Kubernetes Native, Runtime Container Image Scanning
Bring your existing container image vulnerability scanning information into your Kubernetes cluster. iskan enables you to:
Download the latest release from the release page:

```shell
curl https://raw.githubusercontent.com/alcideio/iskan/master/download.sh | bash
```

Piping a downloaded script straight into a shell runs whatever the server returns; if that matters in your environment, fetch `download.sh` first, read it, and then run it.

Then scan the cluster behind one of your kubeconfig contexts (`cluster` is the subcommand documented below):

```shell
iskan cluster --cluster-context mycluster --api-config myconfig.yaml
```
```text
Get vulnerability information on the containers presently running in the cluster

Usage:
  iskan cluster [flags]

Aliases:
  cluster, scan-cluster

Flags:
  -c, --api-config string          The vulnerability API configuration file name
      --cluster-context string     Cluster context. Use 'kubectl config get-contexts' to list available contexts
      --filter-cvss float32        Include CVEs with a CVSS score greater than or equal to the specified number. Valid values: 0.0-10.0
      --filter-fixable-only        Include only CVEs that have a fix available
      --filter-severity string     Select which severities to include. Comma separated: MINIMAL,LOW,MEDIUM,HIGH,CRITICAL
  -f, --format string              Output format. Supported formats: json | yaml | html (default "json")
  -h, --help                       help for cluster
      --namespace-exclude string   Namespaces to exclude from the scan (default "kube-system")
      --namespace-include string   Namespaces to include in the scan (default "*")
  -o, --outfile string             Output file name. Use '-' to output to stdout (default "alcide-iskan.report")
  -r, --report-config string       The report configuration file name
      --scan-api-burst int32       Maximum burst for throttling requests to the vulnerability providers (default 100)
      --scan-api-qps float32       Maximum QPS to the vulnerability providers (default 30)

Global Flags:
  -v, --v Level                    number for the log level verbosity
```

Note that `kube-system` is excluded by default, so control-plane and add-on images only appear in the report if you override `--namespace-exclude`. The QPS and burst flags exist because every running image becomes a query against your registry's scanning API; lower them if the provider starts rate-limiting you.
The vulnerability API configuration file (the `--api-config` argument) lists one provider per registry, each keyed by the image repository prefix it covers:

```yaml
providers:
  - kind: "gcr"
    repository: "gcr.io/yourproject"
    creds:
      gcr: |
        {
          "type": "service_account",
          "project_id": "yourproject",
          "private_key_id": "XXX",
          "private_key": "",
          "client_email": "imagevulreader@yourproject.iam.gserviceaccount.com",
          "client_id": "666",
          "auth_uri": "https://accounts.google.com/o/oauth2/auth",
          "token_uri": "https://oauth2.googleapis.com/token",
          "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
          "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/imagevulreader%40yourproject.iam.gserviceaccount.com"
        }
  - kind: "ecr"
    repository: "yourawsaccount.dkr.ecr.us-west-2.amazonaws.com/iskan"
    creds:
      ecr:
        accessKeyId: AWSKEY
        secretAccessKey: AWSSECRET
        region: us-west-2
  - kind: "acr"
    repository: "alcide.azurecr.io/iskan"
    creds:
      acr:
        tenantId: mytenantid
        subscriptionId: subscriptionId
        clientId: clientId
        clientSecret: clientsecret
        cloudName: "AZUREPUBLICCLOUD"
  - kind: "trivy"
    # Use "*" as a catch-all that matches all images
    repository: "*"
    creds:
      trivy:
        debugMode: false
  - kind: "harbor"
    repository: "core.harbor.domain"
    creds:
      harbor:
        host: "core.harbor.domain"
        username: admin
        password: Harbor12345
        insecure: false
  - kind: "insightvm"
    repository: "alcide/iskan"
    creds:
      insightvm:
        apikey: "your-api-key"
        region: "us"
```

This file holds live registry credentials: a GCP service-account key, AWS access keys, an Azure client secret, a Harbor password and an InsightVM API key. Keep it out of version control, restrict it to the user that runs iskan, and give each identity read-only access to scan results instead of reusing an admin account. `Harbor12345` above is Harbor's well-known default admin password, and `insecure: false` should stay false so the Harbor TLS certificate is actually verified.
Each provider needs image scanning enabled on the registry side; see the vendor documentation below.

Provider | References
---|---
ECR | ECR Policies, ECR Image Scanning
GCR | Enabling the Container Scanning API
ACR | Azure Defender, Vulnerability Assessment in Azure
InsightVM | InsightVM Container Security
Harbor | Harbor Administration
Trivy | Trivy on GitHub
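The `repository` field decides which provider answers for which image, and an image that no entry covers is simply not scanned at runtime. The following is an added example, not code from the iskan project, that checks a list of running images against the provider list above and reports the gaps. It assumes (this page does not state the rule) that iskan picks the provider whose `repository` is a prefix of the image reference, preferring the longest prefix, with `"*"` as a catch-all; `PROVIDERS` mirrors the `myconfig.yaml` entries with credentials dropped, and `RUNNING_IMAGES` is constructed sample input.

```python
"""Which iskan provider would scan each image running in the cluster?

Added example, not iskan's own code.  Assumed matching rule (not stated on
the page): longest matching `repository` prefix wins, "*" is a catch-all.
"""
from typing import Dict, List, Optional

# Constructed from the myconfig.yaml example above (credentials omitted).
PROVIDERS: List[Dict[str, str]] = [
    {"kind": "gcr", "repository": "gcr.io/yourproject"},
    {"kind": "ecr", "repository": "yourawsaccount.dkr.ecr.us-west-2.amazonaws.com/iskan"},
    {"kind": "acr", "repository": "alcide.azurecr.io/iskan"},
    {"kind": "harbor", "repository": "core.harbor.domain"},
    {"kind": "insightvm", "repository": "alcide/iskan"},
]

# Constructed sample: what `kubectl get pods -A` might report as running images.
RUNNING_IMAGES = [
    "gcr.io/yourproject/path/to/myimage:v1.0",
    "yourawsaccount.dkr.ecr.us-west-2.amazonaws.com/iskan/api:2.3",
    "core.harbor.domain/library/nginx:1.21",
    "alcide/iskan:latest",
    "nginx:1.21",
    "quay.io/prometheus/node-exporter:v1.3.1",
]


def normalize_ref(ref: str, allow_bare_host: bool = False) -> str:
    """Expand Docker Hub shorthand so prefixes compare like-for-like.

    'nginx:1.21'   -> 'docker.io/library/nginx:1.21'
    'alcide/iskan' -> 'docker.io/alcide/iskan'
    'gcr.io/p/img' -> unchanged (first component is a registry host)
    With allow_bare_host=True a lone host such as 'core.harbor.domain'
    (the harbor provider's repository) is kept as a registry prefix.
    """
    first, sep, _ = ref.partition("/")
    looks_like_host = "." in first or ":" in first or first == "localhost"
    if sep and looks_like_host:
        return ref
    if not sep:
        if allow_bare_host and "." in first and ":" not in first:
            return ref
        return "docker.io/library/" + ref
    return "docker.io/" + ref


def _prefix_matches(image: str, repo: str) -> bool:
    """True if repo covers image, respecting path, tag and digest boundaries."""
    return image == repo or image.startswith((repo + "/", repo + ":", repo + "@"))


def select_provider(image: str, providers=PROVIDERS) -> Optional[Dict[str, str]]:
    """Return the provider entry that would handle `image`, or None.

    Longest matching repository prefix wins; "*" only applies when nothing
    more specific matches (assumed rule, see module docstring).
    """
    ref = normalize_ref(image)
    best, best_len = None, -1
    for provider in providers:
        repo = provider["repository"]
        if repo == "*":
            match_len = 0
        else:
            norm_repo = normalize_ref(repo, allow_bare_host=True)
            if not _prefix_matches(ref, norm_repo):
                continue
            match_len = len(norm_repo)
        if match_len > best_len:
            best, best_len = provider, match_len
    return best


def coverage(images, providers=PROVIDERS) -> Dict[str, Optional[str]]:
    """Map each image to the provider kind that would scan it (None = unscanned)."""
    result: Dict[str, Optional[str]] = {}
    for image in images:
        provider = select_provider(image, providers)
        result[image] = provider["kind"] if provider else None
    return result


def uncovered(images, providers=PROVIDERS) -> List[str]:
    """Images no configured provider would scan: a gap in runtime coverage."""
    return sorted(img for img, kind in coverage(images, providers).items() if kind is None)


if __name__ == "__main__":
    for image, kind in coverage(RUNNING_IMAGES).items():
        print(f"{kind or 'UNCOVERED':<10} {image}")
    # Adding the trivy "*" entry from the config above closes the gaps.
    with_trivy = PROVIDERS + [{"kind": "trivy", "repository": "*"}]
    print("still uncovered with trivy catch-all:", uncovered(RUNNING_IMAGES, with_trivy))
```

Feed it the real image list from `kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}'` and anything printed as `UNCOVERED` is an image your registry scanners never see; that is the case for the Docker Hub and quay.io images in the sample until a catch-all provider such as trivy is added.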
The primary use case for `iskan image` is to test your vulnerability provider API configuration against a single image before scanning a whole cluster.

```text
Get vulnerability information for a given container image

Usage:
  iskan image [flags]

Aliases:
  image, scan-image, i, container, scan-container

Examples:
  iskan image --image="gcr.io/myproj/path/to/myimage:v1.0" --api-config myconfig.yaml -f table --filter-severity CRITICAL,HIGH

Flags:
  -c, --api-config string       The vulnerability API configuration file name
      --filter-cvss float32     Include CVEs with a CVSS score greater than or equal to the specified number. Valid values: 0.0-10.0
      --filter-fixable-only     Include only CVEs that have a fix available
      --filter-severity string  Select which severities to include. Comma separated: MINIMAL,LOW,MEDIUM,HIGH,CRITICAL
  -f, --format string           Output format. Supported formats: json | yaml | table (default "json")
  -h, --help                    help for image
  -i, --image string            Container image for which vulnerability information should be obtained

Global Flags:
  -v, --v Level                 number for the log level verbosity
```
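To turn that single-image check into a smoke test of the whole configuration, the script below (an added example, not part of iskan) runs `iskan image` with the flags documented above against every distinct image currently running in a cluster, validates the filter values before calling the tool, and warns when the credentials file is world-readable. It assumes `kubectl` and `iskan` are on `PATH`, that iskan exits non-zero when a provider lookup fails (not stated on this page), and it lists only `spec.containers`, not init containers.

```shell
#!/bin/sh
# Added example, not iskan's own code: smoke-test an --api-config file by
# querying the provider for each image running in the cluster.
# Assumptions (labelled): kubectl and iskan on PATH; iskan returns non-zero
# when the lookup fails; init containers are not enumerated.
set -eu

# Severity names accepted by --filter-severity, from the help text above.
SEVERITIES="MINIMAL LOW MEDIUM HIGH CRITICAL"

# validate_severity LIST: 0 if LIST is a non-empty, comma-separated subset
# of SEVERITIES (exact upper-case spelling), 1 otherwise.
validate_severity() {
  old_ifs=$IFS; IFS=','
  set -- $1            # split the list on commas
  IFS=$old_ifs
  [ $# -gt 0 ] || return 1
  for item in "$@"; do
    case " $SEVERITIES " in
      *" $item "*) ;;
      *) return 1 ;;
    esac
  done
}

# validate_cvss N: 0 if N is a number within the documented range 0.0-10.0.
validate_cvss() {
  awk -v v="$1" 'BEGIN { exit !(v+0 == v && v >= 0 && v <= 10) }'
}

# dedupe: unique, non-empty lines from stdin.
dedupe() { sort -u | sed '/^$/d'; }

# running_images CONTEXT: distinct container images across all namespaces.
running_images() {
  kubectl --context "$1" get pods --all-namespaces \
    -o jsonpath='{.items[*].spec.containers[*].image}' \
    | tr -s '[:space:]' '\n' | dedupe
}

# check_image CONFIG IMAGE: one provider query, same filters as the README example.
check_image() {
  iskan image --image="$2" --api-config "$1" -f table \
    --filter-severity "$SEVERITY" --filter-cvss "$CVSS"
}

main() {
  usage="usage: $0 CONTEXT CONFIG [SEVERITY_LIST] [MIN_CVSS]"
  context=${1:?$usage}
  config=${2:?$usage}
  SEVERITY=${3:-CRITICAL,HIGH}
  CVSS=${4:-7.0}

  validate_severity "$SEVERITY" || { echo "bad severity list: $SEVERITY" >&2; exit 2; }
  validate_cvss "$CVSS" || { echo "CVSS must be 0.0-10.0, got: $CVSS" >&2; exit 2; }
  [ -r "$config" ] || { echo "cannot read $config" >&2; exit 2; }
  # The config carries registry credentials: warn if other users can read it.
  [ -z "$(find "$config" -perm -004)" ] || echo "warning: $config is world-readable" >&2

  failed=0
  for image in $(running_images "$context"); do
    echo "== $image"
    check_image "$config" "$image" || { echo "!! lookup failed: $image" >&2; failed=$((failed + 1)); }
  done
  echo "images with failed provider lookups: $failed"
  [ "$failed" -eq 0 ]
}

# Only run when explicitly asked, so the functions can also be sourced elsewhere.
if [ "${ISKAN_SMOKE:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `ISKAN_SMOKE=1 sh smoke.sh mycluster myconfig.yaml CRITICAL,HIGH 7.0`; a non-zero exit means at least one running image could not be resolved by any configured provider, which is exactly the case a full `iskan cluster` run would otherwise silently skip or fail on.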
If you think you have found a bug, please follow the instructions below.
If you have an idea for enhancing iskan, follow the steps below.