Aqua Security, a pioneering force in cloud native security, has extended its open-source solution, Trivy, to support the scanning of vulnerabilities in Kubernetes components. This groundbreaking initiative, which also encompasses the establishment of a Kubernetes Bill of Materials (KBOM), allows companies to ascertain which elements constitute their Kubernetes environment, offering increased understanding of their security parameters and thereby helping to mitigate risk.
Around the globe, Kubernetes implementations are now an attribute of many enterprises. However, security considerations present concerns for over half of these organisations, particularly regarding vulnerabilities and misconfigurations, as stated by Red Hat. Existing infrastructure scanners have been limited to identifying misconfigurations, with the ability to recognise Kubernetes component vulnerabilities beyond their scope. Trivy now fills this gap with an industry-first breakthrough.
Aqua Security had already expanded Trivy's capabilities earlier in 2023 to include KBOM generation, which functions similarly to a software bill of materials (SBOM), detailing every significant component of a Kubernetes cluster. These encompass control plane components, node components, and add-ons, detailing their versions and images. In utilising KBOM, Aqua Trivy provides its users with the means to review the evolution of their cluster security, identify potential security threats, and make informed decisions regarding the upgrade of cluster components.
Itay Shakury, Vice President of Open Source at Aqua Security, emphasised the critical role of KBOM in infrastructure security, comparable to SBOM in application security. "Now, with the ability to scan the actual Kubernetes infrastructure, in addition to workloads and images, we are working toward the industry’s first complete Kubernetes vulnerability scanner," he said.
The introduction of Kubernetes vulnerability scanning to Trivy extends the capabilities of this popular tool, widely known for identifying vulnerabilities and risks. The tool's reputation is reinforced by 20,000 GitHub stars and a committed community of users and contributors.
Visibility from KBOM generation and component vulnerability scanning is not exclusively beneficial for companies operating their own Kubernetes environments. It is also vital for organisations employing a managed Kubernetes service, providing them with the requisite insight to gauge whether service providers are utilising vulnerable components which could pose potential risks.
Aqua Security encourages developers to test Aqua Trivy's KBOM generation capabilities to scan their cluster resources for vulnerabilities and offer feedback to enhance overall user experience. In late November, all KBOM features will become commercially available as part of Aqua’s Kubernetes Security Posture Management solution (KSPM) and as part of the Aqua Platform.