Project Description
The goal of the project is to explore the open source projects that: - generate automatically a sBOM (software Bill Of Materials) of artifacts (VM images / containers). - use the sBOM (or scan the artifact themself) to look for known vulnerabilities.
Goal for this Hackweek
The goal for the week would be to have a clear view of the open source projects in that space. Have some cli tool/ script to automate the sBOM/ vuln report generation for some artifacts.
Resources
None for now...:wink:
Looking for hackers with the skills:
This project is part of:
Hack Week 21
Activity
Similar Projects
vex8s-controller: a kubernetes controller to automatically generate VEX documents of your running workloads by agreggi
Description
vex8s-controller is an add-on for SBOMscanner project.
Its purpose is to automatically generate VEX documents based on the workloads running in a kubernetes cluster. It integrates directly with SBOMscanner by monitoring VulnerabilityReports created for container images and producing corresponding VEX documents that reflect each workload’s SecurityContext.
Here's the workflow explained:
- sbomscanner scans for images in registry
- generates a
VulnerabilityReportwith the image CVEs - vex8s-controller triggers when a workload is scheduled on the cluster and generates a VEX document based on the workload
SecurityContextconfiguration - the VEX document is provided by vex8s-controller using a VEX Hub repository
- sbomscanner configure the VEXHub CRD to point to the internal vex8s-controller VEX Hub repository
Goals
The objective is to build a kubernetes controller that uses the vex8s mitigation rules engine to generate VEX documents and serve them through an internal VEX Hub repository within the cluster.
SBOMscanner can then be configured to consume VEX data directly from this in-cluster repository managed by vex8s-controller.
Resources