Vulnerability-exporter - A Prometheus exporter for managing vulnerabilities in Kubernetes using Trivy

Kubernetes Vulnerability Exporter

A Prometheus exporter for managing vulnerabilities in Kubernetes using Trivy.

Abstract

Note: this project is under development.

Vulnerability exporter scans the container images and the nodes of a Kubernetes cluster with Trivy and exports the vulnerabilities it finds as Prometheus metrics.

Inspired by kube-trivy-exporter.

Image Scan

Image Scan scans the container images of workloads deployed in Kubernetes for vulnerabilities. Each finding becomes one sample of trivy_image_vulnerabilities, labelled with the workload, image, layer, package, installed and fixed version, severity and vulnerability ID:

trivy_image_vulnerabilities{namespace="argocd",fixedVersion="0.3.3",image="ghcr.io/dexidp/dex:v2.27.0",installedVersion="v0.3.2",layer="sha256:d8d076827e5aadd843d9da261228639f575be6e840b463e99381e6d861be90fc",pkgName="golang.org/x/text",severity="HIGH",vulnerabilityId="CVE-2020-14040",workloadKind="Deployment",workloadName="argocd-dex-server"}

View the metrics in Grafana:

[Screenshot: image scan metrics dashboard]

Node Scan

Node Scan scans the nodes of the Kubernetes cluster for vulnerabilities in the packages installed on them. Each finding becomes one sample of trivy_node_vulnerabilities, labelled with the node, package, installed and fixed version, severity and vulnerability ID:

trivy_node_vulnerabilities{fixedVersion="0.12.3",installedVersion="0.12.2",nodeName="master-node",pkgName="Flask",severity="HIGH",vulnerabilityId="CVE-2018-1000656"}

View the metrics in Grafana:

[Screenshot: node scan metrics dashboard]
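Because the exporter emits one sample per finding, the two label sets above are all a consumer needs to turn the scrape into a fix list. The Go program below is an added example, not code from this project: it parses exposition-format text with a small stand-alone parser (not the Prometheus client library), maps trivy_image_vulnerabilities and trivy_node_vulnerabilities onto a common record, and keeps only findings that have a fix available (non-empty fixedVersion) at or above a severity floor. The embedded payload is constructed: its two HIGH samples reuse the label sets shown in this README, the EXAMPLE-* identifiers are placeholders rather than real vulnerability IDs, and the sample value of 1 per finding is an assumption about the exporter that the filtering does not depend on.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseLine splits one exposition line, e.g. m{nodeName="n",severity="HIGH"} 1,
// into name, labels and raw value. It honours the \" \\ \n escapes allowed in
// label values and tolerates spaces after commas; comments, blank lines, lines
// without a label set and malformed input return ok=false instead of panicking.
func parseLine(line string) (string, map[string]string, string, bool) {
	line = strings.TrimSpace(line)
	open := strings.IndexByte(line, '{')
	if line == "" || line[0] == '#' || open < 0 {
		return "", nil, "", false
	}
	labels := map[string]string{}
	i := open + 1
	for i < len(line) && line[i] != '}' {
		eq := strings.IndexByte(line[i:], '=')
		if eq < 0 || i+eq+1 >= len(line) || line[i+eq+1] != '"' {
			return "", nil, "", false // label without a quoted value
		}
		key := strings.TrimSpace(line[i : i+eq])
		var val strings.Builder
		for i += eq + 2; i < len(line) && line[i] != '"'; i++ { // i now sits after '="'
			c := line[i]
			if c == '\\' && i+1 < len(line) { // escape: next byte is literal, \n is newline
				i++
				if c = line[i]; c == 'n' {
					c = '\n'
				}
			}
			val.WriteByte(c)
		}
		if i >= len(line) {
			return "", nil, "", false // unterminated label value
		}
		labels[key] = val.String()
		for i++; i < len(line) && (line[i] == ',' || line[i] == ' '); i++ {
		}
	}
	if i >= len(line) {
		return "", nil, "", false // no closing brace
	}
	value := strings.TrimSpace(line[i+1:])
	return line[:open], labels, value, value != ""
}

// Finding is one sample reduced to what triage needs; Subject is namespace/kind/name for images, node/<name> for nodes.
type Finding struct {
	Subject, VulnID, Pkg, Severity string
	Fixable                        bool // the fixedVersion label is non-empty
}

var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Triage keeps the fixable findings from the exporter's two metrics at or above minSeverity, in a stable order.
func Triage(payload, minSeverity string) []Finding {
	var out []Finding
	for _, line := range strings.Split(payload, "\n") {
		name, l, _, ok := parseLine(line) // l may be nil; reading a nil map is safe
		f := Finding{VulnID: l["vulnerabilityId"], Pkg: l["pkgName"], Severity: l["severity"], Fixable: l["fixedVersion"] != ""}
		switch {
		case !ok || !f.Fixable || severityRank[f.Severity] < severityRank[minSeverity]:
			continue
		case name == "trivy_image_vulnerabilities":
			f.Subject = l["namespace"] + "/" + l["workloadKind"] + "/" + l["workloadName"]
		case name == "trivy_node_vulnerabilities":
			f.Subject = "node/" + l["nodeName"]
		default:
			continue // some other metric served on the same endpoint
		}
		out = append(out, f)
	}
	sort.Slice(out, func(a, b int) bool {
		return out[a].Subject+" "+out[a].VulnID < out[b].Subject+" "+out[b].VulnID
	})
	return out
}

// samplePayload is a constructed /metrics body: the two HIGH samples reuse the label sets from this
// README, the EXAMPLE-* samples are placeholders that exercise the filters (no fix available; below
// the HIGH floor), and the value 1 per finding is an assumption about the exporter.
const samplePayload = `# TYPE trivy_image_vulnerabilities gauge
trivy_image_vulnerabilities{namespace="argocd",fixedVersion="0.3.3",image="ghcr.io/dexidp/dex:v2.27.0",installedVersion="v0.3.2",layer="sha256:d8d076827e5aadd843d9da261228639f575be6e840b463e99381e6d861be90fc",pkgName="golang.org/x/text",severity="HIGH",vulnerabilityId="CVE-2020-14040",workloadKind="Deployment",workloadName="argocd-dex-server"} 1
trivy_image_vulnerabilities{namespace="argocd",fixedVersion="",image="ghcr.io/dexidp/dex:v2.27.0",installedVersion="1.0.0",layer="sha256:constructed",pkgName="example.invalid/unfixed",severity="CRITICAL",vulnerabilityId="EXAMPLE-UNFIXED-1",workloadKind="Deployment",workloadName="argocd-dex-server"} 1
trivy_node_vulnerabilities{fixedVersion="0.12.3",installedVersion="0.12.2",nodeName="master-node",pkgName="Flask",severity="HIGH",vulnerabilityId="CVE-2018-1000656"} 1
trivy_node_vulnerabilities{fixedVersion="2.0.0",installedVersion="1.0.0",nodeName="master-node",pkgName="example-pkg",severity="MEDIUM",vulnerabilityId="EXAMPLE-MEDIUM-1"} 1
`

func main() {
	for _, f := range Triage(samplePayload, "HIGH") {
		fmt.Println(f.Subject, f.Severity, f.VulnID, f.Pkg, "fix available")
	}
}
```

The fixable-only filter is deliberate: a CRITICAL finding with no upstream fix needs a different response (mitigation or acceptance) than one you can close by bumping a version, and mixing them hides the actionable ones. The same selection is a one-line PromQL expression on these labels, for example `trivy_image_vulnerabilities{severity="CRITICAL",fixedVersion!=""}`, so once the exporter is scraped the filter can live in an alerting rule instead of a program.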

Installation

$ kubectl apply -k deploy

Similar Resources

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Table of contents 1. About 2. Getting started 2.1. Requirements 2.2. Installation 3. Usage 3.1. CLI Usage 3.2. Using Docker 3.3. Older versions 3.4. U

Jan 7, 2023

📡 Prometheus exporter that exposes metrics from SpaceX Starlink Dish

Starlink Prometheus Exporter A Starlink exporter for Prometheus. Not affiliated with or acting on behalf of Starlink(™) 📡 Starlink Monitoring System

Dec 19, 2022

Prometheus exporter for Chia node metrics

chia_exporter Prometheus metric collector for Chia nodes, using the local RPC API Building and Running With the Go compiler tools installed: go build

Sep 19, 2022

NVIDIA GPU metrics exporter for Prometheus leveraging DCGM

DCGM-Exporter This repository contains the DCGM-Exporter project. It exposes GPU metrics exporter for Prometheus leveraging NVIDIA DCGM. Documentation

Dec 27, 2022

Prometheus exporter for Amazon Elastic Container Service (ECS)

ecs_exporter 🚧 🚧 🚧 This repo is still work in progress and is subject to change. This repo contains a Prometheus exporter for Amazon Elastic Contai

Nov 27, 2022

Prometheus exporter for DeadMansSnitch

DeadMansSnitch Exporter Prometheus exporter for DeadMansSnitch information (snitches) Configuration Usage: deadmanssnitch-exporter [OPTIONS] Applic

Apr 6, 2022

A prometheus exporter for monitoring FIO nodeos nodes.

fio-prometheus-exporter This is a simple prometheus exporter for FIO nodeos nodes. It can connect to multiple nodes to display a few critical statisti

Aug 19, 2022

A Prometheus exporter, written in Golang, for Magento 2

Magento 2 Prometheus Exporter A Prometheus exporter, written in Golang, for Magento 2. Philosophy It might be abnormal to start with the "philosophy"

May 3, 2022

Prometheus exporter for podman

Prometheus exporter for podman Exports the following metrics for each running container CPU Usage Memory Usage Network Usage Block Usage Output Exampl

Jul 5, 2022

Comments
  • Bug: Cannot scan images in cluster

    While testing your promising project, I got multiple issues with image scanning, manifesting themselves with a log message as follows:

    W0125 13:00:47.694272       1 image.go:112] failed to scan image(quay.io/prometheus/alertmanager:v0.23.0): failed to execute trivy image: exit status 1: 2022-01-25T13:00:47.692Z	FATAL	scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded
    

    This is happening for all containers.

    The application was installed using manifests in deploy directory but in a different namespace. All namespace-related settings were amended.

    I can provide more info if needed, just tell me what you need :)

  • Not working with Bottlerocket OS / containerd runtime

    Hi,

    I have tested it on AWS EKS and Bottlerocket OS, and it is not working:

    I0203 07:15:50.989758 1 root.go:80] Start vulnerability-exporter
    W0203 07:16:23.033610 1 image.go:124] failed to scan image(602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.1): failed to execute trivy image: exit status 1: 2022-02-03T07:16:22.986Z FATAL
      * unable to inspect the image (602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.1): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
      * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory

    Bottlerocket uses containerd and not the docker runtime.

    Versions:

    EKS: v1.21.5-eks-bc4871b
    AMI: bottlerocket-aws-k8s-1.21-x86_64-v1.5.2-1602f3a8
    Image: ghcr.io/hnts/vulnerability-exporter:v0.1.1

  • Trivy scanner detects critical vulnerability

    Please fix: github.com/containerd/containerd

    ghcr.io/hnts/vulnerability-exporter@sha256:0f5de554a9fd29f5293206bbdf4a755d7bdfcb2936e7afc3ca703de2f9426037 (alpine 3.15.0)
    ================================================================================================================================================
    Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    
    
    bin/vulnerability-exporter (gobinary)
    =====================================
    Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    
    
    usr/local/bin/trivy (gobinary)
    ==============================
    Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
    
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    |               LIBRARY                | VULNERABILITY ID | SEVERITY |          INSTALLED VERSION           | FIXED VERSION |                 TITLE                 |
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    | github.com/containerd/containerd     | CVE-2021-43816   | CRITICAL | v1.5.8                               | 1.5.9         | containerd: Unprivileged pod          |
    |                                      |                  |          |                                      |               | may bind mount any privileged         |
    |                                      |                  |          |                                      |               | regular file on disk...               |
    |                                      |                  |          |                                      |               | -->avd.aquasec.com/nvd/cve-2021-43816 |
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    | github.com/opencontainers/image-spec | GMS-2021-101     | UNKNOWN  | v1.0.2-0.20190823105129-775207bd45b6 | 1.0.2         | Clarify `mediaType` handling          |
    +--------------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
    
Openvpn exporter - Prometheus OpenVPN exporter For golang

Prometheus OpenVPN exporter Please note: This repository is currently unmaintain

Jan 2, 2022

Json-log-exporter - A Nginx log parser exporter for prometheus metrics

json-log-exporter A Nginx log parser exporter for prometheus metrics. Installati

Jan 5, 2022

Amplitude-exporter - Amplitude charts to prometheus exporter PoC

Amplitude exporter Amplitude charts to prometheus exporter PoC. Work in progress

May 26, 2022

Netstat exporter - Prometheus exporter for exposing reserved ports and its mapped process

Netstat exporter Prometheus exporter for exposing reserved ports and its mapped

Feb 3, 2022

Kepler (Kubernetes-based Efficient Power Level Exporter) uses eBPF to probe energy related system stats and exports as Prometheus metrics

kepler Kepler (Kubernetes Efficient Power Level Exporter) uses eBPF to probe energy related system stats and exports as Prometheus metrics Architectur

Dec 26, 2022

A standalone exporter for vulnerability reports and other CRs created by Starboard.

starboard-exporter Exposes Prometheus metrics from Starboard's VulnerabilityReport custom resources (CRs). Metrics This exporter exposes two types of

Dec 14, 2022

Export Prometheus metrics from journald events using Prometheus Go client library

journald parser and Prometheus exporter Export Prometheus metrics from journald events using Prometheus Go client library. For demonstration purposes,

Jan 3, 2022

Nvidia GPU exporter for prometheus using nvidia-smi binary

nvidia_gpu_exporter Nvidia GPU exporter for prometheus, using nvidia-smi binary to gather metrics. Introduction There are many Nvidia GPU exporters ou

Jan 5, 2023

Openshift's hpessa-exporter allows users to export SMART information of local storage devices as Prometheus metrics, by using HPE Smart Storage Administrator tool

hpessa-exporter Overview Openshift's hpessa-exporter allows users to export SMART information of local storage devices as Prometheus metrics, by using

Jan 17, 2022

🔭 Kubernetes out-cluster vulnerability scanner

Kubnerable Kubnerable is an out-cluster vulnerability scanner tool for Kubernetes resources. It comes with a predefined vulnerability database (vulner

Mar 26, 2022