►
From YouTube: First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs
Description
First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs, Aqua Security
A key element of successfully integrating security into the DevOps lifecycle is embedding it right from the start. Helping developers and operators build security controls in from day-one with easy to use open source tooling can make that a reality. This workshop will take a hands-on approach to demonstrate how to install, configure and customize open source security tools to be used throughout the DevOps process. The workshop will focus on a couple of core tools. Firstly understanding how Trivy can be used to help secure container images, Dockerfiles, Kubernetes manifests and IaC code such as Terraform. Then the workshop will move on to operationalizing security controls using Starboard to automate the operation of Trivy and other security tools, providing continuous security assurance of workloads and Kubernetes clusters.
A
B
C
A
C
Yeah
so
yeah
we're
going
to
talk
about
full
life
cycle
security
and
we're
going
to
show
you
some
tools
on
how
you
can
get
started
now,
if
you're
sitting
in
a
front
and
you're
taking
table
space
and
you're
not
participating,
it
would
be
great
if
you
can
make
space
for
other
people
who
want
to
participate
and
sit
on
the
tables
just
fyi.
So
if
you're
just
checking
emails,
then
please
make
space
for
others,
otherwise
yeah.
If
you
want
to
join
and
participate
in
the
workshop,
then
here's
spaces
in
the
front
as
well.
C
First,
okay,
so
my
name
is
anis
orlis,
I'm
the
open
source
developer
advocate
at
aqua
security,
I'm
also
a
cncf
ambassador.
I
got
started
in
the
devops
space
at
the
end
of
2020.
I
worked
as
developer
advocate
and
then
a
site,
reliability,
engineer
and
now
joined
aqua.
I
also
have
a
youtube
channel
where
I
talk
about
kubernetes
and
cloud
native
tools.
If
you're
curious
about
that
check
it
out.
B
And
I'm
rory,
I'm
a
cloud
native
security
advocate
aqua.
My
background's
perhaps
slightly
different
a
lot
of
people's
I'm
I'm
from
the
infosec
slash
pen,
test
world.
I
was
a
pen
tester
before
I
did.
This
I've
been
doing
security
for
a
while
now
and
you
can
generally
find
me
on
twitter,
github
and
anywhere
else
as
racine,
and
I
will
give
a
sticker
to
anyone.
Who
knows
why
racine
and
you
need
to
be
in
a
kind
of
role-playing
game
person
for
the
mid-2000s
you're
going
to
answer
that
question
without
googling.
B
B
Highly
workshop
objectives,
we've
kind
of
got
three
things
we
want
to
cover
across.
We
want
to
talk
a
little
bit
about
how
you
can
use
tools
at
various
different
parts
of
the
development
lifecycle.
So
the
idea
of
this
workshop
is
we're
trying
to
help
people
who
maybe
haven't
done
a
lot
of
this
before
who
want
to
work
out
where
they
can
get
started
with
some
ideas
of
what
you
can
do,
the
commands
you
can
use
and
we're
going
to
give
you
the
examples
we've
got.
B
There
are
others
three
stages
in
the
development
process,
things
that
can
be
done
in
development.
So
what
can
you
do
in
development
during
the
development
process?
Then
things
you
might
want
to
do
in
ci,
cd
and
we'll
talk
a
bit
about
that?
We
won't
do
as
hands-on
for
that,
because
it's
kind
of
difficult
to
get
everyone
start
setting
up
their
own
ci
cd
in
the
middle
of
a
workshop.
We're
not
that
long
and
then
about
we're.
B
B
Course,
prereqs
in
terms
of,
if
you
want
to
follow
along
things,
you
will
need,
during
the
workshop
some
form
of
cuban
local
kubernetes
cluster
kind,
mini
cube
mic.
Anything
which
does
kubernetes
should
be
fine
if
it's
based
on
qbadm,
which
all
of
these
are,
it
will
probably
work
best
and
the
ability
to
download
and
run
binaries
in
one
of
those
operating
systems.
B
So
if
you've
got
windows,
wsl
will
work.
Fine
or
a
vm
will
work.
Fine,
linux,
macos,
freebsd,
apparently
as
well.
So
if
you're
very
unlikely
that
you
have
a
freebsd
laptop,
but
if
you
do,
then
this
will
also
work
so
yeah
any
of
those
setups,
obviously
don't
use
production
clusters
for
this,
because
we
will
be
installing
tools
and
running
them,
and
people
will
be
very
annoyed
with
you
if
you're
doing
production
so
test
clusters
are
advised.
