Container Security Scanning Roadmap

This document outlines the completed components and future development plans for our Kubernetes container security scanning solution.

Completed Components

Core Infrastructure

  • RBAC Configuration

    • Least-privilege role-based access
    • Service account setup
    • Token management
    • Both resource-name and label-based access
  • Scanning Scripts

    • scan-container.sh for standard containers
    • scan-distroless-container.sh for distroless containers (with placeholders)
    • generate-kubeconfig.sh for credential management
    • setup-minikube.sh for local testing
  • Initial Distroless Container Support

    • Proof of concept for distroless scanning with ephemeral containers
    • Documentation of distroless container challenges and approaches
    • Support in setup-minikube.sh with --with-distroless flag
    • Distroless Helm chart with ephemeral container configuration
  • Kubernetes Resources

    • Namespace configuration
    • Test pods for demonstration
    • ServiceAccount and Role templates
    • RoleBinding templates

Helm Chart Implementation

  • Modular Chart Structure

    • scanner-infrastructure: Core RBAC, service accounts, tokens
    • common-scanner: Common scanning components and utilities
    • standard-scanner: Standard container scanning
    • distroless-scanner: Distroless container scanning with ephemeral containers
  • Chart Features

    • Proper dependencies between charts
    • ConfigMaps for scripts and utilities
    • Well-documented values.yaml
    • README files for each chart
  • Helper Utilities

    • install-all.sh for easy deployment
    • Example values for different environments
    • SAF CLI integration in charts

Documentation

  • Core Documentation

    • Project overview and architecture
    • RBAC and service account setup
    • Token management
    • SAF CLI integration guide
  • Integration Guides

    • GitHub Actions workflows
    • GitLab CI pipelines
    • SAF CLI threshold configuration
    • Helper scripts vs. direct commands

CI/CD Integration

  • GitHub Actions

    • Basic setup and scan workflow
    • Dynamic RBAC scanning workflow
    • CI/CD pipeline workflow
  • GitLab CI

    • Complete pipeline example
    • Multi-stage process with cleanup

Planned Components

Distroless Container Scanning (Dual Approach Demonstration)

  • Approach 1: Modified train-k8s-container Plugin (Enterprise Solution)

    • Fork and modify the train-k8s-container plugin for native distroless support
    • Add ephemeral container detection and fallback
    • Implement direct filesystem access through debug container
    • Modify connection and exec client classes
    • Create streamlined user experience with consistent commands
  • Approach 2: CINC Auditor in Debug Container (Working Prototype)

    • Create initial script with placeholder code (scan-distroless-container.sh)
    • Document the approach for ephemeral container usage
    • Create specialized debug container with CINC Auditor pre-installed
    • Implement chroot-based filesystem access to target container
    • Bridge results back to host system
    • Fully document the approach's tradeoffs and use cases
  • Approach 3: Sidecar Container with Shared Process Namespace (Working Solution)

    • Create script for sidecar deployment and scanning
    • Implement process detection and filesystem access
    • Create Helm chart for sidecar container approach
    • Document the sidecar approach thoroughly
    • Create CI/CD integration examples
  • Comparative Analysis

    • Benchmark performance of all approaches
    • Document security implications of each approach
    • Create decision matrix for solution selection
    • Develop recommendation for enterprise environments

Enhanced Architecture Documentation

  • System Architecture Documentation

    • Container interaction flow diagrams
    • Security model diagrams
    • Sequence diagrams for each approach
    • Component diagrams showing interactions
  • Security Analysis Documentation

    • Risk analysis of container scanning approaches
    • Threat modeling for all distroless approaches
    • Security controls and mitigations
    • Privilege minimization techniques
  • Decision Support Documentation

    • Pros and cons analysis of all approaches
    • Total cost of ownership considerations
    • Maintenance and support implications
    • Formal recommendation document for stakeholders
  • Additional Guides

    • Advanced RBAC configurations
    • Custom profile development
    • Integrating with vulnerability scanners
  • Tutorials

    • End-to-end scanning tutorial
    • Custom profile development tutorial
    • Integrating results with security dashboards

Testing and Validation

  • Container Type Testing

    • Test with Google's distroless images
    • Test with custom minimalist containers
    • Test with different language runtimes (Go, Java, Python)
  • Performance Optimization

    • Measure and optimize scan times
    • Reduce resource usage during scans
    • Optimize startup time
    • Compare performance metrics between approaches

Extended CI/CD Examples

  • Distroless Container CI/CD Integration

    • GitHub Actions workflow for Approach 1 (modified plugin)
    • GitHub Actions workflow for Approach 2 (debug container method)
    • GitHub Actions workflow for Approach 3 (sidecar method)
    • GitLab CI pipeline for Approach 2 and Approach 3
    • Jenkins pipeline example
  • CI/CD Enhancements

    • Dedicated distroless scanning GitHub Actions workflow
    • Dedicated distroless scanning GitLab CI pipeline
    • Integration with vulnerability scanning tools
    • End-to-end security pipeline examples

Roadmap Timeline

Phase 1: Core Functionality (100% Complete)

  • Basic container scanning with RBAC
  • Helper scripts for standard workflows
  • GitHub and GitLab integration

Phase 2: Enhanced Capabilities (100% Complete)

  • Modular Helm chart implementation
  • SAF CLI integration
  • Threshold configuration
  • Documentation improvements

Phase 3: Distroless Container Support (90% Complete)

  • Implemented multiple demonstration approaches:
    • Approach 1: Modified train-k8s-container plugin (20% complete)
    • Approach 2: CINC Auditor in debug container with chroot (100% complete)
    • Approach 3: Sidecar container with shared process namespace (100% complete)
  • Enhanced documentation with architectural diagrams
  • Created security risk analysis for all approaches
  • Provided clear recommendations for decision makers
  • Developed comprehensive documentation and comparison resources

Phase 4: Documentation and Integration Enhancement (95% Complete)

  • Comprehensive documentation reorganization
  • MkDocs with Material theme implementation
  • Enhanced navigation and cross-references
  • Complete guide for all scanning approaches
  • Improved integration examples and CI/CD workflows

Phase 5: Advanced Features (Planned for Q3 2025)

  • Automated remediation suggestions
  • Integration with security dashboards
  • Enterprise-grade customization options
  • Additional CI/CD platform support
  • Integration with vulnerability scanning tools

Project Status

  • Overall Project Completion: ~90%
  • Documentation Completion: 95%
  • Core Functionality: 100%
  • Testing Coverage: 70%
  • Next Major Milestone: Complete Approach 1 implementation and v1.0.0 release
  • Target Release Date: May 2025