Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Umbrella] Artifact Vulnerability Scanning and Triage Policy #3

Open
11 of 17 tasks
PushkarJ opened this issue Jul 29, 2021 · 24 comments
Open
11 of 17 tasks

[Umbrella] Artifact Vulnerability Scanning and Triage Policy #3

PushkarJ opened this issue Jul 29, 2021 · 24 comments
Assignees
@PushkarJ
Labels
area/dependency Issues or PRs related to dependency changes committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/feature Categorizes issue or PR as related to a new feature. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security.
Projects
SIG Auth Old sig-security-tracker

Comments

@PushkarJ
Copy link
Member

PushkarJ commented Jul 29, 2021
edited

Goal: Implement automated scanning capabilities that are tool agnostic for identifying vulnerabilities in Kubernetes related artifacts, followed by a documented private triage process to resolve the identified vulnerability, with a programmable way for Kubernetes users to consume this vulnerability information.

Background

Over the years, multiple different community members in Security Response Committee (formerly PSC), SIG Release, Architecture, Security, Auth have contributed to several standalone efforts related to vulnerability management for https://github.com/kubernetes/kubernetes. We have made tremendous progress but there are still some opportunities to improve :-)

Scope

This issue is created to act as a single place to find current state of the work, in progress and planned work that fall in the overall theme of vulnerability management of Kubernetes artifacts. In scope artifacts include but are not limited to build time dependencies and container images. Adding any missing issues or related work as a comment is encouraged :-)

Artifact Vulnerability Scanning

Build time Dependencies

Container Images

Ongoing Maintenance

Triage Policy Definition and Implementation

Related Issues and PRs

/sig security release architecture auth
/area config testing code-organization dependency release-eng release-eng/security
/committee product-security
/kind feature
@k8s-ci-robot
Copy link
Contributor

@PushkarJ: The label(s) area/config, area/testing, area/release-eng, area/release-eng/security cannot be applied, because the repository doesn't have them.

In response to this:

Goal: Implement automated scanning capabilities that are tool agnostic for identifying vulnerabilities in Kubernetes related artifacts, followed by a documented private triage process to resolve the identified vulnerability, with a programmable way for Kubernetes users to consume this vulnerability information.

Background

Over the years, multiple different community members in Security Response Committee (formerly PSC), SIG Release, Architecture, Security, Auth have contributed to several standalone efforts related to vulnerability management for github.com/kubernetes/kubernetes. We have made tremendous progress but there are still some opportunities to improve :-)

Scope

This issue is created to act as a single place to find current state of the work, in progress and planned work that fall in the overall theme of vulnerability management of Kubernetes artifacts. In scope artifacts include but are not limited to build time dependencies and container images. Adding any missing issues or related work as a comment is encouraged :-)

Artifact Vulnerability Scanning

Build time Dependencies

Container Images

  • Identify a list of container images managed by github.com/kubernetes/release
  • Explore and identify scanners that can detect vulnerabilities in distroless++ images
  • Explore using SBOM to programmatically get a list of images in each kubernetes release (Generate the first SBOM protoype from the Kubernetes release process release#2095)
  • Implement automated scanning with prow and test-grid for k/k HEAD
  • Ensure scan fails when a vulnerability is found

Triage Policy Definition and Implementation

Related Issues and PRs

/sig security release architecture auth
/area config testing code-organization dependency release-eng release-eng/security
/committee product-security
/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@PushkarJ
Copy link
Member Author

cc @kubernetes/sig-security-leads / @tabbysable / @IanColdwater , @dims , @navidshaikh , @puerco , @justaugustus

@PushkarJ
Copy link
Member Author

/assign @PushkarJ

@puerco
Copy link
Member

puerco commented Jul 29, 2021

In addition to the SBOM item, you can find the images we produce in the SBOM to close this one:

Identify a list of container images managed by github.com/kubernetes/release

I can help with that!

@tengqm
Copy link

tengqm commented Jul 31, 2021

/cc

@vinayakankugoyal
Copy link

I'd love to help with. Evaluate go vuln-db tool as an additional scanning tool and any of the Container Images - tasks.
I remember use talking about automation for updating k8s with latest debian-[base, iptables] images. Are we tracking that in this? I'd love to help with that.

@PushkarJ
Copy link
Member Author

/transfer sig-security

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/community Sep 14, 2021
@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. area/dependency Issues or PRs related to dependency changes committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/feature Categorizes issue or PR as related to a new feature. labels Sep 14, 2021
@k8s-ci-robot
Copy link
Contributor

@PushkarJ: The label(s) area/config, area/testing, area/code-organization, area/release-eng, area/release-eng/security cannot be applied, because the repository doesn't have them.

In response to this:

Goal: Implement automated scanning capabilities that are tool agnostic for identifying vulnerabilities in Kubernetes related artifacts, followed by a documented private triage process to resolve the identified vulnerability, with a programmable way for Kubernetes users to consume this vulnerability information.

Background

Over the years, multiple different community members in Security Response Committee (formerly PSC), SIG Release, Architecture, Security, Auth have contributed to several standalone efforts related to vulnerability management for https://github.com/kubernetes/kubernetes. We have made tremendous progress but there are still some opportunities to improve :-)

Scope

This issue is created to act as a single place to find current state of the work, in progress and planned work that fall in the overall theme of vulnerability management of Kubernetes artifacts. In scope artifacts include but are not limited to build time dependencies and container images. Adding any missing issues or related work as a comment is encouraged :-)

Artifact Vulnerability Scanning

Build time Dependencies

Container Images

Triage Policy Definition and Implementation

Related Issues and PRs

/sig security release architecture auth
/area config testing code-organization dependency release-eng release-eng/security
/committee product-security
/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@PushkarJ PushkarJ mentioned this issue Sep 14, 2021
Closed
@reylejano reylejano mentioned this issue Oct 8, 2021
Merged
@PushkarJ PushkarJ added this to In progress in sig-security-tracker Oct 25, 2021
@PushkarJ PushkarJ moved this from In progress to Umbrella issues in sig-security-tracker Oct 25, 2021
@enj enj moved this from Needs Triage to Backlog in SIG Auth Old Dec 13, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 25, 2021
@reylejano
Copy link
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 27, 2021
@nehaLohia27 nehaLohia27 mentioned this issue Jan 4, 2022
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 27, 2022
@PushkarJ
Copy link
Member Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 28, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 27, 2022
@PushkarJ
Copy link
Member Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 27, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 25, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 24, 2023
@PushkarJ
Copy link
Member Author

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 24, 2023
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 13, 2023
@PushkarJ
Copy link
Member Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 13, 2023
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 24, 2024
@PushkarJ
Copy link
Member Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 25, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 24, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 18, 2024
@puerco
Copy link
Member

puerco commented Jun 18, 2024

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jun 18, 2024
@PushkarJ PushkarJ mentioned this issue Jun 27, 2024
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PushkarJ PushkarJ

Labels
area/dependency Issues or PRs related to dependency changes committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/feature Categorizes issue or PR as related to a new feature. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security.
Projects
SIG Auth
Status: Backlog
sig-security-tracker
Umbrella issues
SIG Auth Old
Backlog
Milestone
No milestone
Development

No branches or pull requests
7 participants
@PushkarJ @vinayakankugoyal @puerco @tengqm @k8s-ci-robot @reylejano @k8s-triage-robot