B
And
right,
this
is
the
most
important
slide.
This
is
one
if
you're
going
to
take
pictures
of
slides.
I
would
thoroughly
recommend
taking
a
picture
of
this
slide
ground
rules,
and
this
is
already
mentioned-
yeah
people
up
front.
If
you're
going
to
do
workshop
stuff,
please
do
use
the
desks
at
the
front
also
phone's
in
tower,
but
I
think
everyone's
been
good
for
that
already
at
the
conference
materials.
The
slides
for
this
talk
are
at
slides.poundland.uk.
B
The
commands
for
this
and
I'll
show
you
in
a
second.
What
that
looks
like
are
at
commands.coundland.uk
and
the
setup
notes.
Just
notes
for
if
you're
going
to
do
stuff
are
at
setup,
do
unloading
dot
uk,
and
this
is
because
I
hoard
domain
names
and
that's
a
domain
name.
I
wasn't
using
for
anything,
which
is
why
I
put
in
lint
dot,
uk
but
I'll
show
you
the
oh
yeah.
B
B
So
and
then
what
we'll
do
is
we'll
have
a
quick
look
at
this.
Am
I
network
okay?
So
this
is
what
the
commands
file
look
like
and
basically
what
you've
got
here
is
at
this
top.
This
is
the
the
title
of
the
slide
will
be
on.
So,
if
you're
looking
for
like,
what's
the
right
command,
I'm
going
to
copy
paste,
this
is
in
case
you
want
to
copy
paste
the
commands,
if
you
don't
type
them,
some
of
them
get
pretty
long
copy.
Pasting
them
is
pretty
easy
and
typing
is
going
to
be
error
prone.
B
B
So
what
we
might
do
now
is
we'll
kind
of
change
things
around
we'll
do
a
little
bit
of
installing
trivia
now,
so
that
people
want
to
do
it
that
you
have
the
time
to
like
get
it
down
and
working,
because
it
might
take
a
little
while
to
download
so
first
things
to
do.
If
you
go
to
commands.pundlund.uk.
B
Bring
that
back
up
for
everyone's
not
got
it
go
to
that
url
and
get
the
the
installation
url.
This
is
the
installation
for
trivia
which
we're
going
to
use
quite
heavily
in
the
first
part
of
this,
so
I'm
going
to
put
that
into
so.
There
are
various
ways
of
installing
trivia
which
we're
going
to
use
through
this,
and
there
should
be
something
which
works
for
whatever
operating
system.
You're
working
on
if
you're
doing
debian
ubuntu
just
getting
the
dev
will
work,
fine,
there's
stuff
for
arch
homebrew.
B
It
will
work
fine
if
you've
got
homebrew.
If
you've
got
nicks.
If
you've
got,
you
can
do
an
install
script.
If
you're
feeling
brave,
I
mean
obviously
generally
for
security,
don't
go
curling
stuff
off
the
internet
and
running
it,
but
if
you're
comfortable
doing
that,
then
that's
one
option
for
you.
You
can
also
get
binaries
archives
just
from
the
github
repo
and
you
can,
if
you're
feeling
super
fancy,
do
it
from
source.
You
can
even
do
it
from
docker
hub,
so
there's
a
whole
load
of
different
ways.
B
B
So
what
to
do
now,
if
you're
planning
to
to
kind
of
like
go
along
with
it
rather
than
just
watch,
go
on
to
that
page
find
the
installation
methods
that
work
for
you,
and
just
like
kind
of
do
that
in
the
background
and
we'll
do
some
slides
before
we
get
to
the
first
command.
So
hopefully,
that'll
give
everyone
enough
time
to
have
like
got
to
the
point
of
running
trivia.
C
B
So
we
can
do
that
too.
Okay
right,
so
hopefully
everyone
who
wants
those
urls
has
got
those
now
so
I'll
leave
those
up
for
a
couple
of
seconds
to
make
sure
everyone
who
hasn't
got
them.
Yet
the
commands
ones
put
the
main
one
and
the
slides
all
the
information
is
in
the
slides
as
well
as
well.
So
if
you
want
to
just
use
the
slides,
url
you'll
get
all
the
commands
there
just
kind
of
easier
to
get
about
that
commands.
