fix: sbom report support (#1346)
* fix: sbom report support

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
chen-keinan authored Jul 10, 2023
1 parent 4c8f373 commit 4ff5d8a
Showing 57 changed files with 2,482 additions and 201 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -37,6 +37,7 @@ The Trivy operator automatically updates security reports in response to workloa
- CIS Kubernetes Benchmark v1.23 cybersecurity technical report is produced.
- Kubernetes pss-baseline, Pod Security Standards
- Kubernetes pss-restricted, Pod Security Standards
- SBOM (software bill of materials genertations) for Kubernetes workloads.

<p align="center">
<img src="docs/images/trivy-operator-overview.png" alt="Trivy-operator Overview"/>
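Review bot: the added bullet misspells "generation" as "genertations"; suggest "- SBOM (software bill of materials) generation for Kubernetes workloads." so the README line matches the feature name used in the Helm values (sbomGenerationEnabled).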
1 change: 1 addition & 0 deletions deploy/helm/README.md
Expand Up @@ -56,6 +56,7 @@ Keeps security report resources updated
| operator.privateRegistryScanSecretsNames | object | `{}` | privateRegistryScanSecretsNames is map of namespace:secrets, secrets are comma seperated which can be used to authenticate in private registries in case if there no imagePullSecrets provided example : {"mynamespace":"mySecrets,anotherSecret"} |
| operator.rbacAssessmentScannerEnabled | bool | `true` | rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner |
| operator.replicas | int | `1` | replicas the number of replicas of the operator's pod |
| operator.sbomGenerationEnabled | bool | `false` | the flag to enable sbom generation |
| operator.scanJobTTL | string | `""` | scanJobTTL the set automatic cleanup time after the job is completed |
| operator.scanJobTimeout | string | `"5m"` | scanJobTimeout the length of time to wait before giving up on a scan job |
| operator.scanJobsConcurrentLimit | int | `10` | scanJobsConcurrentLimit the maximum number of scan jobs create by the operator |
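Review bot: the description cell for the new `operator.sbomGenerationEnabled` row drops the parameter-name prefix that the surrounding rows use ("rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner", "scanJobTTL the set automatic cleanup time ..."), so the table reads inconsistently; suggest "sbomGenerationEnabled the flag to enable sbom generation". The row text is identical to the new comment in deploy/helm/values.yaml in this same commit, so if this table is generated from those comments the fix belongs in the values.yaml comment rather than here.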
328 changes: 328 additions & 0 deletions deploy/helm/crds/aquasecurity.github.io_sbomreports.yaml
@@ -0,0 +1,328 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.2
creationTimestamp: null
name: sbomreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: SbomReport
listKind: SbomReportList
plural: sbomreports
shortNames:
- sbom
- sboms
singular: sbomreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The name of image repository
jsonPath: .report.artifact.repository
name: Repository
type: string
- description: The name of image tag
jsonPath: .report.artifact.tag
name: Tag
type: string
- description: The name of the sbom generation scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of dependencies in bom
jsonPath: .report.summary.componentsCount
name: Components
priority: 1
type: integer
- description: The the number of components in bom
jsonPath: .report.summary.dependenciesCount
name: Dependencies
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: SbomReport summarizes components and dependencies found in container
image
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
report:
description: Report is the actual sbom report data.
properties:
artifact:
description: Artifact represents a standalone, executable package
of software that includes everything needed to run an application.
properties:
digest:
description: Digest is a unique and immutable identifier of an
Artifact.
type: string
mimeType:
description: MimeType represents a type and format of an Artifact.
type: string
repository:
description: Repository is the name of the repository in the Artifact
registry.
type: string
tag:
description: Tag is a mutable, human-readable string used to identify
an Artifact.
type: string
type: object
components:
description: Bom isartifact bill of materials.
properties:
bomFormat:
type: string
components:
items:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
type: array
dependencies:
items:
properties:
dependsOn:
items:
type: string
type: array
ref:
type: string
type: object
type: array
metadata:
properties:
component:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
timestamp:
type: string
tools:
items:
properties:
name:
type: string
vendor:
type: string
version:
type: string
type: object
type: array
type: object
serialNumber:
type: string
specVersion:
type: integer
version:
type: integer
required:
- bomFormat
- specVersion
type: object
registry:
description: Registry is the registry the Artifact was pulled from.
properties:
server:
description: Server the FQDN of registry server.
type: string
type: object
scanner:
description: Scanner is the scanner that generated this report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: Summary is a summary of sbom report.
properties:
componentsCount:
description: ComponentsCount is the number of components in bom.
minimum: 0
type: integer
dependenciesCount:
description: DependenciesCount is the number of dependencies in
bom.
minimum: 0
type: integer
required:
- componentsCount
- dependenciesCount
type: object
updateTimestamp:
description: UpdateTimestamp is a timestamp representing the server
time in UTC when this report was updated.
format: date-time
type: string
required:
- artifact
- components
- scanner
- summary
- updateTimestamp
type: object
required:
- report
type: object
served: true
storage: true
subresources: {}
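Review bot: the two priority-1 printer columns have their descriptions swapped: the Components column (jsonPath `.report.summary.componentsCount`) is described as "The number of dependencies in bom", while the Dependencies column (jsonPath `.report.summary.dependenciesCount`) is described as "The the number of components in bom" (with a doubled "The"). Because the file carries the controller-gen annotation, the fix belongs in the printcolumn markers on the Go type, not in this generated YAML. Two smaller points in the schema: the `components` description "Bom isartifact bill of materials." is missing a space, and `specVersion` is declared `type: integer` whereas the CycloneDX JSON format carries specVersion as a string such as "1.4"; confirm the integer mapping matches how the report field is populated from the scanner output, since a string value would be rejected by schema validation on apply.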
12 changes: 12 additions & 0 deletions deploy/helm/generated/role.yaml
Expand Up @@ -232,6 +232,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- sbomreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
2 changes: 2 additions & 0 deletions deploy/helm/templates/deployment.yaml
Expand Up @@ -69,6 +69,8 @@ spec:
value: ":9090"
- name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }}
- name: OPERATOR_SBOM_GENERATION_ENABLED
value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }}
- name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
value: {{ .Values.operator.vulnerabilityScannerScanOnlyCurrentRevisions | quote }}
- name: OPERATOR_SCANNER_REPORT_TTL
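Review bot: copy-paste bug in the new environment variable: `OPERATOR_SBOM_GENERATION_ENABLED` is bound to `.Values.operator.vulnerabilityScannerEnabled` instead of `.Values.operator.sbomGenerationEnabled`, so the new `sbomGenerationEnabled` value (default `false` in values.yaml in this commit) is never consulted and SBOM generation follows the vulnerability-scanner flag, which defaults to `true`. The second added line should read `value: {{ .Values.operator.sbomGenerationEnabled | quote }}`. A chart unit test or a `helm template` check that renders with `--set operator.sbomGenerationEnabled=false` and asserts the env var value is `"false"` would have caught this and is worth adding alongside the fix.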
2 changes: 2 additions & 0 deletions deploy/helm/values.yaml
Expand Up @@ -58,6 +58,8 @@ operator:

# -- the flag to enable vulnerability scanner
vulnerabilityScannerEnabled: true
# -- the flag to enable sbom generation
sbomGenerationEnabled: false
# -- scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled
scannerReportTTL: "24h"
# -- configAuditScannerEnabled the flag to enable configuration audit scanner