Kubescape is an open-source platform that provides risk analysis and deepest security for DevOps consulting service Kubernetes. Kubespace with Code Repository & Container Image Registry Scanning for Kubernetes helps vulnerability scanning be easier. ARMO, the developer of Kubescape, added code repository scanning and container image registry scanning for the vulnerability scanning of Kubernetes.
Code repository scanning for Kubernetes
Code repository scanning analyzes the code to find the vulnerabilities and misconfiguration of the code. A security threat is a vulnerability that can happen from the beginning. So code repository scanning is done to scan YAML files and Helm charts from the early stage of the Software Development Life Cycle. Let’s go through the code repository scanning for Kubernetes. For that prerequisites are:
- Kubescape CLI installed
- GitHub account
- Helm chart or YAML file
You can scan your specific directory with Helm chart or YAML file using the command Kubescape scan. To see the result in the Kubescape UI you have to use the flag –account with the Kubescape ID.
kubescape scan https://github.com/AdminTurnedDevOps/PearsonCourses/tree/main/Helm-Charts-For-Kubernetes/Segment3/nginxupdate –submit –account your_kubescape_account_id
An example of a scan result is below:
You will get a detailed list of:
- Severity score and its name
- Number of failed resources
- Number of excluded resources
- All resources scan
- Percentage of risk score
After viewing the result, the next step is logging into Kubernetes UI. Then click REPOSITORIES SCAN on the left pane.
In the Repositories Scan, select the YAML file for that you want to see the result.
Now You can see the list of vulnerabilities and IDs associated with it. Scan Report for the file deployment.yaml file is given below
These are the steps of code repository scanning for vulnerabilities in Kubernetes.
Container image registry scanning
With container image registry scanning, container images are scanned directly from the registry before running or being sent to run in the cluster. The registry includes the Elastic Container Registry, Google Container Registry, Quay, and others. Container image registry scanning will detect the vulnerabilities in the early stage of development, which will prevent the vulnerabilities from reaching the deployment and production environment. Also, Kubescape scans new vulnerabilities in CI/CD pipelines after each container image creation or deployment of a container cluster. The steps of container image registry scanning are as follows.
Log into Kubernetes ID and click on REGISTRY SCANNING. Total severities can view here.
Next, you can see the vulnerabilities of each container image in a list of critical, high, medium, low, negligible, and unknown.
The end-to-end open source Kubescape made it easy for vulnerability scanning of Kubernetes with the two new scanning capabilities, code repository scanning, and container image registry scanning. Kubescape is the only single-pane-of-glass for DevOps consulting service Kubernetes to view security compliance, risk scoring, misconfigurations, image scanning, and RBAC. Both vulnerability scanning capabilities done in the early stages of development is the main benefit of these features. Kubespace with Code Repository & Container Image Registry Scanning for Kubernetes is an apt choice for security.
If you are a Kubernetes user and need more security from development to production, Metclouds technology is here for consulting.