@rverchere
Last active January 5, 2022 05:08
Kubernetes pod CVE vulnerability check
#!/usr/bin/env bash
# Usage: ./k8s_vuln.sh CVE-NUMBER
# Lists every workload image in every namespace and flags the ones whose
# trivy CRITICAL findings mention the given CVE id.
RED='\033[0;31m'
NC='\033[0m'
OLDIFS="$IFS"
IFS=$'\n'
VULN="$1"
# $1 arg is the CVE number to check
if [ -z "${VULN}" ]; then
    echo -e "usage: $0 CVE-NUMBER (i.e: './k8s_vuln.sh CVE-2021-44228')"
    exit 1
fi
# Check command existence before using it
if ! command -v trivy &> /dev/null; then
    echo "trivy not found, please install it"
    exit 1
fi
if ! command -v kubectl &> /dev/null; then
    echo "kubectl not found, please install it"
    exit 1
fi
echo "Scanning ${VULN}..."
# One namespace name per line; jsonpath avoids parsing the human-readable table
namespaces=$(kubectl get ns -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
for ns in ${namespaces}; do
    echo "- scanning in namespace ${ns}"
    # {..image} walks every nested "image" field, so it also covers the pod
    # templates of deployments, daemonsets, statefulsets, jobs and cronjobs
    # (under .spec.template / .spec.jobTemplate, where .spec.containers does not exist).
    # It also picks up status.containerStatuses[*].image; sort -u removes duplicates.
    imgs=$(kubectl get pods,deployments,daemonsets,statefulsets,jobs,cronjobs -n "${ns}" -o jsonpath='{..image}' | tr " " "\n" | sort -u)
    for img in ${imgs}; do
        echo " scanning ${img}"
        # --light was accepted by the trivy releases current when this gist was written;
        # drop it if your trivy version rejects the flag
        result=$(trivy -q image --light --no-progress --severity CRITICAL "${img}")
        # Match the CVE id as a whole word so CVE-2021-4422 does not match CVE-2021-44228
        if printf '%s\n' "${result}" | grep -qw "${VULN}"; then
            echo -e " ${RED}${img} is vulnerable, please patch!${NC}"
        fi
    done
done
IFS="$OLDIFS"
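The two fragile points in a check like this are the argument (an empty or malformed `$1` makes every image look vulnerable, as the first comment below notes) and the match itself (a plain substring grep for the CVE id also matches longer ids that share its prefix). The following is an added example, not part of the gist, showing a validated CVE-id check and a whole-token match run over a constructed, trivy-style report; the function names and the sample report are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not part of the gist): stricter argument validation and
# CVE matching for a trivy-based check. Needs only POSIX grep/printf.

# Accept only well-formed CVE identifiers such as CVE-2021-44228.
is_cve_id() {
    printf '%s' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Return 0 if the report text on stdin lists the CVE as a whole token,
# so CVE-2021-4422 does not match a report that only contains CVE-2021-44228.
report_has_cve() {
    grep -Eq "(^|[^A-Za-z0-9-])$1([^0-9]|$)"
}

# Constructed sample of a trivy table-style report (not real tool output).
SAMPLE_REPORT='library/app (jar)
Total: 1 (CRITICAL: 1)
+-------------------------------------+------------------+----------+
| LIBRARY                             | VULNERABILITY ID | SEVERITY |
+-------------------------------------+------------------+----------+
| org.apache.logging.log4j:log4j-core | CVE-2021-44228   | CRITICAL |
+-------------------------------------+------------------+----------+'

# Wrapper so the match can be exercised against the sample instead of stdin.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_REPORT" | report_has_cve "$1"
}

main() {
    if ! is_cve_id "$1"; then
        echo "usage: $0 CVE-YYYY-NNNN" >&2
        return 2
    fi
    if sample_has_cve "$1"; then
        echo "$1 found in sample report"
    else
        echo "$1 not found in sample report"
    fi
}

# Defaults to the CVE from the gist's usage line when run without an argument.
main "${1:-CVE-2021-44228}"
```

In the gist script the same effect is obtained by validating `$1` before the scan loop and by replacing `grep -q "$1"` with a whole-word match such as `grep -qw`, so a typo in the argument produces a usage error instead of a silent scan that flags nothing or everything.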
steve-heslouin commented Dec 13, 2021

this script should make sure that $1 is set, otherwise user may believe that every single image is vulnerable.

Done

eloo commented Dec 15, 2021

L11: the usage has an error in the script name.
vuln_k8s.sh should be k8s_vuln.sh

Corrected!

MohdRashid01 commented Dec 15, 2021

vuln_k8s.sh should be k8s_vuln.sh, need to update.
Scanning is getting stuck at namespace.
