Vulnerability-exporter - A Prometheus Exporter for managing vulnerabilities in kubernetes by using trivy

Overview

Kubernetes Vulnerability Exporter


Abstract

! This project is under development.

Vulnerability exporter scans the container images and the nodes of a Kubernetes cluster with trivy and exports the vulnerabilities it finds as Prometheus metrics.

Inspired by kube-trivy-exporter.

Image Scan

Image Scan scans the container images of workloads deployed in Kubernetes for vulnerabilities and exposes one sample per finding, labelled with the workload, image, layer, package and CVE:

trivy_image_vulnerabilities{namespace="argocd",fixedVersion="0.3.3",image="ghcr.io/dexidp/dex:v2.27.0",installedVersion="v0.3.2",layer="sha256:d8d076827e5aadd843d9da261228639f575be6e840b463e99381e6d861be90fc",pkgName="golang.org/x/text",severity="HIGH",vulnerabilityId="CVE-2020-14040",workloadKind="Deployment",workloadName="argocd-dex-server"}

View metrics by using Grafana (screenshot: image_scan_metrics)

Node Scan

Node Scan scans the nodes of the Kubernetes cluster for vulnerabilities and exposes one sample per finding, labelled with the node, package and CVE:

trivy_node_vulnerabilities{fixedVersion="0.12.3",installedVersion="0.12.2",nodeName="master-node",pkgName="Flask",severity="HIGH",vulnerabilityId="CVE-2018-1000656"}

View metrics by using Grafana (screenshot: node_scan_metrics)
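As an added example, not the project's own code, the following standard-library Go sketch shows the image-scan step behind the metric above: it parses a trivy JSON report (field names assumed from trivy's JSON output format), renders trivy_image_vulnerabilities lines carrying the same labels as the README's sample, and escapes every label value so that scanner-controlled strings such as package names cannot break or forge a line in the exposition output. The report and the layer digest are constructed test data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of trivy's JSON report (field names assumed from trivy's output format).
type trivyReport struct {
	Results []struct {
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
			Severity         string `json:"Severity"`
			Layer            struct{ Digest string `json:"Digest"` } `json:"Layer"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// escapeLabel applies Prometheus exposition-format escaping (backslash, quote, newline)
// so a value taken from scanner output cannot terminate or inject a metric line.
func escapeLabel(v string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace(v)
}

// ImageMetricLines turns a trivy report for one image into trivy_image_vulnerabilities
// samples with the label set used in the README; report order is preserved.
func ImageMetricLines(report []byte, ns, kind, name, image string) ([]string, error) {
	var rep trivyReport
	if err := json.Unmarshal(report, &rep); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	var lines []string
	for _, res := range rep.Results {
		for _, v := range res.Vulnerabilities {
			lines = append(lines, fmt.Sprintf(`trivy_image_vulnerabilities{namespace="%s",fixedVersion="%s",image="%s",installedVersion="%s",layer="%s",pkgName="%s",severity="%s",vulnerabilityId="%s",workloadKind="%s",workloadName="%s"} 1`,
				escapeLabel(ns), escapeLabel(v.FixedVersion), escapeLabel(image), escapeLabel(v.InstalledVersion),
				escapeLabel(v.Layer.Digest), escapeLabel(v.PkgName), escapeLabel(v.Severity),
				escapeLabel(v.VulnerabilityID), escapeLabel(kind), escapeLabel(name)))
		}
	}
	return lines, nil
}

// SampleReport is constructed: the README's finding plus one with a quote in its package name.
const SampleReport = `{"Results":[{"Target":"ghcr.io/dexidp/dex:v2.27.0","Vulnerabilities":[
{"VulnerabilityID":"CVE-2020-14040","PkgName":"golang.org/x/text","InstalledVersion":"v0.3.2","FixedVersion":"0.3.3","Severity":"HIGH","Layer":{"Digest":"sha256:constructed"}},
{"VulnerabilityID":"CVE-0000-0000","PkgName":"odd\"name","InstalledVersion":"1.0","FixedVersion":"","Severity":"LOW","Layer":{"Digest":"sha256:constructed"}}]}]}`

func main() {
	lines, err := ImageMetricLines([]byte(SampleReport), "argocd", "Deployment", "argocd-dex-server", "ghcr.io/dexidp/dex:v2.27.0")
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(lines, "\n"))
}
```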

Installation

$ kubectl apply -k deploy
Comments
  • Bug: Cannot scan images in cluster

    While testing your promising project, I got multiple issues with image scanning manifesting themselves with a log message as follows:

    W0125 13:00:47.694272       1 image.go:112] failed to scan image(quay.io/prometheus/alertmanager:v0.23.0): failed to execute trivy image: exit status 1: 2022-01-25T13:00:47.692Z	FATAL	scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded
    

    This is happening for all containers.

    The application was installed using manifests in deploy directory but in a different namespace. All namespace-related settings were amended.

    I can provide more info if needed, just tell me what you need :)

    opened by paulfantom 4
  • Not working with Bottlerocket OS / containerd runtime

    Hi,

    I have tested it on AWS EKS and Bottlerocket OS, and it is not working:

    I0203 07:15:50.989758 1 root.go:80] Start vulnerability-exporter
    W0203 07:16:23.033610 1 image.go:124] failed to scan image(602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.1): failed to execute trivy image: exit status 1: 2022-02-03T07:16:22.986Z FATAL
    * unable to inspect the image (602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.1): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
    * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory

    Bottlerocket uses containerd, not the docker runtime.

    Versions:

    EKS: v1.21.5-eks-bc4871b AMI: bottlerocket-aws-k8s-1.21-x86_64-v1.5.2-1602f3a8 Image: ghcr.io/hnts/vulnerability-exporter:v0.1.1

    opened by albertschwarzkopf 2
  • Trivy scanner detects critical vulnerability

    Please fix: github.com/containerd/containerd

    ghcr.io/hnts/[email protected]:0f5de554a9fd29f5293206bbdf4a755d7bdfcb2936e7afc3ca703de2f9426037 (alpine 3.15.0)
    ================================================================================================================================================
    Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    
    
    bin/vulnerability-exporter (gobinary)
    =====================================
    Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    
    
    usr/local/bin/trivy (gobinary)
    ==============================
    Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
    
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    |               LIBRARY                | VULNERABILITY ID | SEVERITY |          INSTALLED VERSION           | FIXED VERSION |                 TITLE                 |
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    | github.com/containerd/containerd     | CVE-2021-43816   | CRITICAL | v1.5.8                               | 1.5.9         | containerd: Unprivileged pod          |
    |                                      |                  |          |                                      |               | may bind mount any privileged         |
    |                                      |                  |          |                                      |               | regular file on disk...               |
    |                                      |                  |          |                                      |               | -->avd.aquasec.com/nvd/cve-2021-43816 |
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    | github.com/opencontainers/image-spec | GMS-2021-101     | UNKNOWN  | v1.0.2-0.20190823105129-775207bd45b6 | 1.0.2         | Clarify `mediaType` handling          |
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    
    opened by MrRedHead 0
Releases(v0.1.1)