Anaïs Urlichs
Rory McCune
Note:
We can't cover all the options here. The second bit is for Trivy which has binaries for Linux MacOS and FreeBSD.
Note:
Main ground rule is for people to put phones on silent
Note:
These are the main ones to mention, I think. With Snyk as we're talking Open source we should say that whilst the CLI is open source the database/server side isn't (although it is free)
Note:
Here we'll get everyone to install Trivy, let's expect this to take a couple of minutes (~5)
trivy i ubuntu:20.04
trivy i public.ecr.aws/docker/library/ubuntu:20.04
Note:
This scan is a typical one for a base image you might be considering using. It will return a decent number of vulnerabilities and this is something we'll talk about on the next slide
trivy i --ignore-unfixed ubuntu:20.04
trivy i --ignore-unfixed public.ecr.aws/docker/library/ubuntu:20.04
Note:
This demonstrates the ignore-unfixed option which is useful in Debian and Ubuntu images to avoid showing vulnerabilities for which there is no patch. Whilst (for high security environments) these might matter, in most cases you'll just want to see things that can be fixed.
trivy image --severity HIGH,CRITICAL --vuln-type os postgres:10.6
trivy image --severity HIGH,CRITICAL --vuln-type os public.ecr.aws/docker/library/postgres:10.15
Note:
This is a good demonstration of restricting the number of vulnerabilities to be looked at by restricting to high and critical severities.
trivy image --severity HIGH,CRITICAL --vuln-type library node:10.6
trivy image --severity HIGH,CRITICAL --vuln-type library public.ecr.aws/docker/library/node:10.23-slim
Note:
We're doing this scan to show the differentiation on scanning libraries against scanning for OS vulnerabilities.
trivy repo --vuln-type library https://github.com/raesene/sycamore
Note:
This is a good example of scanning a respository, which can be done before cloning it. we'll get a good number of vulns here as this is an un-maintained rails app I wrote a while back.
git clone https://github.com/raesene/sycamore
trivy fs ./sycamore/
trivy fs ./sycamore/yarn.lock
trivy i --format json raesene/spring4shelldemo:latest
Note:
This is useful both to show the output formats, but also to show that there's a lot of additional information in the JSON output that isn't in the default table.
trivy -q i --format json raesene/spring4shelldemo:latest | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID == "CVE-2022-22965")'
Note:
This one has a couple of pieces we should explain. Firstly we're using -q
to ensure we get pure JSON out, then we're using jq
to pick out the details of a specific vulnerability. N.B. we're not using shell format for this one as it doesn't show all the text on screen and escaping the CRLFs is tricky inside a jq expression
git clone https://github.com/AnaisUrlichs/trivy-demo.git
cd trivy-demo
trivy config bad_iac/docker/
trivy config bad_iac/docker/
Note:
Here we can demonstrate how to fix one of the issues and show how that is removed from the report.
trivy config bad_iac/kubernetes/
Note:
Here we'll want to walk through the output and some of the issues
trivy config bad_iac/kubernetes/
Note:
There's several issues in this manifest that can be fixed, so we can let people choose one (or more) to resolve.
trivy config bad_iac/terraform/
Note:
We can probably skip doing a fix on this one as we've demonstrated the process with the others
trivy sbom ubuntu:20.04
*also available as Docker Desktop Extension
Note:
What we'll do here is walk through some key elements of using Trivy by extracting sections from the Action
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
security-events: write # To upload sarif files
Note:
The key elements here are that we need rights to write the package to GHCR and we need security-events write permissions to output the results of the Trivy scan
- name: Run trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
format: sarif
output: 'trivy-results.sarif'
Note:
Here there's a couple of points to emphasise. First the use of our trivy-action then the image ref which is built up from environment variables in the workflow, so it's not static and then the output format, which we'll use in the next step
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'
Note:
Here's where we upload to GitHub security picking up the sarif file from the previous step.
- name: Run Trivy in Config mode to generate SARIF
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
Note:
this is a good illustration of changing a vulnerability scan for a configuration scan, which also works for SARIF output.
Note:
We're mentioning runtime security here although we won't have time to get into it in practice (also tricky one to demonstrate) as it is relevant to production cluster security.
raesene We'll need to come up with a strategy for this, honestly not too sure of the best approach if Starboard is getting removed before kubecon
Starboard Operator.
Main Installation options
Automating human behaviour through controllers
https://www.cncf.io/wp-content/uploads/2021/07/CNCF_Operator_WhitePaper.pdf
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.15.4/deploy/static/starboard.yaml
Note:
Worth discussing here, first the variety of objects created in the manifest and also how this install method is fine for a workshop with throwaway clusters, but we'd do things differently for production.
ciskubebenchreports.aquasecurity.github.io
clustercompliancedetailreports.aquasecurity.github.io
clustercompliancereports.aquasecurity.github.io
clusterconfigauditreports.aquasecurity.github.io
configauditreports.aquasecurity.github.io
vulnerabilityreports.aquasecurity.github.io
kubectl get deployment -n starboard-system
kubectl create ns app
kubectl apply -f https://raw.githubusercontent.com/AnaisUrlichs/trivy-demo/main/manifests/kubernetes.yaml -n app
Automatically scans the containers that are used inside of your cluster.
Deployment-scoped
kubectl get vulnerabilityreports -o wide -n app
Cluster-scoped
kubectl get clustervulnerabilityreports -o wide -n app
Kubernetes configurations are checked against built-in policies
Deployment-scoped
kubectl get configauditreports -o wide -n app
Cluster-scoped
kubectl get clusterconfigauditreports -o wide -n app
Note:
https://aquasecurity.github.io/starboard/v0.15.4/configuration-auditing/built-in-policies/
Maps CIS Benchmarks against Kubernetes version
kubectl get nodes
kubectl get ciskubebenchreports -o wide
kubectl describe ciskubebenchreports/<insert report name>
Note:
One report per node, does not have access to the main nodes, only to the worker nodes.
NSA report
ClusterCompliance and ClusterComplianceDetail Report
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/main/deploy/specs/nsa-1.0.yaml
kubectl get clustercompliancereport -o wide
kubectl describe clustercompliancereport nsa
kubectl get clustercompliancedetailreport -o wide
https://github.com/armosec/kubescape
trivy config --policy ./custom-policies --namespaces user ./manifests
Repository https://github.com/AnaisUrlichs/trivy-demo
Aqua GitHub https://github.com/aquasecurity
Rory's Twitter https://twitter.com/raesene
Anais' Twitter https://twitter.com/urlichsanais