Description

The project aims to assess the exploitability of known CVEs within Kubernetes workloads by combining vulnerability classification (CWE) with an analysis of the workload's securityContext.

Goals

It is based on the following concept:

  • Each CVE is categorized into one or more vulnerability classes (CWEs).
  • Each class maps to a set of Kubernetes securityContext settings that can block the exploit or reduce its impact.
  • By parsing a Kubernetes manifest, we can inspect the container's effective securityContext (pod-level settings plus container-level overrides) and evaluate whether the relevant settings are in place.
  • Combining both analyses allows the system to determine whether a CVE is exploitable in a given workload configuration.
  • If the result is that the CVE is mitigated by the configuration, a corresponding statement is added to the final VEX document.

The goal is a flexible tool that reduces false positives when scanning Kubernetes workloads for vulnerabilities.
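The following is an added example of the concept described above; it is illustrative code written for this page, not the vex8s implementation. The CWE-to-securityContext mapping, the placeholder CVE identifier, the product identifier format and the sample manifest are all assumptions made for the example; the manifest is given in JSON (a valid Kubernetes manifest format) so that no YAML library is needed. The VEX output follows the OpenVEX statement shape with the "inline_mitigations_already_exist" justification.

```python
"""Added example (not the vex8s code): CWE -> securityContext checks applied to a
Kubernetes manifest, producing OpenVEX-style statements for mitigated CVEs."""
import json
from typing import Callable, Dict, List, Tuple


def _caps_dropped_all(sc: dict) -> bool:
    return "ALL" in ((sc.get("capabilities") or {}).get("drop") or [])


def _no_priv_escalation(sc: dict) -> bool:
    # Kubernetes always runs privileged containers with privilege escalation
    # allowed, so `privileged: true` overrides `allowPrivilegeEscalation: false`.
    return sc.get("allowPrivilegeEscalation") is False and sc.get("privileged") is not True


# Assumed mapping: CWE class -> securityContext settings that block or reduce impact.
# Each entry is (field, predicate over the effective securityContext, requirement).
# The pairings below are illustrative, not the project's definitive list.
CWE_MITIGATIONS: Dict[str, List[Tuple[str, Callable[[dict], bool], str]]] = {
    "CWE-250": [  # execution with unnecessary privileges
        ("runAsNonRoot", lambda sc: sc.get("runAsNonRoot") is True, "must be true"),
        ("allowPrivilegeEscalation", _no_priv_escalation, "must be false (and not privileged)"),
    ],
    "CWE-269": [  # improper privilege management
        ("privileged", lambda sc: sc.get("privileged") is not True, "must not be true"),
        ("capabilities.drop", _caps_dropped_all, "must contain ALL"),
    ],
    "CWE-22": [  # path traversal (write side is blocked by a read-only root fs)
        ("readOnlyRootFilesystem", lambda sc: sc.get("readOnlyRootFilesystem") is True, "must be true"),
    ],
}

# Subset of pod-level securityContext fields a container inherits unless it sets them itself.
POD_INHERITED = ("runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile")


def pod_spec(manifest: dict) -> dict:
    """PodSpec of a bare Pod, or of the pod template in a Deployment/StatefulSet/etc."""
    spec = manifest.get("spec") or {}
    return (spec.get("template") or {}).get("spec") or spec


def effective_security_context(pod: dict, container: dict) -> dict:
    """Merge the inherited pod-level fields with the container's own (container wins)."""
    pod_sc = pod.get("securityContext") or {}
    sc = {k: v for k, v in pod_sc.items() if k in POD_INHERITED}
    sc.update(container.get("securityContext") or {})
    return sc


def evaluate(manifest: dict, cwe_classes: List[str]) -> Dict[str, dict]:
    """For every container, list the mapped settings that are NOT in place.
    The CVE counts as mitigated in a container only when every one of its CWE
    classes has all of its settings satisfied; a class with no mapping is
    conservatively treated as not mitigated, so the CVE stays reported."""
    pod = pod_spec(manifest)
    report = {}
    for container in pod.get("containers", []):
        sc = effective_security_context(pod, container)
        unmet = []
        for cwe in cwe_classes:
            checks = CWE_MITIGATIONS.get(cwe)
            if checks is None:
                unmet.append(f"{cwe}: no mapped securityContext mitigation")
                continue
            unmet += [f"{cwe}: {field} {why}" for field, ok, why in checks if not ok(sc)]
        report[container["name"]] = {"mitigated": not unmet, "unmet": unmet}
    return report


def vex_statements(cve_id: str, product: str, report: Dict[str, dict]) -> List[dict]:
    """OpenVEX-shaped 'not_affected' statements for containers where the CVE is mitigated.
    The product identifier format (product#container) is an assumption for the example."""
    return [
        {
            "vulnerability": {"name": cve_id},
            "products": [{"@id": f"{product}#{name}"}],
            "status": "not_affected",
            "justification": "inline_mitigations_already_exist",
            "impact_statement": f"securityContext of container {name} blocks the mapped CWE classes",
        }
        for name, r in report.items()
        if r["mitigated"]
    ]


# Constructed sample manifest: a Deployment with one hardened and one privileged container.
SAMPLE_MANIFEST = json.loads("""
{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "demo"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": true},
    "containers": [
      {"name": "api", "image": "example/api:1.0",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]}}},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"privileged": true}}
    ]}}}
}
""")

# Placeholder CVE identifier and CWE classes for the example (not a real advisory).
EXAMPLE_CVE = "CVE-EXAMPLE-0001"
EXAMPLE_CWES = ["CWE-250", "CWE-22"]


def run_example() -> Dict[str, dict]:
    return evaluate(SAMPLE_MANIFEST, EXAMPLE_CWES)


if __name__ == "__main__":
    report = run_example()
    print(json.dumps(report, indent=2))
    print(json.dumps(vex_statements(EXAMPLE_CVE, "pkg:oci/demo", report), indent=2))
```

Running it marks the CVE as mitigated for the api container (VEX statement emitted) and leaves it reported for the sidecar, whose privileged flag defeats allowPrivilegeEscalation and whose root filesystem is writable. Two design points worth keeping in a real implementation: the evaluation has to be done on the effective securityContext (pod-level fields merged with container-level overrides), and an unmapped CWE must fail closed so that the scanner's finding is never suppressed without a known mitigation.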

Resources

https://github.com/alegrey91/vex8s

This project is part of:

Hack Week 25

Activity

  • about 4 hours ago: agreggi started this project.
  • about 5 hours ago: agreggi originated this project.