B
Well,
so
security
and
development,
when
developers
are
writing
code,
what
are
the
kind
of
things
they
could
do
to
try
and
improve
security
in
every
talk,
you'll
get
about
about
kind
of
supply
chain
or
about
developer
security.
You'll
hear
the
phrase
shift
left
a
lot
and
it
is
a
buzzword,
but
it
is
true
and
the
reason
why
people
use
it
is
because
it
is
something
I
thoroughly
recommend
is
doing
security
checks
as
early
as
possible,
the
development
life
cycle
and,
if
you're,
a
developer
and
you're
thinking.
Why
should
I
do
this?
B
The
advantage
is,
it
means
security.
People
are
less
likely
to
shout
at
you
when
you
get
to
production,
because
if
you've
done
your
stuff
in
development
and
you've
fixed
the
things
that
you
want
to
fix,
you're
going
to
pass
things
like
admission
control
in
production
clusters,
much
more
easily
you're
not
going
to
get
a
nasty
surprise.
When
you
try
and
deploy-
and
someone
says
hey,
you
have
left
some
flag
that
you're
not
allowed
on
your
kubernetes
manifest
and
we're
not
allowing
that
to
go
into
production.
B
If
you've
done
this
up
front
and
we'll
show
you
it's
super
simple
super
easy
to
do,
you
can
actually
get
that
kind
of
like
ease
of,
like
you
know,
confidence
that
things
are
going
to
deploy.
Okay,
you're
not
going
to
get
told
hey!
You
can't
deploy
this,
so
we
can
do
vulnerability
scanning
and
we'll
talk
about
how
to
do
that
and
also
iec
scanning
right.
Everything's
infrastructure
is
code
everyone's
using
it
it's
great
for
scanning,
because
it
means
it's
easy
to
scan.
So
we're
going
to
talk
about
iec
scanning
as
well.
C
C
You
want
to
make
sure
that
you
know
what's
going
inside
those
resources
before
you
actually
start
using
them
so
before
development,
then
during
your
development
process
and
also
when
you're
then
ending
up
to
build,
for
example,
the
container
image
deployed
in
your
test
cluster
deployed
in
your
staging
cluster
so
before
deployment
in
your
cicd
pipeline,
as
well
as
after
enduring
deployment
also
in
production
and
we're
going
to
walk
you
through
all
those
different
aspects
and
steps.
During
your
development
life
cycle
of
where
you
can
use
security
scanning.
B
So
vulnerability
scanning,
so
we're
gonna,
start
off
with
vulnerability
scanning
and
we're
gonna
use
container
image,
vulnerability
scanning
tools,
it's
a
useful
way
of
assessing
base
images
right.
So,
if
you're
thinking,
I
want
to
write
an
application
and
I've
found
a
really
cool
base
image
on
docker
hub,
and
I
want
to
use
that
one
of
the
very
first
things
you
should
do
is
run
a
vulnerability
scanner
over
that
image.
B
B
It's
literally
just
open
source,
you
download
it,
you
do
anything,
you
want
with
it
download
the
code
fork
it
you
know
all
great.
So
how
do
vulnerability
scanners
work?
This
applies
to
generally
how
vulnerable
designs
get
all
vulnerability
scanners
work
because
they
can
be
a
bit
black
box
right.
You
run
this
tool,
you
split
all
the
results.
You're
like
how
did
that
work
and
the
answer
is
it's
actually
conceptually
fairly
simple
vulnerability.
B
Scanning
tools,
basically
look
for
two
classes
of
thing:
one:
they
look
for
operating
system
packages,
so
most
container
images
will
be
based
on
a
distribution
debian
alpine
rel
centos,
something
all
of
those
things
have
got
a
security
database.
The
security
database
says
this
version
of
this
package
has
got
these
vulnerabilities,
so
all
the
vulnerability
scanner
does.
Is
it
downloads
the
database?
It
runs
the
package
management
tool
inside
your
container
image
and
compares
them
right,
and
it
says
this
version
has
got
this
vulnerabilities.
This
is
the
one
you
got
installed.
B
Therefore,
you
have
all
of
these
vulnerabilities
conceptually
pretty
simple,
there's
a
lot
of
kind
of
complexity,
nuance,
but
the
basic
idea
is
pretty
simple
and
then
the
other
thing
that
most
of
the
vulnerability
scanning
tools
and
open
source
will
do
now
is
they'll
do
programming
language
package
scanning.
