controls and rules
Enable users to define their own Rego base rules.
* ##### More CI/CD tool integration
* ### More CI/CD tool integration
Jenkins and etc. 😀
## Completed features 🎓
* Kubelet configuration validation
* API server configuration validation
* Image vulnerability scanning based controls
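Review bot: the heading level inside the bullets changes from `#####` to `###`, which is a reasonable rendering choice, but several wording problems in the same items are carried over unchanged and are worth fixing in this pass: `ie.` should be `i.e.` and `these system` should be `this system` in the MITRE item, `MITRE Attack matrix` is normally written `MITRE ATT&CK matrix`, `Images scanners` should be `Image scanners`, `Dockerfile-s` should be `Dockerfiles`, and `Rego base rules` should be `Rego-based rules`. The rewritten `Storing scan results in cluster` paragraph reads better than the old one; the `Integration with image registries` item still ends with the dangling fragment `Container registry integration.`, which can be dropped.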