clair VS kube-bench

Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there.

https://github.com/quay/clair

https://github.com/anchore/grype/

Clair. Vulnerability Static Analysis for Containers.

https://github.com/quay/clair 9.4k stars, updated 17 hours ago

It scaled well compared to a naive graph abstraction implemented outside the database, but when performance wasn't great, it REALLY wasn't great. We ended up throwing it out in later versions to try and get more consistent performance.

I've since worked on SpiceDB[1] which takes the traditional design approach for graph databases and simply treating Postgres as triple-store and that scales far better. IME, if you need a graph, you probably want to use a database optimized for graph access patterns. Most general-purpose graph databases are just bags of optimizations for common traversals.

[0]: https://github.com/quay/clair

[1]: https://github.com/authzed/spicedb

Open source: Trivy, Gryp and Clair are widely used open source tools for container scanning.

Testing the image with github.com/fullhunt/log4j-scan and https://github.com/quay/clair shows no vulnerabilities

Amazon Elastic Container Registry is a fully-managed Docker container registry. It makes it easy for developers to store and manage Docker images inside their AWS environment. ECR supports two types of image scanning. Enhanced image scanning requires an integration with Amazon Inspector. It will scan your repositories continuously. Basic image scanning will use the Common Vulnerabilities and Exposures (CVEs) database (open-source Clair) to find vulnerabilities in your images. You can trigger scans on image push or manually.

Klair: Scan your containersJust like external dependencies can contain security flaws, container images also can contain outdated programs and dependencies subject to security issues. Klair is an open-source tool that can help you find outdated dependencies and security flaws in your docker images.

AWS Elastic Container Registry has been able to support the scanning of images for vulnerabilities using the open source project Clair for quite some time now. Clair is an open source project used for the static analysis of vulnerabilities in application containers (currently including OCI and Docker). Made available by AWS directly and implemented into ECR, it is a very useful feature to minimize the risk of using endangered software - and stay compliant. The scanning for vulnerabilities should be a good standard in any Dockerized scenario as public images and their heirs can contain many security risks (Top-ten-docker-images) - which might be overlooked while developing applications that are constantly changed and improved - and new versions of images are pushed to your ECR many times a day.

I use Quay and quite like it. It's a lot more flexible to deploy than Harbor. It has a web UI and connects to LDAP or OIDC. You can also add vulnerability scanning to it as well with Clair. The one downside is that it doesn't support a pull-through cache system like Harbor does (to my knowledge), though you can explicitly mirror containers from another source.

The official repository can be found here with detailed installation instructions.

kube-bench checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. We can deploy kube-bench as a Job that runs daily and consume its report in CI/CD to pass or fail the pipeline based on the level of severity.

Kube-bench, written as a Go application, is deployable as a container. Ready-made job.yaml files make it easy to run Kube-bench inside a Kubernetes cluster or on a managed Kubernetes service, such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), or OpenShift. Here's a link to Kube-Bench on Github

kube-bench - Checks whether Kubernetes is deployed securely by running CIS Kubernetes Benchmark

Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

Cluster Configuration should be audited regularly (Kube-bench, Kube-hunter, Kubestriker)

Also, I use the security tool Kube-bench that covers vulnerabilities scanning only. The Kubebench brings an additional layer to your cluster security monitoring. There are plenty of security tools available for Kubernetes.

How does it compare to https://github.com/aquasecurity/kube-bench ?