
Chapter 4. Viewing security insights


Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) automatically triggers an on-push pipeline when you update your code and push changes. By default, it uses a standard build pipeline for containerized deployment according to the Supply-chain Levels for Software Artifacts (SLSA) level 3 specifications.

Figure 4.1. A successful pipeline run

The pipeline run performs the following tasks:

  • init: Configures rebuild flags and authentication. Creates an image repository secret.
  • clone-repository: Clones the repository to prepare for the build.
  • build-container:

    • Creates a container image from the source code using Buildah and pushes it to a registry.
    • Generates a Software Bill of Materials (SBOM) to document all components and dependencies.
    • Publishes security artifacts like image signatures and attestations.
  • update-deployment: Updates the GitOps repository to deploy the latest image.
  • acs-image-check, acs-image-scan, and acs-deploy-check tasks: Each task runs a security check to ensure compliance with policies.
  • show-sbom: Creates a complete list of the software components and libraries for transparency purposes.
  • summary: Cleans up resources and provides a summary of the pipeline run.
Note

Click any task in a pipeline run to view logs.

Prerequisites

  • The build-container and show-sbom tasks ran successfully (for downloading the SBOM).

Procedure

  1. Select Catalog.
  2. Select the component you want to review.
  3. Select the CI tab > Actions column > View output icon.
  4. Review the detailed RHACS reports for the selected component.

    Figure 4.2. The detailed RHACS reports

    Note

    If you have the required permissions, you can manage vulnerabilities, policies, and review detailed vulnerability reports for a specific image in the RHACS console. For more information, see Viewing the dashboard.

  5. Select the CI tab.
  6. Select the link icon for the show-sbom task. The UI displays the SBOM task logs.
  7. Review the SBOM in your browser and search for vulnerabilities such as log4j.

    Figure 4.3. The SBOM details
  8. (Optional) To download the SBOM in the CLI: Expand the successful pipeline run and select the show-summary task.
  9. Search and copy the SBOM image URL.
  10. Run the following command on your terminal:

    $ cosign download sbom <the_sbom_url_you_copied>
  11. (Optional) To save the output to a file for detailed analysis, run the following command:

    $ cosign download sbom <the_sbom_url_you_copied> > sbom.txt

4.1. About Red Hat Advanced Cluster Security reports

Reports from RHACS tasks give you security insights to help you maintain strong security.

Interpreting roxctl image scan (Image Scan) reports involves the following information:

  • Vulnerability Breakdown: RHACS categorizes detected vulnerabilities by severity (Critical, Important, Moderate, Low), and status (fixable, nonfixable). Then, it offers a summary of the scan results. This categorization includes the total number of vulnerabilities and components analyzed with specific Common Vulnerabilities and Exposures (CVEs) identified.
  • Details Provided: For each identified vulnerability the report includes:

    • CVE ID: A unique identifier for the vulnerability.
    • Severity: The level of threat posed by the vulnerability.
    • Component: The software component affected by the vulnerability.
    • Component Version: The version of the affected component.
    • Remediation Suggestions: Recommendations for addressing the vulnerability, including the fixed version if available.

You can use the same approach for roxctl image check (Image Check) and roxctl deployment check (Deployment Check) reports.
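The breakdown described above (per-severity counts split into fixable and nonfixable, totals of CVEs and components, and a fixed-version remediation per component) can be reproduced over scan findings once they are loaded from the JSON report. The following is an added example, not RHADS or roxctl code; the findings are constructed, the CVE ids are placeholders, and the record fields (cve, severity, component, version, fixed_version) are this example's own simplification rather than roxctl's output schema.

```python
"""Tabulate image-scan findings the way the Vulnerability Breakdown of an RHACS
image scan report is read: per severity, split into fixable and nonfixable, with
totals and a per-component remediation list.

Added example, not RHADS or roxctl code. The records below are constructed and
their field names (cve, severity, component, version, fixed_version) are this
example's own simplification, not roxctl's JSON output schema."""
import re

SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]

# Constructed findings; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "Critical", "component": "log4j-core",
     "version": "2.14.1", "fixed_version": "2.17.1"},
    {"cve": "CVE-0000-0002", "severity": "Important", "component": "openssl",
     "version": "3.0.1", "fixed_version": "3.0.7"},
    {"cve": "CVE-0000-0003", "severity": "Important", "component": "openssl",
     "version": "3.0.1", "fixed_version": ""},        # no fix published
    {"cve": "CVE-0000-0004", "severity": "Moderate", "component": "curl",
     "version": "7.79.1", "fixed_version": "7.81.0"},
    {"cve": "CVE-0000-0005", "severity": "Low", "component": "zlib",
     "version": "1.2.11", "fixed_version": ""},
]


def is_fixable(finding):
    """A finding is fixable when the scanner names a fixed version."""
    return bool(finding.get("fixed_version"))


def breakdown(findings):
    """Counts per severity, split into fixable / nonfixable."""
    table = {sev: {"fixable": 0, "nonfixable": 0} for sev in SEVERITY_ORDER}
    for f in findings:
        sev = f["severity"]
        if sev not in table:
            raise ValueError("unknown severity %r on %s" % (sev, f.get("cve")))
        table[sev]["fixable" if is_fixable(f) else "nonfixable"] += 1
    return table


def totals(findings):
    """Total CVEs and distinct affected component versions."""
    return {"vulnerabilities": len(findings),
            "components": len({(f["component"], f["version"]) for f in findings})}


def _version_key(version):
    # Numeric-run comparison: "2.17.1" -> (2, 17, 1); good enough for dotted versions.
    return tuple(int(n) for n in re.findall(r"\d+", version))


def remediation(findings):
    """Highest fixed version per component among the fixable findings, i.e. the
    one upgrade that clears every fixable CVE reported for that component."""
    plan = {}
    for f in findings:
        if not is_fixable(f):
            continue
        comp, fixed = f["component"], f["fixed_version"]
        if comp not in plan or _version_key(fixed) > _version_key(plan[comp]):
            plan[comp] = fixed
    return plan


def worst_fixable_severity(findings):
    """Most severe level that still has a fixable CVE, or None."""
    table = breakdown(findings)
    for sev in SEVERITY_ORDER:
        if table[sev]["fixable"]:
            return sev
    return None


if __name__ == "__main__":
    for sev, counts in breakdown(SAMPLE_FINDINGS).items():
        print("%-10s fixable=%d nonfixable=%d" % (sev, counts["fixable"], counts["nonfixable"]))
    print(totals(SAMPLE_FINDINGS))
    for comp, fixed in remediation(SAMPLE_FINDINGS).items():
        print("upgrade %s to %s" % (comp, fixed))
    print("worst fixable severity:", worst_fixable_severity(SAMPLE_FINDINGS))
```

Fixable findings are the ones a rebuild can clear, so the remediation list is what to act on first; nonfixable entries are the residual risk to track until upstream publishes a fix.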

4.2. About pipeline security tasks

When you install and configure Red Hat Advanced Cluster Security (RHACS) during Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) installation, the pipeline runs security tasks. Otherwise, the pipeline skips these steps.

Note

Figure 4.4. The RHACS tasks in the pipeline run

Three RHACS pipeline tasks use roxctl to run security checks:

  • roxctl image scan: Identifies components and vulnerabilities in the image and generates results in JSON format.
  • roxctl image check: Verifies build-time security violations in the image. For example, policies such as 'No log4j allowed' or restrictions against including curl, wget, or package managers in production images.
  • roxctl deployment check: Checks for build-time and deploy-time security violations in the YAML deployment files.

The Pipeline Runs section under the CI tab in RHDH displays detailed task reports. The pop-up interface displays the following items:

  • Red Hat Advanced Cluster Security (conditionally shown on the availability of RHACS tasks): Displays individual tabs for all the RHACS tasks, summarizing identified security issues.
  • Others: Provides results from the PipelineRun. For example, IMAGE_URL, and IMAGE_DIGEST. The UI only displays this section when the pop-up contains additional information (for example, Conforma or RHACS).

4.3. About Software Bill of Materials (SBOMs)

The show-sbom task creates a list of all software libraries used in the application. This list helps identify vulnerabilities and assess security impacts.

Figure 4.5. The show-sbom task in the pipeline run

The SBOM includes information about each library used in your project, such as:

  • The source of the library, author, or publisher
  • The library name
  • The library version
  • The license type

This information helps ensure that you use safely-sourced, updated, and compliant libraries. The following JSON file is a partial example of an SBOM:

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
    "version": 1,
    "metadata": {
        ...
    },
    "components": [
        {
            "bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
            "type": "library",
            "author": "Armin Ronacher <armin.ronacher@active-4.com>",
            "name": "Flask",
            "version": "2.1.0",
            "licenses": [
                {
                    "license": {
                        "id": "BSD-3-Clause"
                    }
                }
            ],
            "cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
            "purl": "pkg:pypi/Flask@2.1.0",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "python-package-cataloger"
                    ...
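The SBOM search in the procedure above (reviewing the show-sbom output, or the file saved from cosign download sbom, for a library such as log4j) and the per-component fields in the partial SBOM (name, version, purl, licenses) can both be handled programmatically by parsing the CycloneDX JSON. The following is an added example and not part of the RHADS documentation or the show-sbom task; the SBOM it embeds is a constructed, trimmed CycloneDX 1.4 document, and a real one can be passed as the first command-line argument.

```python
"""Parse a CycloneDX SBOM such as the one `cosign download sbom` returns, list
every component with its version and license, and search it for a library name.

Added example, not part of the RHADS documentation or the show-sbom task. The
SBOM below is a constructed, trimmed CycloneDX 1.4 document for illustration."""
import json
import sys

# Constructed sample input: three components in the shape shown in the
# partial SBOM above (name, version, purl, licenses).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "Flask", "version": "2.1.0",
         "purl": "pkg:pypi/Flask@2.1.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1",
         "licenses": [{"license": {"name": "Apache 2.0"}}]},  # name instead of SPDX id
    ],
})


def load_sbom(text):
    """Parse the JSON and refuse anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM: bomFormat=%r" % doc.get("bomFormat"))
    return doc


def component_licenses(component):
    """CycloneDX allows either an SPDX id or a free-form name per license entry."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids


def inventory(doc):
    """(name, version, purl, [licenses]) for every component in the SBOM."""
    return [(c.get("name"), c.get("version"), c.get("purl"), component_licenses(c))
            for c in doc.get("components", [])]


def find_components(doc, needle):
    """Case-insensitive substring search over name, group and purl, so a query
    like 'log4j' matches the Maven coordinates as well as the artifact name."""
    needle = needle.lower()
    hits = []
    for c in doc.get("components", []):
        fields = [c.get("name"), c.get("group"), c.get("purl")]
        haystack = " ".join(f for f in fields if f).lower()
        if needle in haystack:
            hits.append((c.get("name"), c.get("version"), c.get("purl")))
    return hits


if __name__ == "__main__":
    # Usage: python sbom_search.py [sbom.json] [library-name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    query = sys.argv[2] if len(sys.argv) > 2 else "log4j"
    doc = load_sbom(text)
    for name, version, purl, licenses in inventory(doc):
        print("%-12s %-8s %-20s %s" % (name, version, ", ".join(licenses), purl))
    print("matches for %r: %s" % (query, find_components(doc, query)))
```

Searching the group and purl as well as the name matters for Java components, where the artifact name alone (for example log4j-core) may not carry the string you are looking for but the Maven group does.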
© 2026 Red Hat