Description

A Kubernetes controller prototype that integrates sbomscanner with automated vulnerability patching using copa. The tool automatically detects vulnerabilities in container images through VulnerabilityReport CRs and generates patched images by applying minimal security updates.

Key Features

  • Automatic Detection: Watches VulnerabilityReport CRs created by sbomscanner for container images with vulnerabilities
  • Intelligent Filtering: Automatically skips images that have already been patched (tag ends with the -patch suffix)
  • On-Demand BuildKit: Automatically provisions BuildKit infrastructure using BuildKit operator when needed
  • Format Transformation: Converts sbomscanner's VulnerabilityReport format to Trivy JSON format required by copa
  • Automated Patching: Executes copa patch CLI to apply security patches and build patched container images
  • Registry Integration: Automatically pushes patched images to the registry with a new tag (original-tag-patch)
  • State Tracking: Creates PatchJob CRs to track patching completion and prevent duplicate processing

Integration Points

  • sbomscanner: Consumes VulnerabilityReport CRs as input (read-only)
  • copa: Uses copa CLI tool to patch container images based on vulnerability reports
  • BuildKit: Dynamically creates BuildKit instances per registry for image building operations

Goals

  1. Integrate sbomscanner output with patch generation logic

    • Transform VulnerabilityReport format (sbomscanner) to Trivy JSON format
    • Extract vulnerability information and image metadata
    • Pass formatted data to copa for patching
  2. Automate the patching workflow

    • Automatically detect new vulnerability reports
    • Provision required infrastructure (BuildKit) on-demand
    • Execute patching operations without manual intervention
    • Track patching status and prevent duplicate work
  3. Provide Kubernetes-native solution

    • Use CRDs for state management (PatchJob)
    • Follow controller-runtime patterns
    • Integrate with existing Kubernetes tooling (BuildKit operator)
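The three pieces of logic that the feature list and goals above describe in words (skip already-patched images by their -patch tag, derive the output tag, and rewrite a VulnerabilityReport into the Trivy JSON layout copa reads) are shown below as an added Go example. It is not the project's own code: the VulnerabilityReport struct is an assumed minimal stand-in for sbomscanner's CR, the Trivy report struct carries only the fields relevant to patching, and the sample findings are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// VulnerabilityReport is a minimal stand-in for the sbomscanner CR. The field
// names are assumptions made for this example, not sbomscanner's real schema.
type VulnerabilityReport struct {
	Image string          // scanned image reference, e.g. registry.example/app:1.2.3
	OS    string          // OS package type the scanner found, e.g. "alpine", "debian"
	Vulns []Vulnerability // findings for OS packages
}

type Vulnerability struct {
	ID, Package, InstalledVersion, Severity string
	FixedVersion                            string // empty when the distribution ships no fix yet
}

// Trivy JSON report as copa's trivy scanner plugin reads it (only the fields
// that matter for patching; the JSON tag names match Trivy's own output).
type TrivyReport struct {
	SchemaVersion int           `json:"SchemaVersion"`
	ArtifactName  string        `json:"ArtifactName"`
	Results       []TrivyResult `json:"Results"`
}

type TrivyResult struct {
	Target          string      `json:"Target"`
	Class           string      `json:"Class"` // "os-pkgs" is the class copa patches
	Type            string      `json:"Type"`  // distro package type, e.g. "alpine"
	Vulnerabilities []TrivyVuln `json:"Vulnerabilities"`
}

type TrivyVuln struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
}

// splitRef separates an image reference into repository and tag. A colon after
// the last slash is the tag separator; one before it is a registry port.
// Digest references carry no tag, so no "-patch" tag can be derived from them.
func splitRef(ref string) (repo, tag string, err error) {
	if strings.Contains(ref, "@") {
		return "", "", errors.New("digest reference has no tag to derive a patched tag from")
	}
	slash := strings.LastIndex(ref, "/")
	colon := strings.LastIndex(ref, ":")
	if colon > slash {
		return ref[:colon], ref[colon+1:], nil
	}
	return ref, "latest", nil
}

// IsPatchedImage is the filtering rule from the feature list: an image whose tag
// ends in "-patch" was produced by this controller and is skipped, which keeps
// the reconcile loop from patching its own output again.
func IsPatchedImage(ref string) bool {
	_, tag, err := splitRef(ref)
	return err == nil && strings.HasSuffix(tag, "-patch")
}

// PatchedRef derives the push target <repo>:<original-tag>-patch.
func PatchedRef(ref string) (string, error) {
	repo, tag, err := splitRef(ref)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s:%s-patch", repo, tag), nil
}

// ToTrivyReport rewrites the report into the Trivy layout. Findings without a
// FixedVersion are dropped: copa can only upgrade a package to a version the
// distribution actually publishes, so unfixable findings would only add noise.
func ToTrivyReport(vr VulnerabilityReport) TrivyReport {
	fixable := make([]TrivyVuln, 0, len(vr.Vulns))
	for _, v := range vr.Vulns {
		if v.FixedVersion == "" {
			continue
		}
		fixable = append(fixable, TrivyVuln{v.ID, v.Package, v.InstalledVersion, v.FixedVersion, v.Severity})
	}
	return TrivyReport{SchemaVersion: 2, ArtifactName: vr.Image, Results: []TrivyResult{{
		Target: vr.Image + " (" + vr.OS + ")", Class: "os-pkgs", Type: vr.OS, Vulnerabilities: fixable,
	}}}
}

// SampleReport is a constructed input; the CVE ids, packages and versions are invented.
func SampleReport() VulnerabilityReport {
	return VulnerabilityReport{Image: "registry.example.com:5000/team/app:1.2.3", OS: "alpine", Vulns: []Vulnerability{
		{ID: "CVE-0000-0001", Package: "openssl", InstalledVersion: "3.1.0-r0", FixedVersion: "3.1.4-r1", Severity: "HIGH"},
		{ID: "CVE-0000-0002", Package: "zlib", InstalledVersion: "1.2.13-r0", FixedVersion: "1.3-r0", Severity: "MEDIUM"},
		{ID: "CVE-0000-0003", Package: "busybox", InstalledVersion: "1.36.0-r0", FixedVersion: "", Severity: "LOW"},
	}}
}

func main() {
	vr := SampleReport()
	if IsPatchedImage(vr.Image) {
		fmt.Println("already patched, skipping")
		return
	}
	target, _ := PatchedRef(vr.Image)
	// The JSON is what the controller would hand to copa as its Trivy report file;
	// target is the reference the patched image is pushed to afterwards.
	out, _ := json.MarshalIndent(ToTrivyReport(vr), "", "  ")
	fmt.Printf("push target: %s\n%s\n", target, out)
}
```

The registry-port handling in splitRef matters in practice: naive `strings.Split(ref, ":")` would mistake `registry.example.com:5000/team/app` for a tagged image and produce a bogus `5000/team/app-patch` target. Dropping digest-only references is deliberate as well, since a `-patch` tag cannot be derived from them and the controller should record that rather than guess.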

Reference

  • Implementation
  • sbomscanner: Provides VulnerabilityReport CRs that contain vulnerability scan results for container images
  • copa: CLI tool that patches container images by applying security updates based on vulnerability reports

This project is part of:

Hack Week 25

Activity

  • 17 days ago: pgonin liked this project.
  • 18 days ago: williamshen liked this project.
  • 18 days ago: pohanhuang originated this project.
