
Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s

Scanning applications and code for vulnerabilities is a standard practice. But why stop there? Aqua wanted to bring to Kubernetes the same level of security.
Dec 4th, 2023 12:16pm by

Kubernetes, often dubbed the “operating system of the cloud,” is a complex and critical piece of infrastructure in modern cloud native environments. Ensuring its security is paramount, given its intricate composition. In order for organizations to better understand the components within their Kubernetes environment and to substantially reduce risk, Aqua Security’s Trivy open source security scanner has introduced the Kubernetes Bill of Materials (KBOM).

The Gap in Kubernetes Security

Traditionally, Kubernetes security tools focused on misconfiguration and hardening. Standards for Kubernetes security were developed, such as Kubernetes’ Pod Security Policy, CIS’s Benchmark for Kubernetes, NSA/CISA’s Kubernetes Hardening Guide, and more. Aqua Security also released the open source cluster assessment tool “kube-bench,” which is incredibly popular. However, a significant gap persisted in assessing vulnerabilities within Kubernetes clusters themselves. This is particularly crucial given Kubernetes’ central role in cloud infrastructure.

The Rise of SBOM

While vulnerability scanning for Kubernetes clusters was neglected, scanning of application code and artifacts was flourishing. The practice evolved over time and peaked with the popularization of the software bill of materials (SBOM) a couple of years ago. As a veteran in vulnerability scanning, Aqua Security was already leveraging the principles behind SBOMs in our offerings, but the standardization and interoperability that SBOMs brought to the industry truly signaled the maturity of the vulnerability assessment practice. Today, scanning your applications and code for vulnerabilities is a standard practice. But why stop there? We wanted to bring to Kubernetes the same level of acceptance and adoption that SBOMs enjoy in the application domain.

Introducing KBOM

By analyzing your Kubernetes cluster with KBOM, Trivy generates a comprehensive manifest of all components used in it. KBOM is analogous to an SBOM, but where an SBOM describes workloads, KBOM describes the Kubernetes cluster’s own composition. Which kubelet are you running on which node? What kind of container network interface (CNI) are you using? These are questions that KBOM was designed to answer.

Kubernetes is a complex system with many moving parts that are sometimes separately installed and configured. A Kubernetes distribution bundles select core Kubernetes components with additional necessary components to create a usable Kubernetes cluster. Accurately mapping the composition of a Kubernetes cluster not only helps a user, developer or cluster admin in maintaining the system, but also paves the way for accurate vulnerability assessments.

KBOM for Vulnerabilities

Built on the foundations of KBOM, Trivy can now offer a full vulnerability assessment of Kubernetes clusters and their core components. This leverages the official Kubernetes CVE feed, which is curated by Aqua Security to make it compatible with KBOM. This marks a significant step forward in providing full-fledged Kubernetes security.
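As an added example (not code from this article or from the Trivy project), the script below shows the two steps the last two sections describe: it parses a constructed CycloneDX-style KBOM that records which kubelet version runs on which node and which CNI is installed, then matches each component's version against a small constructed advisory list with half-open affected ranges. The document layout, the `k8s.io/...` component names, the `node` property, and the `EXAMPLE-ADV-*` identifiers are all assumptions and placeholders, not Trivy's real output or entries from the Kubernetes CVE feed.

```python
"""Added example: parse a CycloneDX-style KBOM and match its components
against an advisory list. All data below is constructed for illustration;
component names, versions and advisory IDs are placeholders, not from a
real cluster or the real Kubernetes CVE feed."""
import json
from collections import defaultdict
from typing import Iterator

# Constructed sample KBOM shaped like a CycloneDX 1.5 document. A "node"
# property is attached to per-node components such as the kubelet.
SAMPLE_KBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "platform", "name": "k8s.io/kubernetes", "version": "v1.27.3"},
        {"type": "application", "name": "k8s.io/kube-apiserver", "version": "v1.27.3"},
        {"type": "application", "name": "k8s.io/kubelet", "version": "v1.27.3",
         "properties": [{"name": "node", "value": "control-plane-0"}]},
        {"type": "application", "name": "k8s.io/kubelet", "version": "v1.26.1",
         "properties": [{"name": "node", "value": "worker-1"}]},
        {"type": "application", "name": "example.org/cni-plugin", "version": "0.9.2"},
    ],
})

# Constructed advisories (placeholder IDs) with affected range [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "k8s.io/kubelet",
     "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-ADV-0002", "component": "k8s.io/kube-apiserver",
     "introduced": "1.27.0", "fixed": "1.27.5"},
]


def parse_version(text: str) -> tuple:
    """Turn 'v1.27.3' or '1.27.3' into a comparable tuple (1, 27, 3)."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def iter_components(kbom_text: str) -> Iterator[dict]:
    """Yield flattened component records from a CycloneDX JSON document."""
    doc = json.loads(kbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    for comp in doc.get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        yield {
            "name": comp["name"],
            "version": comp["version"],
            "type": comp.get("type", "unknown"),
            "node": props.get("node"),
        }


def version_drift(kbom_text: str) -> dict:
    """Components present in more than one version across the cluster,
    e.g. a kubelet on one node that was not upgraded with the others."""
    seen = defaultdict(set)
    for comp in iter_components(kbom_text):
        seen[comp["name"]].add(comp["version"])
    return {name: sorted(versions) for name, versions in seen.items() if len(versions) > 1}


def match_advisories(kbom_text: str, advisories: list) -> list:
    """Report each component whose version falls inside an advisory's
    affected range; one finding per (component instance, advisory) pair."""
    findings = []
    for comp in iter_components(kbom_text):
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "node": comp["node"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for name, versions in version_drift(SAMPLE_KBOM).items():
        print(f"version drift: {name} runs as {', '.join(versions)}")
    for f in match_advisories(SAMPLE_KBOM, SAMPLE_ADVISORIES):
        where = f" on node {f['node']}" if f["node"] else ""
        print(f"{f['advisory']}: {f['component']} {f['version']}{where} (fixed in {f['fixed_in']})")
```

Two points the sample is built to show: the kubelet on `worker-1` lags the control plane, so it is reported both as version drift and as the only kubelet instance inside the advisory range, and the per-node property is what lets a finding name the node rather than just the component. With Trivy itself, my understanding (check `trivy k8s --help` for the installed version, as this is from memory rather than from the article) is that the KBOM is produced with `trivy k8s --format cyclonedx --output kbom.cdx.json cluster` and then scanned with `trivy sbom kbom.cdx.json`; the advisory matching above stands in for that second step.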

Figure 1: Trivy found vulnerabilities in Kubernetes component api-server

Closing the Gap

If we think about Kubernetes as the “operating system of the cloud,” we hold it to the same standards as other operating systems when it comes to security and vulnerabilities. Trivy is already the prominent vulnerability scanner for existing operating systems, and with its recent addition of KBOM and Kubernetes vulnerability scanning, it’s completing another important milestone.

Join the Trivy community and star it on GitHub.

TNS owner Insight Partners is an investor in: Aqua Security.