The open source cloud-native security project CNSI (code name: Narrows) has released version 0.4, which adds the "cnsi-scanner-trivy" component to make scanning workloads for vulnerabilities easier. The component also scans images for software package vulnerabilities, misconfigurations, and license information. In addition, this version introduces a Redis DB to store scan results. Once the image scanner is configured, Trivy can be used for image scanning.
The installation and deployment scripts have also been updated in this version.
Usage is as follows:
First clone the CNSI code, then install and deploy with the deploy.sh script.
Clone the code:
git clone git@github.com:vmware-tanzu/cloud-native-security-inspector.git
Switch into the directory, then install and deploy:
cd cloud-native-security-inspector
./deploy.sh install
After the installation completes, "cnsi-scanner-trivy" is deployed in the Kubernetes cluster as a Deployment, and the corresponding configuration and Services are created. You can view the corresponding configuration:
cnsi-scanner-trivy also exposes two endpoints (/scan and /scan/{scan_request_id}/report in the figure below), which are used to request a scan of the given container image and to return the scan result.
A cnsi-scanner-redis cluster is also deployed in Kubernetes; Redis is responsible for storing the report data produced by Trivy scans. Its structure is as follows:
After logging in to the CNSI portal, on the policy creation page, if the user enables the inspector scanner, each triggered scan will first try to use the scanner in the cluster to scan and generate a report.
The scan results can then be viewed through the Reports -> Image Risks Reports menu.
The following figure shows the report content in the generated scan results:
It contains the vulnerabilities found in the image and a list of configuration files.
Users can also run vulnerability scans from the command line.
Run the following command to get the pod name of the Trivy scanner:
kubectl get po -n cnsi-system
Use the following command to scan any specified image and obtain the results on the command line.
kubectl exec -n cnsi-system cnsi-scanner-trivy-6bf77df5d-xwhjz -- trivy image --scanners config,vuln,license grafana/grafana
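The command above prints Trivy's human-readable table. To feed the result into a policy check, the same scan can be run with Trivy's `--format json` flag and the JSON parsed. The script below is an added example (not CNSI/Narrows code) that summarises such a report: it counts vulnerabilities, failed misconfigurations and license findings per severity, lists vulnerabilities with no fixed version yet, and applies a simple severity gate. The embedded report is constructed sample data that follows the shape of Trivy's schema-version-2 JSON output; its image name, CVE IDs and check IDs are placeholders, not real identifiers.

```python
"""Summarise a Trivy JSON report, e.g. from
`trivy image --format json --scanners config,vuln,license <image>`.

Added example, not part of CNSI/Narrows. SAMPLE_REPORT is constructed data in
the layout of Trivy's schema-version-2 output; every ID in it is a placeholder.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample report: the keys follow Trivy's JSON output, the values are made up.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/demo-app:1.0",
    "Results": [
        {
            "Target": "example.invalid/demo-app:1.0 (alpine 3.17.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r29", "FixedVersion": "",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Dockerfile",
            "Class": "config",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-PLACEHOLDER-1", "Title": "Image runs as root",
                 "Severity": "HIGH", "Status": "FAIL"},
                {"ID": "DS-PLACEHOLDER-2", "Title": "HEALTHCHECK present",
                 "Severity": "LOW", "Status": "PASS"},
            ],
        },
        {
            "Target": "OS Packages",
            "Class": "license",
            "Licenses": [
                {"Severity": "HIGH", "Category": "restricted",
                 "PkgName": "some-gpl-pkg", "Name": "GPL-3.0"},
                {"Severity": "LOW", "Category": "notice",
                 "PkgName": "busybox", "Name": "MIT"},
            ],
        },
    ],
})


def summarize(report_json: str) -> dict:
    """Count findings per severity and collect vulnerabilities without a fix."""
    report = json.loads(report_json)
    vulns, misconfigs, licenses = Counter(), Counter(), Counter()
    unfixed = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            vulns[v.get("Severity", "UNKNOWN")] += 1
            # An empty FixedVersion means no patched package exists yet.
            if not v.get("FixedVersion"):
                unfixed.append((v["VulnerabilityID"], v["PkgName"]))
        for m in result.get("Misconfigurations") or []:
            # Trivy also lists passed checks (Status PASS); only FAIL is a finding.
            if m.get("Status") == "FAIL":
                misconfigs[m.get("Severity", "UNKNOWN")] += 1
        for lic in result.get("Licenses") or []:
            licenses[lic.get("Severity", "UNKNOWN")] += 1
    return {
        "artifact": report.get("ArtifactName"),
        "vulnerabilities": dict(vulns),
        "misconfigurations": dict(misconfigs),
        "licenses": dict(licenses),
        "unfixed": unfixed,
    }


def violates_policy(summary: dict, max_severity: str = "HIGH") -> bool:
    """True if any vulnerability or failed misconfiguration is at or above
    max_severity (a simple gate in the spirit of a CNSI policy check)."""
    threshold = SEVERITY_ORDER.index(max_severity)
    for findings in (summary["vulnerabilities"], summary["misconfigurations"]):
        for sev, count in findings.items():
            if count and sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) <= threshold:
                return True
    return False


if __name__ == "__main__":
    # Read a real report from stdin when piped; otherwise use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    s = summarize(data)
    for key in ("vulnerabilities", "misconfigurations", "licenses"):
        print(f"{key}:", ", ".join(f"{sev}={s[key].get(sev, 0)}" for sev in SEVERITY_ORDER))
    print("unfixed:", s["unfixed"])
    print("policy violated:", violates_policy(s))
```

Run stand-alone it summarises the sample; piped a real report (`kubectl exec ... -- trivy image --format json --scanners config,vuln,license <image> | python3 summarize.py`) it summarises that instead. The gate deliberately ignores license findings, which are usually a compliance rather than an exploitability question; adjust `violates_policy` if your policy treats them differently.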
Narrows has been open sourced by VMware under the commercially friendly Apache 2.0 license, which makes it easy for users to extend and innovate. If you are interested in the Narrows open source project, would like to work more closely with us, or would like to test it out, make suggestions or report bugs, please email [email protected].
Content Source|Public Account: VMware China R&D Center