Skip to content
/ starboard-aqua-csp-webhook Public

The image scan results webhook configurable in Aqua CSP management console to integrate with the Starboard tool kit.

github.com/aquasecurity/starboard

License

Apache-2.0 license
5 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

aquasecurity/starboard-aqua-csp-webhook

BranchesTags

Repository files navigation

build

Starboard Aqua CSP Webhook

This webhook is the image scan results webhook configurable in Aqua CSP management console to integrate with the Starboard tool kit.

TOC

Getting started

  1. Build Docker image:

    $ make docker-build

  2. Deploy webhook on Kubernetes in the starboard namespace:

    $ kubectl apply -f ./kube/webhook.yaml

  3. Create custom resource definitions used by Starboard:

    $ kubectl starboard init

    or

    $ export GOPRIVATE=github.com/aquasecurity/starboard
$ kubectl apply -f https://github.com/aquasecurity/k8s-security-crds/blob/master/kube/crd/vulnerabilities-crd.yaml

  4. Configure Starboard webhook in Aqua CSP management console:

How does it work?

The webhook transforms received scan report to an instance of the vulnerabilities.aquasecurity.github.com resource and saves it in the starboard namespace. The name of the resource is the image digest.

$ kubectl get vulnerabilities -n starboard
NAME                                                                      AGE
sha256.ef74351b551c96630769bf9278845bcf7f71417850f0b3d240d99003573200cd   10s

apiVersion: aquasecurity.github.com/v1alpha1
kind: Vulnerability
metadata:
  name: sha256.ef74351b551c96630769bf9278845bcf7f71417850f0b3d240d99003573200cd
  namespace: starboard
report:
  generatedAt: "2020-04-17T18:44:37Z"
  scanner:
    name: Aqua CSP
    vendor: Aqua Security
  summary:
    criticalCount: 14
    highCount: 2
    lowCount: 7
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
  - description: runuser in util-linux allows local users to escape to the parent
      session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's
      input buffer.
    fixedVersion: ""
    installedVersion: 2.29.2-1+deb9u1
    links:
    - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2779
    - https://security-tracker.debian.org/tracker/CVE-2016-2779
    resource: "runuser"
    severity: CRITICAL
    vulnerabilityID: CVE-2016-2779

Configuration

Configuration of the webhook is done via environment variables at startup.

Name Default Description
STARBOARD_WEBHOOK_LOG_LEVEL info The log level of trace, debug, info, warn, warning, error, fatal or panic. The standard logger logs entries with that level or anything above it.
STARBOARD_WEBHOOK_API_ADDR :4000 Binding address for the API server
STARBOARD_WEBHOOK_STARBOARD_NAMESPACE starboard Starboard namespace

License

This repository is available under the Apache License 2.0.

About

The image scan results webhook configurable in Aqua CSP management console to integrate with the Starboard tool kit.

github.com/aquasecurity/starboard

Topics

webhook poc starboard aqua-csp

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

5 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages