Kritis

Kritis (“judge” in Greek) is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, and in a subsequent release, Grafeas.

Here is an example Kritis policy that prevents the deployment of a Pod with a critical vulnerability unless it has been whitelisted:

imageWhitelist:
- gcr.io/my-project/whitelist-image@sha256:<DIGEST>
packageVulnerabilityPolicy:
  maximumSeverity: HIGH
  whitelistCVEs:
    - providers/goog-vulnz/notes/CVE-2017-1000082
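
The decision this policy describes, as an added Go sketch that is not Kritis's own code: an image listed in imageWhitelist is admitted without a vulnerability check, and any other image is blocked by each finding above maximumSeverity whose note is not in whitelistCVEs. The Policy and Vuln types, the Violations function, the severity ordering, the app image reference and the EXAMPLE notes are assumptions made for illustration.

```go
package main

import "fmt"

// Severity ordering, least to most severe (assumed for this sketch).
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Policy mirrors the fields of the example policy; it is not Kritis's own type.
// The two whitelists are held as sets for exact-match lookup.
type Policy struct {
	ImageWhitelist  map[string]bool
	MaximumSeverity string
	WhitelistCVEs   map[string]bool
}

// Vuln is a hypothetical stand-in for one vulnerability finding on an image.
type Vuln struct{ Note, Severity string }

// Violations returns the findings that would block deployment of image.
func Violations(p Policy, image string, vulns []Vuln) []Vuln {
	if p.ImageWhitelist[image] {
		return nil // whitelisted image reference: no vulnerability check
	}
	var out []Vuln
	for _, v := range vulns {
		rank, known := severityRank[v.Severity]
		// Fail closed: an unrecognised severity counts as over the limit.
		overLimit := !known || rank > severityRank[p.MaximumSeverity]
		if overLimit && !p.WhitelistCVEs[v.Note] {
			out = append(out, v)
		}
	}
	return out
}

func main() {
	p := Policy{
		ImageWhitelist:  map[string]bool{"gcr.io/my-project/whitelist-image@sha256:<DIGEST>": true},
		MaximumSeverity: "HIGH",
		WhitelistCVEs:   map[string]bool{"providers/goog-vulnz/notes/CVE-2017-1000082": true},
	}
	vulns := []Vuln{ // constructed findings; the EXAMPLE notes are placeholders
		{"providers/goog-vulnz/notes/CVE-2017-1000082", "CRITICAL"},
		{"providers/goog-vulnz/notes/EXAMPLE-0001", "CRITICAL"},
		{"providers/goog-vulnz/notes/EXAMPLE-0002", "MEDIUM"},
	}
	// Only EXAMPLE-0001 blocks: it is CRITICAL and not in whitelistCVEs.
	fmt.Println(Violations(p, "gcr.io/my-project/app@sha256:<DIGEST>", vulns))
}
```

Because the image whitelist is matched on the full digest-pinned reference, a rebuilt image with a new digest is evaluated against the vulnerability policy again.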

In addition to enforcement, this project also contains signers that can be used to create Grafeas Attestation Occurrences for use in other enforcement systems such as Binary Authorization. For details, see Kritis Signer.

Getting Started

Contributing

See CONTRIBUTING for details on how you can contribute.

See DEVELOPMENT for details on the development and testing workflow.

License

Kritis is under the Apache 2.0 license. See the LICENSE file for details.