A standalone exporter for vulnerability reports and other CRs created by Starboard.

Overview

starboard-exporter

Exposes Prometheus metrics from Starboard's VulnerabilityReport custom resources (CRs).

Metrics

This exporter exposes two types of metrics:

Summary

A summary series exposes the count of CVEs of each severity reported in a given VulnerabilityReport. For example:

starboard_exporter_vulnerabilityreport_image_vulnerability_severity_count{
    image_digest="",
    image_namespace="demo",
    image_repository="giantswarm/starboard-operator",
    image_tag="0.11.0",
    report_name="replicaset-starboard-app-6894945788-starboard-app",
    severity="MEDIUM"
    } 4

This indicates that the giantswarm/starboard-operator image in the demo namespace contains 4 medium-severity vulnerabilities.

Detail / Vulnerability

A detail or vulnerability series exposes fields from each instance of an Aqua Vulnerability. The value of the metric is the Score for the vulnerability. For example:

starboard_exporter_vulnerabilityreport_image_vulnerability{
    fixed_resource_version="1.1.1l-r0",
    image_digest="",
    image_namespace="demo",
    image_repository="giantswarm/starboard-operator",
    image_tag="0.11.0",
    installed_resource_version="1.1.1k-r0",
    report_name="replicaset-starboard-app-6894945788-starboard-app",
    severity="HIGH",
    vulnerability_id="CVE-2021-3712",
    vulnerability_link="https://avd.aquasec.com/nvd/cve-2021-3712",
    vulnerability_title="openssl: Read buffer overruns processing ASN.1 strings",
    vulnerable_resource_name="libssl1.1"
    } 7.4

This indicates that the vulnerability with the id CVE-2021-3712 was found in the giantswarm/starboard-operator image in the demo namespace, and it has a CVSS 3.x score of 7.4.

An additional series would be exposed for every combination of those labels.

A Note on Cardinality

For some use cases, it is helpful to export additional fields from VulnerabilityReport CRs. However, because many fields contain unbounded arbitrary data, including them in Prometheus metrics can lead to extremely high cardinality. This can drastically impact Prometheus performance. For this reason, we only expose summary data by default and allow users to opt-in to higher-cardinality fields.

Customization

Summary metrics of the format described above are always enabled.

To enable an additional detail series per Vulnerability, use the --target-labels flag to specify which labels should be exposed. For example:

# Expose only select image and CVE fields.
--target-labels=image_namespace,image_repository,image_tag,vulnerability_id

# Run with (almost) all fields exposed as labels, if you're feeling really wild.
--target-labels=all

Target labels can also be set via Helm values:

exporter:
  vulnerabilityReports:
    targetLabels:
      - image_namespace
      - image_repository
      - image_tag
      - vulnerability_id
      - ...
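An added example, not code from the exporter itself, that parses scrape output in the exporter's text format and shows both points made above: the per-image severity summary that is always available, and which labels on the detail series carry many distinct values (the ones that drive cardinality once passed to --target-labels). The scrape text is constructed: the example-app image, its report name and the title/package for CVE-2021-30129 are made up; the remaining ids, labels and scores are the ones quoted on this page.

```python
import re
from collections import Counter, defaultdict
SUMMARY = "starboard_exporter_vulnerabilityreport_image_vulnerability_severity_count"
DETAIL = "starboard_exporter_vulnerabilityreport_image_vulnerability"
# Constructed scrape modelled on the README's series: "example-app", its report name and the
# title/package for CVE-2021-30129 are made up; the other ids, labels and scores come from this page.
SCRAPE = """\
starboard_exporter_vulnerabilityreport_image_vulnerability_severity_count{image_namespace="demo",image_repository="giantswarm/starboard-operator",image_tag="0.11.0",report_name="replicaset-starboard-app-6894945788-starboard-app",severity="MEDIUM"} 4
starboard_exporter_vulnerabilityreport_image_vulnerability_severity_count{image_namespace="demo",image_repository="giantswarm/starboard-operator",image_tag="0.11.0",report_name="replicaset-starboard-app-6894945788-starboard-app",severity="HIGH"} 1
starboard_exporter_vulnerabilityreport_image_vulnerability_severity_count{image_namespace="demo",image_repository="giantswarm/example-app",image_tag="1.0.0",report_name="replicaset-example-app-1234567890-example-app",severity="HIGH"} 1
starboard_exporter_vulnerabilityreport_image_vulnerability{image_namespace="demo",image_repository="giantswarm/starboard-operator",image_tag="0.11.0",severity="HIGH",vulnerability_id="CVE-2021-3712",vulnerability_title="openssl: Read buffer overruns processing ASN.1 strings",vulnerable_resource_name="libssl1.1"} 7.4
starboard_exporter_vulnerabilityreport_image_vulnerability{image_namespace="demo",image_repository="giantswarm/example-app",image_tag="1.0.0",severity="HIGH",vulnerability_id="CVE-2021-30129",vulnerability_title="constructed title",vulnerable_resource_name="constructed-pkg"} 6.5
"""
LINE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)\{([^}]*)\}\s+(\S+)\s*$')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

def parse_sample(line):
    """Split one text-format sample into (metric name, label dict, float value)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a labelled sample: {line!r}")
    name, raw_labels, value = m.groups()
    # Undo the three escapes the text format allows in label values: \" \\ and \n.
    labels = {k: re.sub(r'\\(["\\n])', lambda e: {"n": "\n"}.get(e.group(1), e.group(1)), v) for k, v in LABEL_RE.findall(raw_labels)}
    return name, labels, float(value)

def samples(scrape, metric):
    """Yield (labels, value) for each sample of `metric`, skipping comment and blank lines."""
    for line in scrape.splitlines():
        if line and not line.startswith("#"):
            name, labels, value = parse_sample(line)
            if name == metric:
                yield labels, value

def severity_summary(scrape):
    """Per-image severity counts, taken from the always-on summary series."""
    out = defaultdict(Counter)
    for labels, value in samples(scrape, SUMMARY):
        image = f'{labels["image_namespace"]}/{labels["image_repository"]}:{labels["image_tag"]}'
        out[image][labels["severity"]] += int(value)
    return {k: dict(v) for k, v in out.items()}

def label_cardinality(scrape, metric):
    """Distinct series on `metric` and distinct values per label; labels with many values are the --target-labels that drive cardinality."""
    values, series = defaultdict(set), set()
    for labels, _ in samples(scrape, metric):
        series.add(tuple(sorted(labels.items())))
        for k, v in labels.items():
            values[k].add(v)
    return len(series), {k: len(v) for k, v in values.items()}
```

Point it at a real scrape (curl the exporter's /metrics) to see which labels to leave out of --target-labels before Prometheus has to store them.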
Comments
  • Feature: add other reports

    Hi,

    Is it possible to implement the other starboard reports:

    • [ ] kubehunterreports
    • [x] ciskubebenchreports https://github.com/giantswarm/starboard-exporter/pull/118
    • [x] configauditreports https://github.com/giantswarm/starboard-exporter/pull/72
    opened by albertschwarzkopf 11
  • Old metrics still visible

    I'm using the starboard feature described here https://github.com/giantswarm/starboard-exporter#one-vulnerabilityreport-per-deployment, and even though I don't see old reports anymore with kubectl CLI:

    kubectl get vulnerabilityreport -n gradle-enterprise
    NAME                                                      REPOSITORY                                               TAG        SCANNER   AGE
    replicaset-5c8b5d8449                                     gradleenterprise/gradle-enterprise-operator-image        2021.4.1   Trivy     82m
    replicaset-5cf45f8fd7                                     gradleenterprise/gradle-build-cache-node-image           2021.4.1   Trivy     82m
    replicaset-764c4bd49c                                     gradleenterprise/gradle-test-distribution-broker-image   2021.4.1   Trivy     82m
    replicaset-gradle-database-5b89d7b595-database            gradleenterprise/gradle-database-image                   2021.4.1   Trivy     82m
    replicaset-gradle-database-5b89d7b595-database-tasks      gradleenterprise/gradle-database-image                   2021.4.1   Trivy     82m
    replicaset-gradle-metrics-64c7565799-gradle-metrics       gradleenterprise/gradle-metrics-image                    2021.4.1   Trivy     82m
    statefulset-gradle-enterprise-app-gradle-enterprise-app   gradleenterprise/gradle-enterprise-app-image             2021.4.1   Trivy     148m
    statefulset-gradle-keycloak-gradle-keycloak               gradleenterprise/gradle-keycloak-image                   2021.4.1   Trivy     144m
    statefulset-gradle-proxy-gradle-proxy                     gradleenterprise/gradle-proxy-image                      2021.4.1   Trivy     150m
    

    If I go to the metrics endpoint on starboard exporter, I still see metrics like (notice the image tag version):

    starboard_exporter_vulnerabilityreport_image_vulnerability{image_namespace="gradle-enterprise",image_repository="gradleenterprise/gradle-keycloak-image",image_tag="2021.4",report_name="statefulset-gradle-keycloak-gradle-keycloak",vulnerability_id="CVE-2021-30129"} 6.5
    

    I guess this is because the report name is not unique in this case, like with replica sets?

    opened by komljen 11
  • feat: add metrics for configauditreport summary

    This PR adds support for configauditreport custom resource metrics.

    Should I move the vulnerabilityreport_*.go files to their own package vulnerabilityreport?

    I plan to do the same with the ciskubebenchreport, so any feedback is welcome!

    opened by mycodeself 7
  • Add cis benchmarks

    Checklist

    • [x] Update changelog in CHANGELOG.md.
    • [x] Make sure values.yaml and values.schema.json are valid.
    • [ ] (Giant Swarm) If creating a release, bump the version and appVersion in Chart.yaml.
    opened by fhielpos 6
  • Helm release v0.3.2 seems to be broken

    Sorry for crossposting. I opened this issue at the giantswarm-catalog repository but I do not know if this was the correct place: https://github.com/giantswarm/giantswarm-catalog/issues/22

    It seems to me that the Helm release v0.3.2 is broken because the values for the project's branch name and the commit hash are missing in the bundled release file.

    opened by elchenberg 5
  • Enhancement only store metrics from the latest vulnerabilityreports

    Today when we gather metrics it generates data from all vulnerabilityreports, and there is a vulnerabilityreport per replicaset. This makes it look like we have many more CVEs in our cluster than we actually do.

    Personally I would have loved to see this solved in starboard following discussions like https://github.com/aquasecurity/starboard/discussions/668 or https://github.com/aquasecurity/starboard/issues/17. But I don't think it's reasonable to get this solved upstream short term.

    Would you be interested in having a feature that only checks for the latest vulnerabilityreport?

    I have given this some thought and the first problem that I see is what happens if a user performs a rollback of a deployment? In that case there would still be a new rs and I assume the latest vulnerabilityreport points to that rs and not the old, actually active one. This could of course become a problem. I'm not 100% sure it actually works like this but it's something we would have to verify.

    What do you think?

    opened by NissesSenap 5
  • feat: Add starboard-exporter helm chart to ArtifactHub

    Hi GiantSwarm,

    It would be dope to have the starboard-exporter in ArtifactHub, so more people could find this awesome project!

    https://artifacthub.io/packages/search?ts_query_web=starboard-exporter&sort=relevance&page=1

    opened by dirien 4
  • Helm, remove unused config and add if statements to be able to disable a few resources

    There are a number of clusterroles that aren't needed for this controller, so I removed them. I couldn't find any kubebuilder definition of the rbac rules, so I assume they are manually created.

    I also added if statements so you can disable PSP, since it will be deprecated in 1.25 and there are already many other options to PSP. You can also disable networkpolicy now. It should definitely be on by default, but sadly there are CNIs that don't support networkpolicies.

    Removed the configmap that wasn't used and added an option to disable the usage of the pull secret.

    Checklist

    • [X] Update changelog in CHANGELOG.md.
    opened by NissesSenap 4
  • ARM images

    Hi, I like your exporter. Could you build and provide images for ARM too, please?

    Or enable affinities via values.yaml?

    E.g:

        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/os
                        operator: In
                        values:
                          - linux
                      - key: kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
    

    We have clusters with arm-based worker nodes and amd-based worker nodes.

    opened by albertschwarzkopf 3
  • Bump golang from 1.18.3 to 1.19.0

    Bumps golang from 1.18.3 to 1.19.0.

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    opened by dependabot[bot] 2
  • Enable 'starboard_exporter_vulnerabilityreport_image_vulnerability'

    By default I do not see this metric (starboard_exporter_vulnerabilityreport_image_vulnerability) exposed. Is there a way to enable it?

    I only have these two:

    starboard_exporter_configauditreport_resource_checks_summary_count
    starboard_exporter_vulnerabilityreport_image_vulnerability_severity_count

    opened by SadFaceSmith 2
  • Add improvements to Chart.yaml

    Checklist

    • [ ] Update changelog in CHANGELOG.md.
    • [ ] Make sure values.yaml and values.schema.json are valid.
    • [ ] (Giant Swarm) If creating a release, bump the version and appVersion in Chart.yaml.
    opened by fhielpos 0
Releases: v0.6.0

Owner: Giant Swarm (an open source Kubernetes-based Cloud Native Management Platform)