
Initial thoughts and ideas

[Open] ckotzbauer opened this issue 2 years ago • 1 comment

Sources

  • [x] Load SBOMs from Git-Repository (previously created by sbom-operator)
  • [x] Cron-Trigger (like sbom-operator)
  • [ ] Webhook-Trigger (e.g. called from sbom-operator)

Targets

  • [x] Prometheus-Metrics (⚠️ needs more specification)
  • [ ] Messaging (How to avoid sending the same messages for found CVEs on each scan?)
  • [ ] Report generation
    • [ ] READMEs
    • [ ] Web-Report served from vulnerability-operator itself or uploaded to a destination
    • [x] JSON-Report served from vulnerability-operator itself
  • [x] PolicyReport-CRDs (maybe there's a way to include this in Kyverno's Policy-Reporter)

Scanning

  • [x] Integrate grype-golang (https://github.com/anchore/grype/blob/v0.32.0/cmd/root.go)

CVE-Filtering-Options

  • [x] Only fixed
  • [x] Severity-Threshold
  • [x] Ignorelist

Build / Security

  • [x] GoReleaser
  • [x] Release-Pipeline from https://github.com/ckotzbauer/actions-toolkit/blob/main/.github/workflows/toolkit-release-goreleaser.yml
  • [x] OIDC-signed artifacts and images via cosign
  • [x] SBOMs
  • [x] SLSA provenance
  • [x] Docker-Image from scratch

Deployment

  • [x] Plain Kubernetes-YAMLs
  • [x] Helm-Chart
  • [x] Built-in (but optional) ServiceMonitor for Prometheus-Operator CRD

ckotzbauer, Feb 02 '22 08:02
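The three CVE-Filtering-Options in the checklist above (only fixed, severity threshold, ignorelist) are easy to get subtly wrong, in particular for findings whose severity the scanner could not rate. The Go program below is an added example written for this page; it is not code from vulnerability-operator or from grype. The `Match` struct is a deliberately reduced stand-in for a grype match, the severity names and their ordering are assumed to follow grype's conventions, the `Filter`/`IDs`/`SampleMatches` functions are hypothetical, and the CVE identifiers in the sample data are constructed placeholders rather than real advisories.

```go
package main

import (
	"fmt"
	"strings"
)

// Match is a constructed, simplified stand-in for one grype vulnerability match.
// The real grype types carry far more fields; only what the three filters need is kept.
type Match struct {
	ID       string   // vulnerability identifier, e.g. CVE or GHSA
	Package  string   // affected package name
	Version  string   // installed version
	Severity string   // grype-style severity name
	FixedIn  []string // versions containing a fix; empty when none is known
}

// FilterOptions carries the three options from the checklist above.
type FilterOptions struct {
	OnlyFixed   bool     // drop matches with no known fixed version
	MinSeverity string   // lowest severity to keep; "" disables the threshold
	IgnoreList  []string // vulnerability IDs to suppress, compared case-insensitively
}

// severityRank orders the severity names grype uses (assumed here; "unknown"
// is deliberately absent so it is handled explicitly in Filter).
var severityRank = map[string]int{
	"negligible": 0,
	"low":        1,
	"medium":     2,
	"high":       3,
	"critical":   4,
}

// Filter applies the three filters and returns the matches that survive.
// An unrecognised MinSeverity is an error rather than a silent no-op,
// so a typo in a config cannot turn the threshold off.
func Filter(matches []Match, opts FilterOptions) ([]Match, error) {
	threshold := -1
	if opts.MinSeverity != "" {
		r, ok := severityRank[strings.ToLower(opts.MinSeverity)]
		if !ok {
			return nil, fmt.Errorf("unknown severity threshold %q", opts.MinSeverity)
		}
		threshold = r
	}

	ignored := make(map[string]struct{}, len(opts.IgnoreList))
	for _, id := range opts.IgnoreList {
		ignored[strings.ToUpper(id)] = struct{}{}
	}

	var kept []Match
	for _, m := range matches {
		if _, skip := ignored[strings.ToUpper(m.ID)]; skip {
			continue
		}
		if opts.OnlyFixed && len(m.FixedIn) == 0 {
			continue
		}
		if threshold >= 0 {
			// A severity the scanner could not rate is kept: dropping it silently
			// would hide findings, which is the wrong default for a security tool.
			if r, rated := severityRank[strings.ToLower(m.Severity)]; rated && r < threshold {
				continue
			}
		}
		kept = append(kept, m)
	}
	return kept, nil
}

// IDs returns the identifiers of the given matches in order.
func IDs(matches []Match) []string {
	ids := make([]string, 0, len(matches))
	for _, m := range matches {
		ids = append(ids, m.ID)
	}
	return ids
}

// SampleMatches is constructed sample data; the identifiers are placeholders,
// not real advisories.
func SampleMatches() []Match {
	return []Match{
		{ID: "CVE-2021-0001", Package: "libfoo", Version: "1.2.0", Severity: "Critical", FixedIn: []string{"1.2.3"}},
		{ID: "CVE-2021-0002", Package: "libbar", Version: "0.9.1", Severity: "Low", FixedIn: []string{"1.0.0"}},
		{ID: "CVE-2021-0003", Package: "libbaz", Version: "3.1.4", Severity: "High"},
		{ID: "CVE-2021-0004", Package: "libqux", Version: "2.2.2", Severity: "Medium", FixedIn: []string{"2.2.3"}},
		{ID: "CVE-2021-0005", Package: "libquux", Version: "0.1.0", Severity: "Unknown", FixedIn: []string{"0.1.1"}},
	}
}

func main() {
	opts := FilterOptions{OnlyFixed: true, MinSeverity: "medium", IgnoreList: []string{"cve-2021-0004"}}
	kept, err := Filter(SampleMatches(), opts)
	if err != nil {
		panic(err)
	}
	for _, m := range kept {
		fmt.Printf("%s %s %s severity=%s fixed-in=%v\n", m.ID, m.Package, m.Version, m.Severity, m.FixedIn)
	}
}
```

With the options used in `main`, the sample set reduces to CVE-2021-0001 (critical, fixable) and CVE-2021-0005 (unrated severity but fixable): the low finding falls under the threshold, the high one has no fix, and the medium one is on the ignore list. Keeping unrated severities when a threshold is active is a deliberate choice; an operator that wants them gone should do so through the ignore list, where the suppression is explicit and reviewable.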

This issue is stale because it has been open 90 days with no activity. Remove stale label with /remove-lifecycle stale or comment or this will be closed in 5 days.

github-actions[bot], Jun 08 '22 00:06