So
this
will
be
things
like
npm
rubygems.
B
They
can
also
look
for
vulnerabilities
in
your
libraries
and
again
well
worth
doing.
A
third
actually
mentioned
worth
mentioning.
Is
that
things
like
golang,
specifically
for
golang?
You
can
actually
scan
inside
the
binary
as
well.
So
golang
binaries
will
tell
you
what
versions
of
libraries
they
have.
So
you
don't.
You
know
you
can
get
that
information
out
of
a
binary
as
well.
So
again,
a
lot
of
the
scanners
will
do
that
and
it
will
assess
whether
there's
known
vulnerabilities
in
installed
versions.
B
There's
been
various
talks
about
like
how
do
I
know
if
this
vulnerability
actually
affects
my
image,
and
the
answer
is
that's
a
really
tricky,
in
my
opinion,
really
tricky
question
to
answer,
but
the
easiest
thing
to
do
is
to
try
and
get
as
few
vulnerabilities
as
possible
into
your
images
before
you
start
tweaking
production.
A
scanner
is
a
great
place
to
start
so
open
source
vulnerability
scanners.
There
are
lots,
we're
going
to
quit
trivia
because
there's
one
meaning
well,
that
does
not
mean
it's
the
only
one
available
you
can
get
trivia
gripe,
clear
sneak.
B
B
B
Needs
help
and
ace
is
happy
to
help
if
it's
just
the
conference
wi-fi
being
slow,
though
we
probably
can't
help.
4G
might
be
your
friend
if
you've
got
tethering
and
you
don't
have
data
limits
that
are
going
to
cost
a
lot
of
money.
So
yeah
there's
lots
of
different
ways.
You
can
install
this.
You
can
use
homebrew,
apt,
yeah,
hopefully
now
everyone's
kind
of
got.
We
got
to
that
point.
We've
got
stuff
installed,
so
we're
gonna,
we're
gonna
start
off.
Let's
start
off
with
scanning.
B
This
is
the
most
basic
form
of
vulnerability
scanning.
What
I've
got
here
is
there's
two
commands
up
on
the
screen.
The
first
one
is
trivia
I,
which
is
just
shorthand
for
image,
so
you
want
to
do
an
image
scan
and
then
the
image
you
want
to
scan,
notably
you
don't
actually
have
to
have
like
this
image
pulled
down
locally
for
this
to
work
it
will
it
does
it
stuff.
Anyway,
I've
got
two
up
there.
First
one
is
in
docker
hub.
B
The
second
one
is
in
the
ecr
mirror
of
docker
hub,
because
I
was
trying
to
work
out
whether
we
would
hit
docker
hub
limits.
So
I'm
thinking,
if
we
all
scan
a
boot
to
2004
docker
hub,
has
limits
rate
limits
and
we
might
all
get
kind
of
like
told
no
you're
not
doing
it.
So
if
you
do
get
like
a
rate,
limited
message
and
you're
doing
over
conference
wi-fi,
you
can
try
that
second
one,
because
that
one
should
not
be
rate
limited,
I'm
told.
B
Okay,
so
basically
it's
just
as
simple
as
that
and
it
will
what
you'll
get
back
is,
and
this
looks
kind
of
messy,
so
I'm
gonna,
I'm
gonna,
give
you
the
neat
clean
version,
which
means
I
have
to
make
it
a
bit
smaller.
But
let
me
just
show
you,
because
the
table
is
super
nice.
Looking
how
small
do
I
have
to
make
this
that
gonna
work?
B
Hey
see,
the
table
looks
really
nice.
If
you
make
your
screen
small
enough,
so
basically
what
you
get
back.
If
you
run
this
vulnerability
scanner
is
you
will
get
back
a
set
of
vulnerabilities,
it
will
tell
you
severity.
So
we've
got
13
lows,
six
mediums
no
highs
and
no
criticals,
which
is
good.
It
will
tell
you
what
cve
is
not
is
you
know
it
thinks.
Is
a
problem
it'll
tell
you
severity
it'll,
tell
you
the
install
package.
So
what
that's
telling
us
is
core
utils
version.
B
8.3
30-3,
ubuntu
2
is
installed
and
I
think
the
cve
is
present
and
that's
just
literally
based
on
checking
the
version
installed.
What
cvs
the
security
database
for
ubuntu
thinks
is
present
and
it'll.
