cve-agent is a tool that periodically scans images in a cluster for known vulnerabilities.
cve-agent scans images once per day by default. The scan result is stored and can be accessed via HTTP.
$ kubectl apply -f kubernetes
Port forward the cve-agent HTTP service to access the scan result.
$ kubectl port-forward service/cve-agent 8080:8080 &
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080
$ curl 127.0.0.1:8080
Handling connection for 8080
The scan result is a JSON object with the following format:
{
  "time": "2023-12-19T09:32:59.140210963Z",
  "cveList": {
    "docker.io/istio/pilot:1.20.1": [
      {
        "id": "CVE-2023-44487",
        "severity": "HIGH",
        "image": "docker.io/istio/pilot:1.20.1",
        "link": "https://www.cvedetails.com/cve/CVE-2023-44487/"
      },
      {
        "id": "CVE-2022-39388",
        "severity": "LOW",
        "image": "docker.io/istio/pilot:1.20.1",
        "link": "https://www.cvedetails.com/cve/CVE-2022-39388/"
      }
    ],
    "docker.io/istio/proxyv2:1.20.1": [
      {
        "id": "CVE-2023-35945",
        "severity": "MEDIUM",
        "image": "docker.io/istio/proxyv2:1.20.1",
        "link": "https://www.cvedetails.com/cve/CVE-2023-35945/"
      },
      {
        "id": "CVE-2023-35942",
        "severity": "HIGH",
        "image": "docker.io/istio/proxyv2:1.20.1",
        "link": "https://www.cvedetails.com/cve/CVE-2023-35942/"
      }
    ]
  }
}
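One way to consume this result in a scheduled check, as an added example that is not part of cve-agent: it lists findings at or above a severity threshold per image and flags a result whose `time` is older than the daily scan interval. The function names, the `CRITICAL` label and the one-hour slack on the interval are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Labels seen in the sample output, plus CRITICAL (assumed). Unrecognised
# labels rank highest so they are surfaced rather than silently dropped.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: the scan result shown above, trimmed to the fields used.
SAMPLE = """
{"time": "2023-12-19T09:32:59.140210963Z",
 "cveList": {
  "docker.io/istio/pilot:1.20.1": [
   {"id": "CVE-2023-44487", "severity": "HIGH"},
   {"id": "CVE-2022-39388", "severity": "LOW"}],
  "docker.io/istio/proxyv2:1.20.1": [
   {"id": "CVE-2023-35945", "severity": "MEDIUM"},
   {"id": "CVE-2023-35942", "severity": "HIGH"}]}}
"""

def parse_time(stamp):
    """Parse the 'time' field; nanoseconds are trimmed to microseconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", stamp)
    if not m:
        raise ValueError(f"unexpected time format: {stamp!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def triage(result, min_severity="HIGH", now=None,
           max_age=timedelta(days=1, hours=1)):
    """Return (stale, findings); findings maps image -> sorted CVE ids."""
    now = now or datetime.now(timezone.utc)
    stale = now - parse_time(result["time"]) > max_age
    floor = SEVERITY_RANK[min_severity]
    findings = {}
    # 'cveList' or a per-image list may be null when nothing was found.
    for image, cves in (result.get("cveList") or {}).items():
        hits = sorted(c["id"] for c in (cves or [])
                      if SEVERITY_RANK.get(str(c.get("severity")).upper(), 99) >= floor)
        if hits:
            findings[image] = hits
    return stale, findings

if __name__ == "__main__":
    stale, findings = triage(json.loads(SAMPLE))
    print("stale scan result:", stale)
    for image, ids in findings.items():
        print(image, ", ".join(ids))
```

A stale result is worth alerting on by itself, since an agent that has stopped scanning otherwise looks the same as a cluster with no new findings.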