vulnerability-operator
Initial thoughts and ideas
Sources
- [x] Load SBOMs from Git-Repository (previously created from sbom-operator)
- [x] Cron-Trigger (like sbom-operator)
- [ ] Webhook-Trigger (e.g. called from sbom-operator)
Targets
- [x] Prometheus-Metrics (⚠️ needs more specification)
- [ ] Messaging (How to avoid sending the same messages for found CVEs on each scan?)
- [ ] Report generation
- [ ] READMEs
- [ ] Web-Report served from vulnerability-operator itself or uploaded to a destination
- [x] JSON-Report served from vulnerability-operator itself
- [x] PolicyReport-CRDs (maybe there's a way to include this in Kyverno's Policy-Reporter)
Scanning
- [x] Integrate grype-golang (https://github.com/anchore/grype/blob/v0.32.0/cmd/root.go)
CVE-Filtering-Options
- [x] Only fixed
- [x] Severity-Threshold
- [x] Ignorelist
Build / Security
- [x] GoReleaser
- [x] Release-Pipeline from https://github.com/ckotzbauer/actions-toolkit/blob/main/.github/workflows/toolkit-release-goreleaser.yml
- [x] OIDC-signed artifacts and images via cosign
- [x] SBOMs
- [x] SLSA provenance
- [x] Docker-Image from scratch
Deployment
- [x] Plain Kubernetes-YAMLs
- [x] Helm-Chart
- [x] Built-in (but optional) ServiceMonitor for Prometheus-Operator CRD
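The three CVE-Filtering-Options above (only fixed, severity threshold, ignorelist) and the open question under Messaging (not re-sending the same CVE on every scan) can both be shown in a few dozen lines. The following is an added example written for this page, not code from vulnerability-operator or grype: the `Match` struct is a constructed stand-in for a scanner finding, the CVE IDs are placeholders, and the fingerprint-based dedup is one assumed approach to the messaging question rather than the project's chosen design.

```go
package main

import (
	"fmt"
	"strings"
)

// Match is a constructed stand-in for one scanner finding (not grype's type);
// only the fields the three filters need are kept.
type Match struct {
	ID       string // vulnerability identifier
	Package  string
	Version  string
	Severity string // Critical, High, Medium, Low, Negligible or Unknown
	FixedIn  string // first fixed version; empty when no fix is known
}

// FilterOptions holds the three options from the checklist.
type FilterOptions struct {
	OnlyFixed         bool     // drop findings with no known fix
	SeverityThreshold string   // drop findings below this severity
	Ignorelist        []string // vulnerability IDs to drop (case-insensitive)
}

// severityRank makes the threshold comparable. Unknown ranks lowest, so any
// threshold above Unknown drops it; a cautious setup may prefer to keep it.
var severityRank = map[string]int{
	"unknown": 0, "negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5,
}

func rank(severity string) int {
	return severityRank[strings.ToLower(strings.TrimSpace(severity))]
}

// Filter applies ignorelist, only-fixed and severity threshold in that order
// and returns the surviving matches in input order.
func Filter(matches []Match, opts FilterOptions) []Match {
	ignored := make(map[string]struct{}, len(opts.Ignorelist))
	for _, id := range opts.Ignorelist {
		ignored[strings.ToUpper(strings.TrimSpace(id))] = struct{}{}
	}
	threshold := rank(opts.SeverityThreshold)
	var kept []Match
	for _, m := range matches {
		if _, skip := ignored[strings.ToUpper(m.ID)]; skip {
			continue
		}
		if opts.OnlyFixed && m.FixedIn == "" {
			continue
		}
		if rank(m.Severity) < threshold {
			continue
		}
		kept = append(kept, m)
	}
	return kept
}

// Fingerprint identifies a finding stably across scans. Persisting the set of
// fingerprints already reported is one way (assumed here) to notify only once.
func Fingerprint(image string, m Match) string {
	return strings.Join([]string{image, m.Package, m.Version, m.ID}, "|")
}

// NewSince returns matches not yet in seen and records them there, so the
// next scan reports only findings that are actually new.
func NewSince(image string, matches []Match, seen map[string]struct{}) []Match {
	var fresh []Match
	for _, m := range matches {
		fp := Fingerprint(image, m)
		if _, ok := seen[fp]; ok {
			continue
		}
		seen[fp] = struct{}{}
		fresh = append(fresh, m)
	}
	return fresh
}

// SampleMatches is constructed input with placeholder IDs, not real scan output.
var SampleMatches = []Match{
	{ID: "CVE-0000-0001", Package: "liba", Version: "1.0", Severity: "Critical", FixedIn: "1.1"},
	{ID: "CVE-0000-0002", Package: "libb", Version: "2.0", Severity: "Low", FixedIn: ""},
	{ID: "CVE-0000-0003", Package: "libc", Version: "3.0", Severity: "High", FixedIn: ""},
	{ID: "CVE-0000-0004", Package: "libd", Version: "4.0", Severity: "Medium", FixedIn: "4.1"},
	{ID: "CVE-0000-0005", Package: "libe", Version: "5.0", Severity: "Unknown", FixedIn: "5.1"},
	{ID: "CVE-0000-0006", Package: "libf", Version: "6.0", Severity: "High", FixedIn: "6.2"},
}

// SampleOptions: only fixed, at least Medium, CVE-0000-0004 accepted as known.
var SampleOptions = FilterOptions{OnlyFixed: true, SeverityThreshold: "medium", Ignorelist: []string{"cve-0000-0004"}}

func main() {
	image := "registry.example/app:1.0"
	kept := Filter(SampleMatches, SampleOptions)
	seen := map[string]struct{}{Fingerprint(image, kept[0]): {}} // pretend one was already sent
	for _, m := range NewSince(image, kept, seen) {
		fmt.Printf("new: %s %s@%s %s fixed in %s\n", m.ID, m.Package, m.Version, m.Severity, m.FixedIn)
	}
}
```

With the sample options only CVE-0000-0001 and CVE-0000-0006 survive the filter, and because the first is already in `seen`, only CVE-0000-0006 would be messaged; a second run with the same `seen` set reports nothing. For an operator the `seen` set would have to live somewhere that outlasts a pod restart (a ConfigMap, a CRD status field or the Git repository the SBOMs come from) for the dedup to hold.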
This issue is stale because it has been open 90 days with no activity. Remove stale label with /remove-lifecycle stale or comment or this will be closed in 5 days.