Give
you
a
title
as
well,
and
also
we've
got
some
links
out.
If
you
want
to
read
more
about
it,
you
can
also
read
more
about
the
cv,
and
that
gives
us
a
nice
table.
So
if
you
just
want
to
like
look
at
it
and
get
an
idea
of
how
the
image
is,
that's
not
a
bad
option.
B
B
Try
to
run
it
and
it
worked
awesome
right,
fantastic.
This
is
going
better
than
expected.
I'm
honest
one
thing
I
found
out
for
any
other
presenters,
there's
ethernet
on
the
stand.
So,
if
you're
up
here,
you're,
okay,
because
we've
got
ethernet
so
fantastic,
that's
a
basic
scan
now.
The
first
thing
we're
going
to
get
to
next
is
something
which
is
important
for
ubuntu,
specifically
and
debian
images,
which
is
there
a
flag
which
you
will
want
to
have
on
your
vulnerability.
B
Scanner
called
ignore
unfixed,
and
what
this
does
is
both
debian
and
ubuntu
have
a
list
of
vulnerabilities
that
they
have
not
issued
a
patch
for
right.
So,
even
if
you
apt
to
get
apt
update
to
the
latest
version,
the
vulnerability
will
still
be
present,
and
that
is
generally
because
they
don't
think
it's
that
serious,
mostly
but
they're,
not
that
concerned
about
specific
vulnerability,
so
they
won't
fix
it.
B
So
what
you
can
do
with
trivi
is,
you
can
just
say,
minus
minus
ignore
unfixed
and
if
we
do
the
same
thing
so
last
time
we
had
it
was
at
19,
and
this
time
we
get
four
right.
So
a
lot
of
our
vulnerabilities
just
vanished,
so
the
first
question
you're
going
to
have
for
yourself
is:
do
I
want
to
run
ignore
on
fix
or
not
because
a
lot
people
might
say?
B
Well,
I
want
to
know
about
all
my
vulnerabilities,
but
let's
be
honest:
if
you
actually
used
any
old-school
vulnerability
assessment
tools
like
rapid7,
qualis
or
nessus,
all
of
them
effectively
do
ignore
unfixed.
They
won't
tell
you
there's
not
even
as
far
as
I
can
tell
an
option
to
turn
it
on.
So,
if
you're
doing
like
for
like
comparison
with
old-school
vulnerability
scanners,
I
personally
would
always
turn
on
ignore
and
fixed.
B
I
mean
you
can
turn
it
off
like
if
you
want
to
know
like
I
really
want
to
know
what's
present,
but
for
practical
purposes,
if
you're
in
an
enterprise
and
you're
trying
to
compare
it
with
other
tools,
I
personally
would
turn
it
just
put
ignore
and
fix
on.
You
get
a
much
more
sensible
list,
and
basically
there
is
one.
Today
there
is
one
vulnerability.
One
package
they
have
not
updated,
which
has
got
some
low
cvs,
you're,
probably
not
too
concerned
about
that.
You
could
say:
hey.
B
That's
a
great
image,
I'm
happy
to
use
that
now,
so
that's
ignore
and
fix
it's
an
important
one
to
recognize,
because
a
lot
of
people
get
quite
concerned
when
they
first
start
using
container
scanning
and
they
run
it
on
like
a
debian
image
or
ubuntu
image
and
they
get
tons
of
vulnerabilities
like
what's
going
on
here.
That's
the
answer!
B
So
next
thing
you
might
only
care
about
high
or
critical
vulnerabilities.
You
might
not
always
care
the
you
know.
Actually
this
vulnerability
is
like
a
medium
or
low
depending
on
your
organization,
depending
on
your
threat
model,
your
risk
posture
might
say:
I
only
want
to
know
about
stuff,
that's
super
serious
and
we
can
do
that
as
well
right.
So
what
we're
going
to
do
here
is
we're
going
to
do
trivia
image,
so
you
can
put
eye
or
image
either
will
work
and
you
can
just
tell
it
severity
and
say
hey.
B
I
only
want
to
know
about
highs
or
criticals,
and
then
I
only
want
to
know
about
vulnerability
type
os.
Do
you
remember
when
I
said,
there's
two
types
of
vulnerability
scanning
there's
operating
system
and
this
broadband
language
package?
This
is
only
going
to
look
for
stuff
in
the
operating
system.
It's
that
you
know.
