Security in the Kubernetes era

In the Kubernetes era we use images. They are not pictures; they are more like small, self-contained computers.

Images consist of something like an operating system, plus the actual application code. Both the operating system and the application are made of code, and code has vulnerabilities. So there are two places to look for vulnerabilities.

Okay, so we check whether the operating system has vulnerabilities, and whether the code has vulnerabilities. The code can have vulnerabilities in the libraries it depends on, in the code you wrote yourself, or in the standard library of the programming language. But this is still all just code. Here is the list:

  1. Vulnerabilities in the operating system
  2. Vulnerabilities in the programming language
  3. Vulnerabilities in the dependencies
  4. Vulnerabilities in your own code

There are databases of publicly known vulnerabilities: Common Vulnerabilities and Exposures (CVE) databases. The first two items will be covered by these databases, and probably the third if it's a well-known library. Vulnerabilities in your own code are not publicly known.

Okay, so you have your image. You scan it with a tool that uses CVE databases. It will find vulnerabilities in 1, 2 and some of 3. Then you need a tool that finds vulnerabilities in your own codebase, and preferably one that also finds vulnerabilities in dependencies that are not in the CVE databases. Here is one that does it all.

What do you do when you find a vulnerability? If it's a CVE, check whether it's been fixed in a newer version; if so, upgrade to that. If it's in your own code, fix the problem. An example of a vulnerability is a Structured Query Language (SQL) injection.


Trivy solves the CVE stuff: you scan your image and that gives you 1, 2 and most of 3. This is what Trivy checks for. Then you scan your own code using something like GitHub Code Security, which checks for this, i.e. 2, 3 and 4 I think. Ignore everything in the GitHub results except vulnerabilities in your own code, and ignore findings in development code that isn't part of the image.
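As an added example (not part of this post), here is a small Python triage script that takes a `trivy image --format json` report and sorts findings the way described above: findings with a fixed version go on the upgrade list, findings without one get tracked until a fix ships. The report embedded below is constructed in the shape of Trivy's JSON output, with placeholder package names and CVE ids; Trivy's `Class` field is used to map each finding back to item 1 or 3 of the list.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `trivy image --format json` output. The field
# names (Results, Target, Class, Vulnerabilities, VulnerabilityID, PkgName,
# InstalledVersion, FixedVersion, Severity) are Trivy's; package names,
# versions and CVE ids are made-up placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "example-image (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib",
         "InstalledVersion": "2.1.0", "FixedVersion": "2.1.3", "Severity": "CRITICAL"}]},
]})

# Trivy's Class says which item of the list a finding belongs to:
# OS packages are item 1, language packages (pip, npm, ...) are item 3.
BUCKET = {"os-pkgs": "1. operating system", "lang-pkgs": "3. dependencies"}
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def triage(report_json, min_severity="HIGH"):
    """Return (upgrade, unfixed): upgrade maps (bucket, package, installed
    version) to the fixed versions to move to; unfixed lists (bucket,
    package, CVE id) for findings you can only track until a fix ships."""
    threshold = SEVERITIES.index(min_severity)
    upgrade, unfixed = defaultdict(set), []
    for result in json.loads(report_json).get("Results", []):
        bucket = BUCKET.get(result.get("Class"), "other")
        # Vulnerabilities is null in Trivy's output when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITIES.index(vuln.get("Severity", "UNKNOWN")) < threshold:
                continue
            fixed = vuln.get("FixedVersion", "")
            if fixed:  # several candidate fixed versions come comma-separated
                key = (bucket, vuln["PkgName"], vuln["InstalledVersion"])
                upgrade[key].update(v.strip() for v in fixed.split(","))
            else:
                unfixed.append((bucket, vuln["PkgName"], vuln["VulnerabilityID"]))
    return dict(upgrade), unfixed

if __name__ == "__main__":
    fixable, pending = triage(SAMPLE_REPORT, min_severity="LOW")
    for (bucket, pkg, installed), versions in fixable.items():
        print(f"upgrade {pkg} {installed} -> {sorted(versions)} ({bucket})")
    for bucket, pkg, cve in pending:
        print(f"no fix yet: {cve} in {pkg} ({bucket})")
```

Feed it a real report with `trivy image --format json -o report.json <image>` and read `report.json` in place of `SAMPLE_REPORT`; the "upgrade" list is what you bump, the "no fix yet" list is what you note down in an issue.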

It's nice to get a PR that removes the vulnerability for you. Or an issue with the details. Example issues: