https://github.com/wagoodman/kubecon-2021.git
From the Cloud Native Security Conference 2021 talk "Not-So-Fantastic Leaks, and Where to Find Them In Containers".
This repo contains a Tekton pipeline and related tasks to build, validate, and publish a container image of a sample application.
The main concept behind this pipeline is to build your image and perform all validations before publishing to your registry. Validations are typically much faster to perform on an SBOM generated from your image rather than continually operating on the image for each validation. Additionally, this means you get an SBOM of your container image that you can publish at the end of your pipeline.
Image building is done with Kaniko, SBOM generation and secrets scanning with Syft, vulnerability scanning with Grype, container image publishing with Skopeo, and SBOM attachment and publishing with Cosign.
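The publish gate that sits between scanning and pushing, as an added example rather than code from this repo: a small Python check that reads a Grype JSON report (the kind produced by scanning the Syft SBOM) and decides whether the image may be published. The report below is constructed with placeholder identifiers; only the field names follow Grype's JSON output.

```python
import json

# Grype severities, lowest to highest. Anything not in this list (e.g. "Unknown")
# ranks above Critical so that an unrated finding never passes silently.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample report: shape mirrors Grype's JSON ("matches" entries with
# "vulnerability" and "artifact" objects); ids, packages and versions are placeholders.
SAMPLE_GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "PLACEHOLDER-CVE-1", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["1.2.4"]}},
     "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
    {"vulnerability": {"id": "PLACEHOLDER-CVE-2", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "othertool", "version": "0.9.0", "type": "apk"}},
    {"vulnerability": {"id": "PLACEHOLDER-CVE-3", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["2.0.1"]}},
     "artifact": {"name": "smalllib", "version": "2.0.0", "type": "python"}},
]})


def severity_rank(severity):
    """Map a Grype severity string to a comparable integer; unrated ranks highest."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return len(SEVERITY_ORDER)


def evaluate_report(report_json, fail_on="High", ignore_unfixed=False):
    """Return (passed, blocking_findings) for a Grype JSON report.

    A finding blocks publishing when its severity is at or above `fail_on`.
    With ignore_unfixed=True, findings that have no fix available are skipped
    (the same policy as Grype's --only-fixed option), so the gate only fails
    on problems the image author can actually remediate."""
    threshold = severity_rank(fail_on)
    blocking = []
    for match in json.loads(report_json).get("matches", []):
        vuln, pkg = match["vulnerability"], match["artifact"]
        if severity_rank(vuln.get("severity", "Unknown")) < threshold:
            continue
        if ignore_unfixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        blocking.append(f"{vuln['id']} {vuln.get('severity')} in {pkg['name']}@{pkg['version']}")
    return (not blocking, blocking)


if __name__ == "__main__":
    ok, findings = evaluate_report(SAMPLE_GRYPE_REPORT, fail_on="High")
    print("publish" if ok else "block: " + "; ".join(findings))
```

In the pipeline this check would run after the Grype task and before the Skopeo publish task, so a failing gate stops the image from ever reaching the registry.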
You will need:
If you plan to publish to a registry, then you will need to set the following environment variables on your host:
CONTAINER_REGISTRY_SERVER (e.g. 'https://ghcr.io')
CONTAINER_REGISTRY_USER
CONTAINER_REGISTRY_PASSWORD
Then, from the repo root, install Tekton, install the pipeline (with a placeholder registry secret), and run the scenarios:
make install-tekton
make install install-fake-secret
make run-all-scenarios
If you want to follow along in the Tekton dashboard UI and you have a local Kubernetes cluster:
kubectl proxy
To remove Tekton from the cluster when you are done:
make uninstall-tekton