Comments (8)
Fun fact, I believe the original Kubeval author now actually works at Snyk :) I'm not very familiar with their free tier. How would you suggest configuring this though - failing a build if there are vulnerabilities? Running it periodically on master? Running it periodically on all published images? 🤔 I can imagine it would be quite useful to run this on the versions you are actually using, but I'd love your advice on its usage in the toolchain.
from kubeconform.
Tagged v0.6.5 btw, hope it fixes the issues.
from kubeconform.
Updated to the latest Go version supported by goreleaser (1.22.1), release coming up. Could you point me to the issues you're referencing?
from kubeconform.
Sure, I have a view via AWS Inspector since I'm putting my images in ECR and there's a lot of good summary info there that I can't provide you a link to. But I can send you some of the upstream links - they're harder to read but hopefully can provide you with some context.
CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc and 1 more
GHSA-m425-mq94-257g - google.golang.org/grpc
CVE-2022-41723 - golang.org/x/net
CVE-2023-39325 - golang.org/x/net, golang.org/x/net
Summing up the remediation steps, this should clear these:
- Update golang.org/x/net to 0.17.0
- Update google.golang.org/grpc to 1.58.3
These are all the HIGH findings associated with golang that I see. Also, I am modifying your kubeconform image a tiny bit, but I don't think that would affect these findings.
Let me know if there's anything else I can do to help.
from kubeconform.
Also, let me put in a plug for Snyk here, they have a limited-use free license and it's a fantastic tool for stuff like this. Here's a sample finding for this use case:
from kubeconform.
I haven't scanned containers in a pipeline using Snyk, but it's apparently doable. Now you have me thinking about doing this for my stuff...
from kubeconform.
I didn't really answer your question... I am currently only security scanning container images once they are pushed to a repo. In practice this is fine, we have tooling that surfaces vulnerabilities to us and we respond within an SLA based on severity. Scanning in the pipeline would catch things sooner, which is why I'm considering it now, but honestly what we have is working Good Enough.
The limitation you'll run into with Snyk is how many times you can run a type of test when using the free tier. Looks like it's 100 container tests per month, so maybe that's enough for you?
from kubeconform.
Also, TIL kubeval was started by Gareth Rushgrove! I had no idea.
from kubeconform.
Related Issues (20)
- Support Validation rules
- Private repo support?
- New release with latest Go version? HOT 2
- Missing file is never reached in openapi2jsonschema.py HOT 2
- Failing on ConfigMap empty key values? HOT 1
- GitHub Action that downloads, installs, and adds CLI tool to PATH HOT 3
- Schema for v1.26.10 is missing HOT 2
- Bug: Junit output shows top-level error count, but not error-count within a test suite HOT 1
- Schema Recognition issue in kubeconform v0.6.3 and above HOT 4
- Question: Can kubeconform report deprecated APIs? HOT 2
- Enhance schema-location to support HTTP basic authentication HOT 1
- Unable to pipe YAMLs to the kubeconform container HOT 1
- Feature request: Support skipping kind/name HOT 1
- [Bug] -skip uses first element in comma separated list only HOT 2
- Kubeconform errors out with DestinationRule, cannot find ':'
- Kubeconform does not report invalid metadata.name HOT 1
- Better/less verbose error formatting? HOT 2
- Could not find schema for HTTPRoute,GCPGatewayPolicy and HealthCheckPolicy HOT 2
- Dockerfile has deprecated `MAINTAINER` label HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubeconform.