Support verifying vulnerability reports of a container image at admission #1096

Closed
yizha1 opened this issue Sep 25, 2023 · 0 comments · Fixed by #1173
Labels
enhancement New feature or request

Comments

yizha1 (Collaborator) commented Sep 25, 2023

What would you like to be added?

Vulnerability reports for a container image are documents that record all the vulnerabilities found in the image during a vulnerability assessment scan. These reports provide a detailed list of the vulnerabilities indexed by severity and often include suggestions for fixing them. Vulnerability reports are essential for vulnerability management and help organizations understand the security risks. The vulnerability report can be in SARIF format. Ratify should support verifying vulnerability reports and provide data for the admission policy to make a decision.

Besides vulnerability reports, Ratify should support evaluating VEX (Vulnerability Exploitability eXchange) documents, which allow software producers to classify and label the vulnerabilities in their software. VEX is a form of security advisory that indicates whether a product or products are affected by a known vulnerability or vulnerabilities. It provides clarity on the vulnerabilities that pose risk and the ones that do not.

Scenario-1: Users can define an admission policy that can verify the integrity and authenticity of a vulnerability report during deployment. This policy can audit and prevent vulnerability report evaluation if the report is not signed.

Scenario-2: Users can define an admission policy that can evaluate the vulnerability report during deployment. This policy can audit and prevent image deployment if the latest report is older than days.

Scenario-3: Users can define an admission policy that can evaluate the vulnerability report during deployment. This policy can audit and prevent image deployment if specific vulnerabilities are found in the latest report. The VEX document, if available, can be used to filter false positives from the report.

Scenario-4: Users can define an admission policy that can evaluate the vulnerability report during deployment. This policy can audit and prevent image deployment if the number of critical or high-level vulnerabilities in the latest report does not meet the SLA. The VEX document, if available, can be used to filter false positives from the report.

Anything else you would like to add?

Detailed experience will be updated later.

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
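The four scenarios above, as an added example that is not part of this issue or of Ratify's own code: a small policy evaluator over a constructed SARIF-like report and OpenVEX-like statements, covering report age (scenario 2), a blocklist of specific ids (scenario 3) and a critical/high SLA after VEX filtering (scenario 4). The report, VEX statements, policy values and CVE ids are all made up for the example, and scenario 1 (report signature verification) is assumed to have passed before this logic runs.

```python
from datetime import datetime, timedelta

# Constructed sample report in a SARIF-like shape; the ids and dates are made up.
REPORT = {
    "createdAt": "2023-09-20T00:00:00Z",
    "runs": [{"results": [
        {"ruleId": "CVE-2023-0001", "properties": {"severity": "critical"}},
        {"ruleId": "CVE-2023-0002", "properties": {"severity": "high"}},
        {"ruleId": "CVE-2023-0003", "properties": {"severity": "high"}},
        {"ruleId": "CVE-2023-0004", "properties": {"severity": "medium"}},
    ]}],
}
# Constructed VEX statements in an OpenVEX-like shape. Only "not_affected" and
# "fixed" suppress a finding; "under_investigation" leaves it in the report.
VEX = {"statements": [
    {"vulnerability": {"name": "CVE-2023-0001"}, "status": "not_affected"},
    {"vulnerability": {"name": "CVE-2023-0003"}, "status": "under_investigation"},
]}
# Policy knobs for scenarios 2, 3 and 4 (values chosen for this example).
POLICY = {"max_age_days": 7, "blocked": ["CVE-2023-0002"], "max_critical": 0, "max_high": 1}

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def applicable_findings(report, vex):
    """Return (cve_id, severity) pairs that survive VEX filtering."""
    suppressed = {s["vulnerability"]["name"] for s in vex.get("statements", [])
                  if s["status"] in ("not_affected", "fixed")}
    return [(r["ruleId"], r["properties"]["severity"].lower())
            for run in report["runs"] for r in run["results"]
            if r["ruleId"] not in suppressed]

def evaluate(report, vex, policy, now):
    """Return the policy violations; an empty list means the image may be admitted."""
    violations = []
    if now - parse_ts(report["createdAt"]) > timedelta(days=policy["max_age_days"]):
        violations.append(f"latest report is older than {policy['max_age_days']} days")
    findings = applicable_findings(report, vex)
    for cve, _ in findings:
        if cve in policy["blocked"]:
            violations.append(f"blocked vulnerability present: {cve}")
    critical = sum(1 for _, sev in findings if sev == "critical")
    high = sum(1 for _, sev in findings if sev == "high")
    if critical > policy["max_critical"] or high > policy["max_high"]:
        violations.append(f"{critical} critical / {high} high findings exceed SLA "
                          f"of {policy['max_critical']}/{policy['max_high']}")
    return violations

def run_sample(now="2023-09-25T00:00:00Z"):
    # Evaluate the constructed sample at the given admission time.
    return evaluate(REPORT, VEX, POLICY, parse_ts(now))
```

With the sample data, the VEX statement removes the critical finding, the blocklisted id and the two remaining high findings still fail the policy, and moving the admission time past the age limit adds a third violation.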
@yizha1 yizha1 added enhancement New feature or request triage Needs investigation labels Sep 25, 2023
@akashsinghal akashsinghal self-assigned this Sep 25, 2023
@luisdlp luisdlp added this to the v1.1.0-beta.0 milestone Sep 27, 2023
@luisdlp luisdlp removed the triage Needs investigation label Sep 27, 2023
3 participants