Last active
January 5, 2022 05:08
Kubernetes pod CVE vulnerability check
```bash
#!/usr/bin/env bash
RED='\033[0;31m'
NC='\033[0m'
OLDIFS="$IFS"
IFS=$'\n'
VULN=$1
# $1 arg is the CVE number to check
if [ -z "$1" ]; then
  echo -e "usage: $0 CVE-NUMBER (e.g.: './k8s_vuln.sh CVE-2021-44228')"
  exit 1
fi
# Check command existence before using it
if ! command -v trivy &> /dev/null; then
  echo "trivy not found, please install it"
  exit 1
fi
if ! command -v kubectl &> /dev/null; then
  echo "kubectl not found, please install it"
  exit 1
fi
# CVE-2021-44228
echo "Scanning $1..."
# Namespace names: first column, skipping the header line
namespaces=$(kubectl get ns | cut -d' ' -f 1 | tail -n+2)
for ns in ${namespaces}; do
  echo "- scanning in namespace ${ns}"
  # Unique container images in the namespace. Pods keep containers under .spec,
  # the workload controllers under a pod template (.spec.template.spec, or
  # .spec.jobTemplate.spec.template.spec for cronjobs), so every location is
  # listed; {end} closes the range.
  imgs=$(kubectl get pods,deployments,daemonsets,statefulsets,jobs,cronjobs -n "${ns}" \
    -o jsonpath='{range .items[*]}{.spec.containers[*].image}{" "}{.spec.template.spec.containers[*].image}{" "}{.spec.jobTemplate.spec.template.spec.containers[*].image}{" "}{end}' \
    | tr " " "\n" | sort -u)
  for img in ${imgs}; do
    echo "  scanning ${img}"
    result=$(trivy -q image --light --no-progress --severity CRITICAL "${img}")
    # -F: match the CVE id literally; -w: whole id only, so CVE-2021-4422 does
    # not also flag CVE-2021-44228
    if echo "${result}" | grep -qwF -- "$1" ; then
      echo -e "  ${RED}${img} is vulnerable, please patch!${NC}"
    fi
  done
done
IFS="$OLDIFS"
```
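The grep in the script above matches any substring of trivy's text output, which is why an unset or truncated argument flags every image. As an added example (not the gist's own code), the following reads the JSON report written by `trivy image -f json`, validates the identifier, and compares it exactly against each finding's VulnerabilityID; the embedded report is constructed, and the CVE-0000-* identifiers in it are placeholders.

```python
#!/usr/bin/env python3
"""Exact CVE lookup over `trivy image -f json` output (added example, not the gist's code)."""
import json
import re
import sys

# A CVE identifier is CVE-<year>-<4+ digits>; rejecting anything else up front means an
# empty or truncated argument can never match every image.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def find_cve(report, cve_id):
    """Return (target, package, installed, fixed) tuples for exact VulnerabilityID matches.
    Handles the current schema ({"Results": [...]}) and the older bare list of results."""
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    results = report.get("Results") if isinstance(report, dict) else report
    hits = []
    for res in results or []:
        for vuln in res.get("Vulnerabilities") or []:  # null when the target is clean
            if vuln.get("VulnerabilityID") == cve_id:  # exact match, not a substring
                hits.append((res.get("Target"), vuln.get("PkgName"), vuln.get("InstalledVersion"),
                             vuln.get("FixedVersion") or "no fix available"))
    return hits

# Constructed report in the shape of trivy's JSON output; image and package values are
# invented and the CVE-0000-* identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "registry.example/app:1.0",
    "Results": [
        {"Target": "registry.example/app:1.0 (debian 11.2)", "Vulnerabilities": None},
        {"Target": "Java", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-44228", "PkgName": "log4j-core",
             "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0"},
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a", "InstalledVersion": "1.0", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-00010", "PkgName": "pkg-b", "InstalledVersion": "1.0", "FixedVersion": "1.1"},
        ]},
    ],
}

def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} CVE-NUMBER report.json")
    with open(argv[2]) as fh:
        hits = find_cve(json.load(fh), argv[1])
    for target, pkg, installed, fixed in hits:
        print(f"{target}: {pkg} {installed} vulnerable to {argv[1]} (fixed: {fixed})")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it per image as `trivy -q image -f json --severity CRITICAL IMAGE > report.json && python3 trivy_cve.py CVE-2021-44228 report.json`; the exit status is 1 only when the exact identifier is present.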
This script should make sure that $1 is set, otherwise the user may believe that every single image is vulnerable.
Done
L11: the usage has an error in the script name. vuln_k8s.sh should be k8s_vuln.sh
Corrected!
vuln_k8s.sh should be k8s_vuln.sh, needs to be updated
Scanning is getting stuck at namespace
Corrected
L22: Maybe -A would be a good idea to scan all namespaces