Unpacking Open Source Security in Public Repos & Registries
Craig Box, VP OSS, and Ben Hirschberg, CTO

who_am_i
Ben Hirschberg (slashben81, Ben- point_)
- Co-founder & CTO, ARMO
- Kubescape maintainer
- Whitehat in the past (unofficially still ;-)
- Fluent in Hebrew, Hungarian, C, ASM and Go (not English)
- Contributor in CNCF + organizer of CNCF Jerusalem
- Father of 4

Kubescape is here to tell you what's wrong
- With YAML/Helm charts in your Git repositories and CI processes
- In your clusters
- In your container registries
More important: it tells you how to fix the issues and how to prioritize them.

ARMO Platform is a cloud service that (among other things) stores Kubescape (KS) results:
- Security issues
- Vulnerabilities
- Git repositories
- Container registries

The sample
- 179 registries
- 43,539 images
- 1,914 repositories
- 164,887 files scanned

Container image scans
- Comparing the whole sample to the sub-sample of graduated projects
- Reviewing the distribution of severities
- Reviewing top CVEs in both
- Time of publishing fixes
- Relevancy

Image repos with most scans in the general sample
Image repo                                               # workload image scans
quay.io/argoproj/argocd                                  19,426
docker.io/bitnami/redis                                  13,308
quay.io/argoproj/argoexec                                11,427
quay.io/prometheus-operator/prometheus-config-reloader   11,275
quay.io/kiwigrid/k8s-sidecar                              6,581
quay.io/prometheus/prometheus                             6,390
docker.io/bitnami/mongodb                                 6,312
quay.io/prometheus/node-exporter                          5,569
gcr.io/datadoghq/agent                                    5,404

Image tags with most scans in the graduated sample
Image repo                                               # workload image scans
quay.io/argoproj/argocd                                  19,426
quay.io/argoproj/argoexec                                11,427
quay.io/prometheus-operator/prometheus-config-reloader   11,275
quay.io/prometheus/prometheus                             6,390
quay.io/prometheus/node-exporter                          5,569
quay.io/prometheus/alertmanager                           4,172
quay.io/prometheus-operator/prometheus-operator           4,088
registry.k8s.io/kube-proxy                                3,530
registry.k8s.io/kube-state-metrics/kube-state-metrics     3,0
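The analysis outlined on the "Container image scans" slide (ranking image repos by scan count, comparing the whole sample to the graduated sub-sample, the severity distribution, top CVEs in both, and time from CVE publication to a published fix) as an added Python example. This is not Kubescape or ARMO code and does not read their result format; the scan records, registry and image names, and the CVE identifiers (year 0000) are constructed for the example, and the `graduated` flag on each scan is an assumed label.

```python
"""Aggregate container-image scan results into the comparison the slides describe.

Added example, not Kubescape/ARMO code. Every record below is constructed:
hypothetical registries and images, and synthetic CVE IDs (CVE-0000-*).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass(frozen=True)
class Finding:
    cve: str                 # synthetic ID (year 0000); not a real CVE
    severity: str
    published: date          # CVE publication date
    fixed: Optional[date]    # first date a fixed image was available; None = still unfixed


@dataclass(frozen=True)
class Scan:
    image_repo: str          # registry/namespace/name, without the tag
    tag: str
    graduated: bool          # image belongs to a graduated project (assumed label)
    findings: tuple          # Finding objects reported for this scan


# Constructed sample data (hypothetical images, synthetic CVEs).
F1 = Finding("CVE-0000-0001", "Critical", date(2023, 1, 10), date(2023, 1, 20))
F2 = Finding("CVE-0000-0002", "High", date(2023, 2, 1), None)
F3 = Finding("CVE-0000-0003", "Medium", date(2023, 3, 5), date(2023, 3, 6))
F4 = Finding("CVE-0000-0004", "Low", date(2023, 4, 1), date(2023, 5, 1))

SAMPLE = (
    Scan("registry.example/graduated/api", "v1.0", True, (F1, F2)),
    Scan("registry.example/graduated/api", "v1.1", True, (F2,)),
    Scan("registry.example/graduated/api", "v1.2", True, ()),
    Scan("registry.example/sandbox/worker", "1.0", False, (F1, F3, F4)),
    Scan("registry.example/sandbox/worker", "1.1", False, (F3, F2)),
    Scan("registry.example/graduated/agent", "2.0", True, (F4,)),
)


def subsample(scans, graduated_only):
    """Whole sample, or only scans of graduated-project images."""
    return [s for s in scans if s.graduated or not graduated_only]


def top_repos(scans, n=5):
    """Image repos ranked by number of workload image scans (the slides' table)."""
    return Counter(s.image_repo for s in scans).most_common(n)


def severity_distribution(scans):
    """Findings per severity across all scans, in fixed severity order."""
    counts = Counter(f.severity for s in scans for f in s.findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def top_cves(scans, n=5):
    """CVEs ranked by how many scans report them (a CVE counts once per scan)."""
    return Counter(f.cve for s in scans for f in set(s.findings)).most_common(n)


def fix_latency(scans):
    """Median days from CVE publication to the first fixed image, plus the share
    of CVEs still unfixed. Each CVE is counted once, however many scans report it."""
    unique = {f.cve: f for s in scans for f in s.findings}
    fixed_days = [(f.fixed - f.published).days for f in unique.values() if f.fixed]
    unfixed = sum(1 for f in unique.values() if f.fixed is None)
    return {
        "median_days_to_fix": median(fixed_days) if fixed_days else None,
        "unfixed_share": unfixed / len(unique) if unique else 0.0,
    }


def report(scans=SAMPLE):
    """Whole sample vs. graduated sub-sample, with the metrics the slides list."""
    out = {}
    for name, only_grad in (("all", False), ("graduated", True)):
        sub = subsample(scans, only_grad)
        out[name] = {
            "scans": len(sub),
            "top_repos": top_repos(sub),
            "severities": severity_distribution(sub),
            "top_cves": top_cves(sub),
            **fix_latency(sub),
        }
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

Two choices matter for the numbers: a CVE is counted once per scan when ranking CVEs (otherwise one image with many tags dominates), and once overall when measuring fix latency, so the same CVE in a hundred scans does not shift the median.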