Port Authority is an API service that delivers component based vulnerability assessments for Docker images at time of build and in run-time environments.
The Port Authority API is capable of orchestrating scans of individual public or private images as well as scanning entire private Docker registries like Docker Hub, Google Container Registry or Artifactory. To accomplish this, Port Authority breaks each Docker image into layers and sends it to the open source static analysis tool Clair in the backend to perform the scans and identify vulnerabilities. Upon completion of this workflow Port Authority maintains a manifest of the images and scan results.
Port Authority also supplies developers with customizable offerings to assist with the audit and governance of their container workloads. Port Authority provides a webhook that when leveraged by a Kubernetes admission controller will allow or deny deployments based off of user-defined policies and image attributes. Port Authority then achieves run-time inspection by integrating with Kubernetes to discover running containers and inventorying those deployed images for scanning.
-
Install Minikube
-
Start Minikube:
minikube start
NOTE: Supported Kubernetes versions (1.6.x - 1.9.x). Supported Clair versions v2.x.x.
-
Use Minikube Docker:
eval $(minikube docker-env)
-
Deploy official Port Authority stack:
make deploy-minikube
(Optional). Local developer build stack:
-
Use Minikube Docker:
eval $(minikube docker-env)
-
Get all Glide dependancies:
make deps
-
Deploy official Port Authority stack:
make deploy-minikube-dev
Different configuration adjustments can be made to the Port Authority deployment here: minikube/portauthority/portauthority/config.yml
✅ Add Docker Credentials used by the K8s Crawler scan feature
### Environment variables defined below are mapped to credentials used by the Kubernetes Crawler API (/v1/crawler/k8s)
### A 'Scan: true' flag will invoke their usage
k8scrawlcredentials:
# Use "" for basic auth on registries that do not require a username and password
- url: "docker.io" #basic auth is empty UN and PW
username: "DOCKER_USER"
password: "DOCKER_PASS"
- url: "gcr.io" #basic auth is empty UN and PW
username: "GCR_USER"
password: "GCR_PASS"
✅ Enable the Kubernetes Admission Controller and change webhooks default behavior
# Setting imagewebhookdefaultblock to true will set the imagewebhooks endpoint default behavior to block any images with policy violations.
# If it is set to false a user can change enable the behavior by setting the portauthority-webhook deployment annotation to true
imagewebhookdefaultblock: false
Port Authority is an API service. See our complete API Documentation for further configuration, usage, Postman collections and more.
We always welcome new PRs! See Contributing for further instructions.
Found something that doesn't seem right or have a feature request? Please open a new issue.
©2018 Target Brands, Inc.
**Credit Renee French for original golang gopher