kubescape/cmd/patch
Anubhav Gupta 53f5667694 fix patch command logic
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
2023-09-01 09:43:09 +05:30

Patch Command

The patch command patches container images that have known vulnerabilities in their OS packages.
Under the hood it uses copa and BuildKit to apply the package updates, and grype (at the moment) as the scanning engine that finds the vulnerabilities before patching and re-scans the result afterwards.

Usage

kubescape patch --image <image-name> [flags]

The patch command can be run in two ways:

  1. With root privileges, against a buildkitd listening on its default unix socket

    The default address (unix:///run/buildkit/buildkitd.sock) is normally accessible only to root, so both the daemon and the patch command run under sudo. Start buildkitd if it is not already running:

    sudo buildkitd &
    sudo kubescape patch --image <image-name>

  2. Without sudo privileges, against a buildkitd running in a container

    The BuildKit container must run with --privileged, and anyone who can talk to the Docker daemon is effectively root on the host, so this option avoids the sudo prompt rather than the privilege itself. buildkitd has no authentication of its own: keep the published port bound to 127.0.0.1 as shown, and point the client at that loopback address (the daemon listens on 0.0.0.0 only inside the container's network namespace).

     export BUILDKIT_VERSION=v0.11.4
     export BUILDKIT_PORT=8888

     docker run \
         --detach \
         --rm \
         --privileged \
         -p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
         --name buildkitd \
         --entrypoint buildkitd \
         "moby/buildkit:$BUILDKIT_VERSION" \
         --addr tcp://0.0.0.0:$BUILDKIT_PORT

     kubescape patch \
         -i <image-name> \
         -a tcp://127.0.0.1:$BUILDKIT_PORT


Flags

Flag             Description                                                    Required  Default
-i, --image      Image name to be patched (should be in canonical form,         Yes
                 e.g. docker.io/library/nginx:1.22)
-r, --report     Generate reports of the image scan before and after patching   No        false
-a, --addr       Address of the buildkitd service                               No        unix:///run/buildkit/buildkitd.sock
-t, --tag        Tag of the resultant patched image                             No        <original tag>-patched (nginx:1.22 becomes nginx:1.22-patched)
--timeout        Timeout for the patching process                               No        5m
-u, --username   Username for the image registry login                          No
-p, --password   Password for the image registry login                          No
-h, --help       Help for patch                                                 No

Note: a password passed with -p is visible in shell history and, while the command runs, in the process list of other local users. Where the registry supports it, use a short-lived token rather than a long-lived account password.

Example

This section walks through the patch command using the nginx image.

Pre-requisites

  • The Docker daemon must be installed and running.
  • The BuildKit daemon (buildkitd) must be installed.

Steps

  1. Run buildkitd service:

    sudo buildkitd
    
  2. In a separate terminal, run the kubescape patch command:

    sudo kubescape patch --image docker.io/library/nginx:1.22
    
  3. The output will be similar to:

    [info] Scanning image...
    [success] Scanned image successfully
    [info] Patching image...
    ...<logs>
    [success] Patched image successfully
    [info] Re-scanning image...
    [success] Re-scanned image successfully
    [info] Preparing results ...
    
    Vulnerability summary:
    Image: docker.io/library/nginx:1.22
      * Total CVE's  : 175
      * Fixable CVE's: 23
    
    Image: docker.io/library/nginx:1.22-patched
       * Total CVE's  : 152
       * Fixable CVE's: 0
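
The following wrapper is an added example and is not code from kubescape or copa. It carries out option 2 of the usage section (buildkitd in a container, port published on loopback only) around the nginx procedure above, waits for the daemon to answer, runs kubescape patch, and then reads the printed vulnerability summary so that a CI job fails when the patched image still has fixable CVEs. The container name buildkitd-ks, the 30-second readiness wait, the 10m timeout and the exit-code gate are this example's own choices, not kubescape behaviour; the only kubescape flags used are -i, -a and --timeout from the table above, and the summary text embedded at the end is copied from the nginx output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from kubescape or copa: wraps option 2 of the usage
# section (buildkitd in a container) around `kubescape patch` and turns the
# printed vulnerability summary into an exit code for CI.
# Assumptions (this example's choices): the container name buildkitd-ks, a
# 30 s readiness wait, a 10m patch timeout, and that the image is referenced
# by tag so the patched image is <image>-patched (kubescape's documented default).
set -eu

BUILDKIT_VERSION="${BUILDKIT_VERSION:-v0.11.4}"
BUILDKIT_PORT="${BUILDKIT_PORT:-8888}"
BUILDKITD_NAME="buildkitd-ks"

# Read `kubescape patch` output on stdin and print the "Fixable CVE's" count
# reported for image $1 (prints nothing if that image has no summary block).
fixable_cves() {
  awk -v img="$1" '
    $1 == "Image:" { cur = $2; next }      # remember which image the next lines describe
    cur == img && /Fixable CVE/ { sub(/.*:[ \t]*/, ""); print; exit }
  '
}

# Succeed only if image $1 appears in the summary on stdin with zero fixable CVEs.
gate_on_fixable() {
  n="$(fixable_cves "$1")"
  [ -n "$n" ] && [ "$n" -eq 0 ]
}

start_buildkitd() {
  # Publish the port on loopback only: buildkitd has no authentication and the
  # container is --privileged, so whoever reaches this port is root-equivalent.
  docker run --detach --rm --privileged \
    -p "127.0.0.1:${BUILDKIT_PORT}:${BUILDKIT_PORT}/tcp" \
    --name "$BUILDKITD_NAME" --entrypoint buildkitd \
    "moby/buildkit:${BUILDKIT_VERSION}" --addr "tcp://0.0.0.0:${BUILDKIT_PORT}" >/dev/null
  # buildctl ships in the same image; poll it until the daemon answers.
  i=0
  until docker exec "$BUILDKITD_NAME" buildctl \
        --addr "tcp://127.0.0.1:${BUILDKIT_PORT}" debug workers >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "buildkitd did not become ready" >&2; return 1; }
    sleep 1
  done
}

stop_buildkitd() { docker rm -f "$BUILDKITD_NAME" >/dev/null 2>&1 || true; }

# Patch image $1 and return non-zero if the patched image still has fixable CVEs.
patch_and_gate() {
  image="$1"
  out="$(mktemp)"
  trap 'stop_buildkitd; rm -f "$out"' EXIT
  start_buildkitd
  # Capture stdout and stderr to a file: the summary is parsed from it, and the
  # command's own exit status is checked before the gate runs.
  if ! kubescape patch -i "$image" -a "tcp://127.0.0.1:${BUILDKIT_PORT}" \
        --timeout 10m >"$out" 2>&1; then
    cat "$out" >&2
    echo "kubescape patch failed" >&2
    return 1
  fi
  cat "$out"
  if gate_on_fixable "${image}-patched" <"$out"; then
    echo "OK: ${image}-patched has no fixable CVEs"
  else
    echo "FAIL: ${image}-patched still has fixable CVEs" >&2
    return 1
  fi
}

# Constructed sample: the summary block from the nginx example above, so the
# parser can be exercised without Docker, buildkitd or a registry.
SAMPLE_OUTPUT=$(cat <<'EOF'
[info] Preparing results ...

Vulnerability summary:
Image: docker.io/library/nginx:1.22
  * Total CVE's  : 175
  * Fixable CVE's: 23

Image: docker.io/library/nginx:1.22-patched
   * Total CVE's  : 152
   * Fixable CVE's: 0
EOF
)

# Usage: sh patch-gate.sh docker.io/library/nginx:1.22
if [ "$#" -gt 0 ]; then
  patch_and_gate "$1"
fi
```

Run it as `sh patch-gate.sh docker.io/library/nginx:1.22`; with no argument it only defines the functions. The gate reads the count for the patched image rather than the original, so an image that kubescape could not patch at all (no summary block for `<image>-patched`) also fails, and the trap removes the buildkitd container whether or not patching succeeded.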
    
    

Limitations

  • The patch command can only fix OS-level vulnerabilities, that is, vulnerabilities in packages installed through the distribution's package manager. It cannot fix application-level vulnerabilities (libraries bundled into the application itself). This is inherited from copa, and it is a design decision rather than a shortcoming: application-level vulnerabilities are best fixed by the application's developers, who own those dependencies. In the nginx example above, the 152 CVEs that remain after patching are those for which grype reports no available fix, which copa cannot address.
  • No support for Windows containers, given the dependency on BuildKit.