
New User Guide

Overview

Security Emphasis

Security is a foundational principle of Kube CINC Secure Scanner. This guide establishes secure practices from the beginning, ensuring your implementation follows security best practices from day one.

This learning path guides you through setting up and using Kube CINC Secure Scanner for the first time. By completing this path, you will understand how to deploy the scanner, run your first security scan, and interpret the results while maintaining a strong security posture.

Time to complete: 45-60 minutes

Target audience: New users, DevOps engineers, Security professionals

Security level: Basic

Prerequisites

  • A running Kubernetes cluster (minikube, kind, or production cluster)
  • kubectl configured to access your cluster
  • Basic understanding of Kubernetes concepts (pods, deployments, namespaces)

Kubernetes Setup

If you don't have a Kubernetes cluster set up, follow our Minikube Setup Guide to create a local environment. For existing clusters, check our Existing Cluster Requirements to ensure compatibility.

Learning Path Steps

Step 1: Environment Setup

Security Consideration

Always use separate namespaces for scanner components to implement proper isolation and follow the principle of least privilege.

In this step, you'll set up your environment to run Kube CINC Secure Scanner.

Clone Repository

git clone https://github.com/mitre/kube-secure-scanner.git
cd kube-secure-scanner

Set Up Minikube

./kubernetes-scripts/setup-minikube.sh

Verify Setup

kubectl get pods -A

Estimated time: 10 minutes

Success criteria: Minikube is running and you can see pods in the kube-system namespace.


Step 2: Understanding Scanner Approaches

Security Consideration

Different scanning approaches have different security implications. Understanding these is crucial for making appropriate implementation decisions.

Kube CINC Secure Scanner supports multiple approaches for scanning containers:

Documentation

Review the approaches documentation:

Scanning Approaches

Kubernetes API Approach

  • Most common approach
  • Uses train-k8s-container transport
  • Best for standard containers

Process Namespace Sharing

  • Enhanced isolation
  • Requires pod modifications
  • Works with any container type

Ephemeral Container Approach

  • Designed for distroless containers
  • Requires K8s 1.16+ with ephemeral containers
  • No changes to target containers

Estimated time: 15 minutes

Success criteria: You can explain the different scanning approaches and their security implications.


Step 3: Running Your First Scan

Security Consideration

Start with scanning in a non-production environment until you're comfortable with the process and have validated the security implications.

Now you'll run your first container security scan:

  1. Create a test pod:
     kubectl apply -f test-pod.yaml
  2. Wait for the pod to be ready:
     kubectl get pods
  3. Run a scan using the standard approach:
     ./kubernetes-scripts/scan-container.sh default test-pod test-container examples/cinc-profiles/container-baseline
  4. Review the scan results:
     # Results are stored in JSON format
     cat results/container-scan-results.json

Estimated time: 15 minutes

Success criteria: You've successfully scanned a container and can view the security assessment results.


Step 4: Understanding Scan Results

Security Consideration

Learn to interpret results correctly to avoid false negatives that could leave vulnerabilities unaddressed.

  1. Open and examine the scan results:
     • Identify the controls that passed and failed
     • Understand the severity levels
     • Note recommendations for remediation
  2. Learn about thresholds and how they're used to determine scan pass/fail:
     • Basic Thresholds
     • Advanced Thresholds

Estimated time: 10 minutes

Success criteria: You can interpret scan results and understand what actions might be needed to address findings.
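
An added example (not part of the Kube CINC Secure Scanner project) of reading a results file such as results/container-scan-results.json. It assumes the file follows the CINC Auditor/InSpec JSON reporter layout (profiles, controls, impact, results); the sample report, the gate() thresholds and all function names are constructed for illustration. Controls whose tests were all skipped, or that produced no results, are reported as not run rather than passed, which is the false-negative case named above.

```python
import json

# Constructed sample in the shape of the InSpec/CINC Auditor JSON reporter;
# it is not output from a real scan.
SAMPLE = json.dumps({"profiles": [{"name": "container-baseline", "controls": [
    {"id": "c-01", "impact": 0.7, "results": [{"status": "passed"}, {"status": "failed"}]},
    {"id": "c-02", "impact": 0.5, "results": [{"status": "passed"}]},
    {"id": "c-03", "impact": 1.0, "results": [{"status": "skipped"}]},
    {"id": "c-04", "impact": 0.3, "results": []},
]}]})

def severity(impact):
    """Map a control's impact (0.0-1.0) to the usual InSpec severity bands."""
    for floor, name in ((0.9, "critical"), (0.7, "high"), (0.4, "medium"), (0.01, "low")):
        if impact >= floor:
            return name
    return "none"

def control_status(results):
    """A control passes only if at least one test ran and none failed."""
    statuses = [r.get("status") for r in results]
    if "failed" in statuses:
        return "failed"
    if "passed" in statuses:
        return "passed"
    return "not_run"  # all skipped, or no results at all: never count as a pass

def summarize(report_json):
    """Return (compliance %, rows of (id, severity, status)) across all profiles."""
    rows = []
    for profile in json.loads(report_json).get("profiles", []):
        for c in profile.get("controls", []):
            rows.append((c["id"], severity(c.get("impact", 0.0)),
                         control_status(c.get("results", []))))
    passed = sum(1 for r in rows if r[2] == "passed")
    pct = round(100.0 * passed / len(rows), 1) if rows else 0.0
    return pct, rows

def gate(report_json, min_compliance=70.0, max_failed_high=0):
    """Hypothetical threshold: minimum compliance plus a cap on failed high/critical controls."""
    pct, rows = summarize(report_json)
    failed_high = [r[0] for r in rows if r[2] == "failed" and r[1] in ("high", "critical")]
    not_run = [r[0] for r in rows if r[2] == "not_run"]
    # An empty report (no controls executed) must not pass the gate.
    ok = bool(rows) and pct >= min_compliance and len(failed_high) <= max_failed_high
    return {"ok": ok, "compliance": pct, "failed_high": failed_high, "not_run": not_run}

if __name__ == "__main__":
    print(gate(SAMPLE))
```

To run it on a real scan, pass the file contents to gate() in place of SAMPLE.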


Security Considerations

This section provides a comprehensive overview of security considerations for new users:

  • Always use the principle of least privilege when configuring RBAC for the scanner
  • Consider using namespaces to isolate scanner components from your application
  • Evaluate the security implications of each scanning approach before implementation
  • Ensure scan results are securely stored and not exposed to unauthorized users
  • Consider integrating scanning into your CI/CD pipeline for continuous security assessment

Compliance Relevance

This learning path helps address the following compliance requirements:

  • Container Security - Establishes a foundation for systematic container security assessment
  • Configuration Compliance - Helps identify misconfigurations that could violate compliance requirements
  • Continuous Monitoring - Sets up a process for ongoing security monitoring

Next Steps

After completing this learning path, consider: