KlustAIR Scanner
The Klustair scanner scans your Kubernetes namespaces for the container images in use and submits them to Anchore and/or Trivy for vulnerability scanning. This repository is the scanner part.
INFORMATION: This runner is deprecated in favor of the new klustair-cli. For Klustair newer than v0.6.0, please use klustair-cli, which is written in Go.
Related Klustair projects:
- Klustair Frontend to view the scanner results
- Klustair Helm charts to spin up Anchore and Klustair
Related open-source projects:
- trivy A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts
- (DEPRECATED) anchore-engine A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification
- kubeaudit kubeaudit helps you audit your Kubernetes clusters against common security controls
Requirements
- Python 3
- A running Anchore instance (see docker-compose-anchore.yaml, or the Klustair Helm charts)
Usage
usage: runner.py [-h] [-v] [-n NAMESPACES] [-N NAMESPACESBLACKLIST]
                 [-k KUBEAUDIT] [-l LABEL] [-a] [-t] [-c TRIVYCREDENTIALSPATH]
                 [-ld LIMITDATE] [-ln LIMITNR] [-C CONFIGKEY] [-H APIHOST]
optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity
  -n NAMESPACES, --namespaces NAMESPACES
                        Comma-separated whitelist of namespaces to check
  -N NAMESPACESBLACKLIST, --namespacesblacklist NAMESPACESBLACKLIST
                        Comma-separated blacklist of namespaces to skip
  -k KUBEAUDIT, --kubeaudit KUBEAUDIT
                        Comma-separated list of audits to run. default: 'all',
                        disable: 'none'
  -l LABEL, --label LABEL
                        An optional title for your run
  -a, --anchore         Run Anchore vulnerability checks
  -t, --trivy           Run Trivy vulnerability checks
  -c TRIVYCREDENTIALSPATH, --trivycredentialspath TRIVYCREDENTIALSPATH
                        Path to repo credentials for trivy
  -ld LIMITDATE, --limitDate LIMITDATE
                        Remove reports older than X days
  -ln LIMITNR, --limitNr LIMITNR
                        Keep only X reports
  -C CONFIGKEY, --configkey CONFIGKEY
                        Load remote configuration from frontend
  -H APIHOST, --apihost APIHOST
                        Remote API-host address [example: https://localhost:8443]
ENV vars
export KLUSTAIR_NAMESPACES=
export KLUSTAIR_NAMESPACEBLACKLIST=
export KLUSTAIR_KUBEAUDIT=
export KLUSTAIR_TRIVYCREDENTIALSPATH=
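As an added example (not code from the Klustair project), here is a small POSIX shell wrapper that turns the KLUSTAIR_* variables above into a validated argument string for runner.py. It assumes, which this page does not state, that each variable maps onto the flag of the same name (-n, -N, -k, -c) and that a Trivy credentials path implies -t. The validation it performs (namespace names must be RFC 1123 DNS labels, no namespace may appear on both lists, the credentials file must be readable) is the wrapper's own check, not something the runner is documented to do.

```shell
#!/bin/sh
# Added example, not code from the Klustair project: a wrapper that turns the
# KLUSTAIR_* environment variables into a validated argument string for
# runner.py. Assumed (not stated on the page): each variable maps 1:1 onto the
# flag of the same name (-n, -N, -k, -c), and a credentials path implies -t.
set -u

# A namespace name must be an RFC 1123 DNS label: 1-63 lowercase alphanumerics
# or '-', not starting or ending with '-'. Anything else is rejected so a typo
# or a stray shell character never reaches the scanner's namespace filter.
valid_ns() {
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Split a comma-separated list, validate every item and print them one per
# line. Empty items are dropped; the first invalid item aborts with status 1.
# Parameter expansion is used instead of word splitting so a value such as '*'
# is validated literally and never glob-expanded against the working directory.
split_ns_list() {
  local rest="$1," item
  while [ -n "$rest" ]; do
    item="${rest%%,*}"
    rest="${rest#*,}"
    [ -n "$item" ] || continue
    valid_ns "$item" || { echo "invalid namespace name: '$item'" >&2; return 1; }
    printf '%s\n' "$item"
  done
}

# Print the runner.py arguments derived from the environment. $1 is an optional
# run label (-l); it must be a single word because the output is a plain string.
klustair_args() {
  local args='' wl='' bl='' ns rest
  if [ -n "${KLUSTAIR_NAMESPACES:-}" ]; then
    wl=$(split_ns_list "$KLUSTAIR_NAMESPACES") || return 1
    [ -n "$wl" ] || { echo "KLUSTAIR_NAMESPACES contains no namespace" >&2; return 1; }
    wl=$(printf '%s' "$wl" | tr '\n' ',')
    args="-n $wl"
  fi
  if [ -n "${KLUSTAIR_NAMESPACEBLACKLIST:-}" ]; then
    bl=$(split_ns_list "$KLUSTAIR_NAMESPACEBLACKLIST") || return 1
    bl=$(printf '%s' "$bl" | tr '\n' ',')
    args="${args:+$args }-N $bl"
  fi
  # A namespace on both lists is a contradiction; refuse instead of guessing
  # which list the scanner lets win.
  rest="$wl,"
  while [ -n "$rest" ]; do
    ns="${rest%%,*}"
    rest="${rest#*,}"
    [ -n "$ns" ] || continue
    case ",$bl," in
      *",$ns,"*) echo "namespace '$ns' is both whitelisted and blacklisted" >&2; return 1 ;;
    esac
  done
  # The runner defaults to 'all' audits; pass 'none' explicitly to disable them.
  args="${args:+$args }-k ${KLUSTAIR_KUBEAUDIT:-all}"
  if [ -n "${KLUSTAIR_TRIVYCREDENTIALSPATH:-}" ]; then
    [ -r "$KLUSTAIR_TRIVYCREDENTIALSPATH" ] \
      || { echo "trivy credentials not readable: $KLUSTAIR_TRIVYCREDENTIALSPATH" >&2; return 1; }
    args="$args -t -c $KLUSTAIR_TRIVYCREDENTIALSPATH"
  fi
  if [ -n "${1:-}" ]; then
    args="$args -l $1"
  fi
  printf '%s\n' "$args"
}

# Typical use, labelling the run with the commit being deployed:
#   python3 runner.py $(klustair_args "$(git rev-parse --short HEAD)")
```

Failing closed on a bad namespace name matters more than it looks: a list that silently turns into an empty or wrong filter makes the scanner skip workloads without any report saying so.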
Run in Docker
cp .env.example .env
vim .env
docker-compose up -d
or, to hand the container your kubeconfig without editing .env (docker-compose up has no -e option; the variable is read from the environment when the compose file is interpolated):
PATH_LOCAL_KUBECONFIG=~/.kube/config docker-compose up -d
Start Anchore locally
curl https://docs.anchore.com/current/docs/engine/quickstart/docker-compose.yaml > docker-compose-anchore.yaml
docker-compose -f docker-compose-anchore.yaml up -d
Develop
python3 -m venv env
source env/bin/activate
pip install -r requirements.txt
deactivate
Build
cp .env.example .env
vim .env
docker-compose build
or, with the Compose v2 plugin:
docker compose build