PT-BR Version: Here
This docker image scanner walks the entire Kubernetes cluster looking for pods and runs a vulnerability scan on each pod's image.
The scan results are produced by trivy and converted to the Prometheus exposition format.
When the software starts it performs a "setup" that creates the directories it needs for operation.
After that the HTTP server is started, initially without any data (`/metrics` returns nothing).
Then the scan threads are started. As items are consumed from the internal queue, the results are stored in memory for the following steps (generating the Prometheus metrics and finding out whether the pod is reachable from the internet via an ingress).
The final step is a cleanup that removes all temporary files generated by trivy.
Finally, the script "sleeps" (the HTTP endpoints keep working) until its next execution.
After the scans have run, during consolidation, all ingresses in the cluster are queried.
Each ingress path references the service it is associated with;
from the service we find the selector that was used to create the endpoints for that service;
reading the endpoints tells us which pods are part of them.
When a pod is found in the endpoints it is marked `isPublic: true`.
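The ingress-to-pod walk described above, as an added example that is not part of the scanner's own code. It works on plain dictionaries shaped like the Kubernetes API objects (all sample objects are constructed) so it runs offline; in the real scanner they would come from the cluster API. Because the Endpoints object a Service's selector produces carries the Service's name, the example looks up endpoints by name instead of re-reading the Service. It also accepts both Ingress backend shapes (networking.k8s.io/v1 `backend.service.name` and the older `backend.serviceName`), which goes beyond what the text discusses.

```python
"""Resolve which pods are reachable through an Ingress (ingress -> service -> endpoints -> pod).

Added example, not the scanner's code. Objects are plain dicts shaped like the
Kubernetes API resources; all sample data below is constructed.
"""

# Constructed sample objects (not taken from any real cluster).
INGRESSES = [
    {
        "metadata": {"name": "web", "namespace": "shop"},
        "spec": {
            "rules": [
                {
                    "host": "shop.example.test",
                    "http": {
                        "paths": [
                            # networking.k8s.io/v1 backend shape
                            {"path": "/", "backend": {"service": {"name": "frontend", "port": {"number": 80}}}},
                            # older v1beta1 backend shape
                            {"path": "/api", "backend": {"serviceName": "api", "servicePort": 8080}},
                        ]
                    },
                }
            ]
        },
    }
]

# Endpoints objects carry the same name as the Service whose selector produced them.
ENDPOINTS = [
    {
        "metadata": {"name": "frontend", "namespace": "shop"},
        "subsets": [{"addresses": [
            {"ip": "10.0.0.11", "targetRef": {"kind": "Pod", "name": "frontend-abc", "namespace": "shop"}},
        ]}],
    },
    {
        "metadata": {"name": "api", "namespace": "shop"},
        "subsets": [{"addresses": [
            {"ip": "10.0.0.12", "targetRef": {"kind": "Pod", "name": "api-xyz", "namespace": "shop"}},
        ]}],
    },
    # A Service with no ready pods has an Endpoints object with no subsets.
    {"metadata": {"name": "idle", "namespace": "shop"}, "subsets": None},
]

PODS = [
    {"metadata": {"name": "frontend-abc", "namespace": "shop"}},
    {"metadata": {"name": "api-xyz", "namespace": "shop"}},
    {"metadata": {"name": "worker-1", "namespace": "shop"}},   # no ingress in front of it
]


def backend_service_name(path_entry):
    """Service name referenced by an Ingress path, for either API shape."""
    backend = path_entry.get("backend") or {}
    service = backend.get("service")
    if service:                          # networking.k8s.io/v1
        return service.get("name")
    return backend.get("serviceName")    # extensions/v1beta1 and networking.k8s.io/v1beta1


def pods_behind_ingresses(ingresses, endpoints_list):
    """Return {(namespace, pod_name): {"host/path", ...}} for every pod an Ingress routes to."""
    endpoints_by_key = {
        (ep["metadata"]["namespace"], ep["metadata"]["name"]): ep for ep in endpoints_list
    }
    exposed = {}
    for ingress in ingresses:
        namespace = ingress["metadata"]["namespace"]
        for rule in ingress.get("spec", {}).get("rules") or []:
            host = rule.get("host") or "*"
            for path_entry in (rule.get("http") or {}).get("paths") or []:
                service_name = backend_service_name(path_entry)
                if not service_name:
                    continue
                endpoints = endpoints_by_key.get((namespace, service_name))
                if endpoints is None:
                    continue   # dangling ingress: the service does not exist
                for subset in endpoints.get("subsets") or []:
                    for address in subset.get("addresses") or []:
                        ref = address.get("targetRef") or {}
                        if ref.get("kind") != "Pod":
                            continue   # endpoints can also point at external IPs
                        key = (ref.get("namespace", namespace), ref["name"])
                        exposed.setdefault(key, set()).add(host + (path_entry.get("path") or "/"))
    return exposed


def mark_public(pods, exposed):
    """Set the isPublic mark the README describes on each pod object."""
    for pod in pods:
        key = (pod["metadata"]["namespace"], pod["metadata"]["name"])
        pod["isPublic"] = key in exposed
    return pods


if __name__ == "__main__":
    routes = pods_behind_ingresses(INGRESSES, ENDPOINTS)
    for pod in mark_public(PODS, routes):
        key = (pod["metadata"]["namespace"], pod["metadata"]["name"])
        print(pod["metadata"]["name"], pod["isPublic"], sorted(routes.get(key, [])))
```

Only addresses whose `targetRef.kind` is `Pod` are counted, so an Endpoints object that points at external IPs does not mark any pod public, and a path whose Service has no Endpoints object is skipped rather than treated as an error.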
When a pod has an `imagePullSecrets` entry in its specification:

```yaml
imagePullSecrets:
- name: secret
```

the script reads the specified secret and looks for the `.dockerconfigjson` key. If the key is not found, an error is reported and that image is not scanned. If the secret itself is not found, the image is not scanned either.
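The secret lookup described above, as an added example that is not the scanner's own code. It reads the secret named in the pod's `imagePullSecrets`, requires the `.dockerconfigjson` key, and refuses to scan (raises) when either the secret or the key is missing. The registry-matching rules (a bare image name maps to docker.io, and the Docker Hub auth key may be spelled `https://index.docker.io/v1/`) are the usual Docker client conventions; the secrets and credentials below are constructed placeholders.

```python
"""Resolve registry credentials for an image from a Kubernetes imagePullSecret.

Added example, not the scanner's code. SECRETS and the credential values are
constructed; the real scanner would read the Secret from the cluster API.
"""
import base64
import json


class PullSecretError(Exception):
    """Raised when the image cannot be scanned because its credentials are unavailable."""


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed docker config, in the shape a kubernetes.io/dockerconfigjson secret carries.
DOCKER_CONFIG = {
    "auths": {
        "registry.example.test": {"auth": _b64("ci-bot:placeholder-token")},
        "https://index.docker.io/v1/": {"username": "hub-user", "password": "placeholder-hub-password"},
    }
}
SECRETS = {
    ("shop", "regcred"): {
        "metadata": {"name": "regcred", "namespace": "shop"},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": _b64(json.dumps(DOCKER_CONFIG))},
    },
    ("shop", "broken"): {   # wrong key: created with --from-file=config.json instead of .dockerconfigjson
        "metadata": {"name": "broken", "namespace": "shop"},
        "type": "Opaque",
        "data": {"config.json": _b64(json.dumps(DOCKER_CONFIG))},
    },
}


def registry_of(image):
    """Registry host for an image reference, following Docker's reference rules."""
    first = image.split("/", 1)[0]
    if "/" not in image or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def normalize_registry(auth_key):
    """Map an auths key such as 'https://index.docker.io/v1/' to a registry host."""
    host = auth_key.split("://", 1)[-1].rstrip("/").split("/", 1)[0]
    return "docker.io" if host in ("index.docker.io", "registry-1.docker.io") else host


def pull_secret_names(pod):
    """Secret names listed under spec.imagePullSecrets, in order."""
    return [ref["name"] for ref in pod.get("spec", {}).get("imagePullSecrets") or []]


def decode_dockerconfigjson(secret):
    """Parse the .dockerconfigjson payload; the two failure modes match the README."""
    if secret is None:
        raise PullSecretError("imagePullSecret does not exist; image will not be scanned")
    data = secret.get("data") or {}
    if ".dockerconfigjson" not in data:
        raise PullSecretError("secret has no .dockerconfigjson key; image will not be scanned")
    return json.loads(base64.b64decode(data[".dockerconfigjson"]))


def credentials_for(image, secret):
    """(username, password) for the image's registry, or None when the secret has no entry for it."""
    auths = decode_dockerconfigjson(secret).get("auths") or {}
    wanted = registry_of(image)
    for key, entry in auths.items():
        if normalize_registry(key) != wanted:
            continue
        if entry.get("auth"):   # "auth" is base64("user:password")
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
            return user, password
        return entry.get("username"), entry.get("password")
    return None


def credentials_for_pod(pod, secrets=SECRETS):
    """Walk the pod's imagePullSecrets in order and use the first one that covers the image."""
    image = pod["spec"]["containers"][0]["image"]
    namespace = pod["metadata"]["namespace"]
    for name in pull_secret_names(pod):
        creds = credentials_for(image, secrets.get((namespace, name)))
        if creds:
            return creds
    return None
```

A secret that exists but has no entry for the image's registry returns `None` (trivy would then pull anonymously), while a missing secret or a missing key raises `PullSecretError`, which is the "error reported, image not scanned" case.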
Metric name | Metric type | Labels / tags |
---|---|---|
pod_security_issue | Gauge | PodName = pod name; Namespace = pod namespace; Image = Docker image with tag; IsPublic = is the pod exposed via ingress?; BaseOS = base OS of the image; VulnerabilityID = CVE ID; PkgName = vulnerable package name; InstalledVersion = vulnerable package version; FixedVersion = package version that fixes the CVE; Severity = CVE severity |
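How the table above maps onto the `/metrics` output, as an added example that is not the scanner's own code. The report is constructed in the shape of trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); reading the base OS from `Metadata.OS` is an assumption about the report layout, with `unknown` as the fallback. The CVE identifiers are placeholders, not real advisories.

```python
"""Turn a trivy JSON report into pod_security_issue samples in the Prometheus text format.

Added example, not the scanner's code. REPORT is constructed in the shape of a
trivy JSON report; the Metadata.OS lookup is an assumption about that layout.
"""

METRIC = "pod_security_issue"
LABELS = ("PodName", "Namespace", "Image", "IsPublic", "BaseOS", "VulnerabilityID",
          "PkgName", "InstalledVersion", "FixedVersion", "Severity")

# Constructed pod record, as the scanner keeps it in memory after the ingress step.
POD = {"name": "api-xyz", "namespace": "shop",
       "image": "registry.example.test/team/api:1.2", "isPublic": True}

# Constructed report; CVE ids are placeholders. One entry is duplicated on purpose
# to exercise de-duplication, and one result has the null Vulnerabilities trivy emits when clean.
REPORT = {
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.12.1"}},
    "Results": [
        {"Target": "registry.example.test/team/api:1.2 (alpine 3.12.1)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libcrypto1.1", "InstalledVersion": "1.1.1g-r0",
              "FixedVersion": "1.1.1i-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-00002", "PkgName": "musl", "InstalledVersion": "1.1.24-r9",
              "Severity": "MEDIUM"},   # no FixedVersion yet
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libcrypto1.1", "InstalledVersion": "1.1.1g-r0",
              "FixedVersion": "1.1.1i-r0", "Severity": "HIGH"},   # constructed duplicate
         ]},
        {"Target": "app/go.sum", "Type": "gomod",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00003", "PkgName": "github.example.test/lib/parser",
              "InstalledVersion": "v1.4.0", "FixedVersion": "v1.4.2", "Severity": "CRITICAL"},
         ]},
        {"Target": "app/requirements.txt", "Type": "pip", "Vulnerabilities": None},
    ],
}


def escape_label_value(value):
    """Prometheus label values escape backslash, double quote and newline."""
    return str(value).replace("\\", "\\\\").replace("\n", "\\n").replace('"', '\\"')


def base_os(report):
    """Base OS label from Metadata.OS (assumed layout), or 'unknown'."""
    os_info = (report.get("Metadata") or {}).get("OS") or {}
    if os_info.get("Family"):
        return f"{os_info['Family']} {os_info.get('Name', '')}".strip()
    return "unknown"


def samples_from_report(pod, report):
    """One sample per distinct label set; the gauge value is always 1 (the finding exists)."""
    seen, samples = set(), []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            values = (pod["name"], pod["namespace"], pod["image"], str(pod["isPublic"]).lower(), base_os(report),
                      vuln.get("VulnerabilityID", ""), vuln.get("PkgName", ""), vuln.get("InstalledVersion", ""),
                      vuln.get("FixedVersion", ""), vuln.get("Severity", "UNKNOWN"))
            if values in seen:
                continue
            seen.add(values)
            samples.append(dict(zip(LABELS, values)))
    return samples


def render_exposition(samples):
    """Text the /metrics endpoint returns for these samples."""
    lines = [f"# HELP {METRIC} Vulnerability found by trivy in the image of a running pod.",
             f"# TYPE {METRIC} gauge"]
    for sample in samples:
        labels = ",".join(f'{name}="{escape_label_value(sample[name])}"' for name in LABELS)
        lines.append(f"{METRIC}{{{labels}}} 1")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_exposition(samples_from_report(POD, REPORT)), end="")
```

Deduplicating on the full label tuple matters because Prometheus rejects a scrape that contains the same series twice; an empty `FixedVersion` label is the signal that no fixed package exists yet.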
All parameters of this scanner are adjustable via environment variables.
Variable | Default Value | Required | Description |
---|---|---|---|
LOG_LEVEL | info | no | App log level. Supported values: info, warning, debug, fatal, critical. |
TRIVY_REPORT_DIR | /tmp/trivyreport | no | Temporary location where trivy reports will be saved |
SCAN_INTERVAL | 43200 | no | Interval in seconds between scan executions |
HTTP_PORT | 8080 | no | Port the HTTP endpoint listens on |
TRIVY_BIN_PATH | ./trivy | no | Path to the trivy binary |
To run the tests:

```sh
make tests
```

The production build is done in Google Build.
Pushing a new tag triggers a new build (the trigger pattern is `v.+`).
The Makefile uses the bumpversion utility to create the tags and push them to the git repo.
Make Option | Action |
---|---|
patch | Generates a patch version (X.Y.**Z**). |
minor | Generates a minor version (X.**Y**.Z). |
major | Generates a major version (**X**.Y.Z). |
build-dev | Local build |
- Scanning images hosted on quay.io: Quay does not support the registry API v2, so it is not possible to scan these images. The same error can occur with any other registry that does not implement API v2. See more about this error at google/go-containerregistry#377.