Initial thoughts and ideas

[ckotzbauer]

Sources

• Load SBOMs from Git-Repository (previously created from sbom-operator)
• Cron-Trigger (like sbom-operator)
• Webhook-Trigger (e.g. called from sbom-operator)

Targets

• Prometheus-Metrics (⚠️ needs more specification)
• Messaging (How to avoid sending the same messages for found CVEs on each scan?)
• Report generation
  • READMEs
  • Web-Report served from vulnerability-operator itself or uploaded to a destination
  • JSON-Report served from vulnerability-operator itself
• PolicyReport-CRDs (maybe there's a way to include this in Kyverno's Policy-Reporter)

Scanning

• Integrate grype-golang (https://github.com/anchore/grype/blob/v0.32.0/cmd/root.go)

CVE-Filtering-Options

• Only fixed
• Severity-Threshold
• Ignorelist

Build / Security

• GoReleaser
• Release-Pipeline from https://github.com/ckotzbauer/actions-toolkit/blob/main/.github/workflows/toolkit-release-goreleaser.yml
• OIDC-signed artifacts and images via cosign
• SBOMs
• SLSA provenance
• Docker-Image from scratch

Deployment

• Plain Kubernetes-YAMLs
• Helm-Chart
• Built-in (but optional) ServiceMonitor for Prometheus-Operator CRD

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label with /remove-lifecycle stale or comment or this will be closed in 5 days.