So,
if
there's
an
npm
there,
it
won't
look.
If
there's
rubygems,
it
won't
look.
So
you
can
fine-tune
your
scan
depending
on
what
your
role
is.
Maybe
you're
thinking
I'm
responsible
for
base
images,
I'm
not
responsible
for
the
app
devs
cool.
B
So,
if
you're
going
along
again,
I
would
probably
copy
paste
these
out
the
commands.
It's
going
to
be
easiest,
you
can
type
if
you're
feeling
super
confident.
I
personally,
as
you
can
tell
I'm
not
confident
enough
in
my
typing
on
stage,
so
I'm
just
going
to
copy
paste
and
if
we
run
that
it
will
yeah.
So
this
particular
image
has
a
lot
of
vulnerabilities
in
it,
and
this
is
what
I'm
saying
you'll
see.
This
is
older
images
you
can,
you
can
end
up.
This
has
got.
What
even
is
that
a
large
number?
B
When
I
did
my
when
I
got
these
slides
ready
last
week,
we
now
have
secret
scaring.
Apparently
this
one.
That's
a
good
example
of
how
secret
scanning
can
be
a
bit
tricky
because
that's
obviously
a
dummy
key,
because
you
can
tell
because
it
says,
sir
snake
oil-
that's
just
a
dummy
key,
but
it's
a
good
example
of
that.
You
can
also
use
this
for
secret
scanning.
We're
not
going
to
talk
too
much
about
that
at
this
in
this,
but
because
it's
just
literally
turned
up
but
useful
to
know
as
well.
B
B
B
Clear
and
I'm
hearing
clear,
yep
awesome,
everything's
clear
either
that
or
everyone's
stunned
into
sounds
or
struggling
with
conference
wi-fi.
So
just
to
give
the
example
of
you
can
also
do
you
can
also
do
library,
so
we
can.
We
can
flick
that
route
right.
So
maybe
I
am
someone
who
does
not
care
about
the
base
images.
I
only
care
about
the
stuff.
That's
in
the
package,
libraries,
I'm
a
I'm
an
app
developer,
I'm
not
in
charge
of
maintaining
images,
so
you
can
just
say
volume
type,
library,.
C
The
high
and
critical
flag
are
also
really
useful
and
we're
going
to
dive
into
more
detail
on
that
when
we
are
at
the
cicd
part.
But
if
you
want
to
have
checks
before
deploying
any
container
image
to
production
or
to
your
staging
environment
or
so
on,
then
you
can
basically
make
sure
that
the
pipeline
fails.
If
there's
certain
types
of
vulnerabilities,
yeah
actually.
B
B
It's
a
bit
of
a
tricky
topic,
because
what
is
high
in
cvss
or
critical
in
cvss,
your
your
particular
organization
may
or
may
not
care,
but
it's
unfortunately,
the
only
like
if
you're
just
getting
like
you're
doing
something
generally
like
a
tool.
You
can't
pick
out
like
what
an
individual
organization's
version
of
severe
severity
is
so
cbss
is
at
the
moment
anyway.
The
most
generally
accepted
way
of
scoring
vulnerabilities
and
and
the
high
critical
thing
just
relates
to
exactly
what
the
cbss
score
is.
B
So
another
thing
you
can
do
another
way
of
using
trivia
another
way
of
potentially
doing
vulnerability,
scanning
and
development
is
say
you
think
I
would
like
to
download
and
install
a
package
from
github
right.
I
want
to
go
and
get
this
repository.
I
think
this
is
a
cool
tool
and
I
want
to
have
a
look
at
it
before
you
do
that.
You
might
think
well,
let's
just
check
and
see
if
this
package
is
well
maintained.
B
I
know
okay,
you
could
go
and
read
the
the
files
yourself
look
at
the
change
log
and
work
it
out
or
you
can
just
run
a
repo
scan.
So
trivia
will
happily
scan
github
repositories
and
we
can
just
get.
We
can
tell
what
vulnerability
type
we're
looking
for
in
this
case
library,
and
then
we
just
give
it
a
url
so
get
up
url
any
github
will
work.
B
Let's
complete
that,
so
this
will
just
go
and
get
go
to
github
and
pull
down
the
repository
scan
it
and
what
it's
doing
and
I'll
show
you
what
it's
doing
when
it's
done
and
you
get
back
a
ton
of
vulnerabilities.
The
reason
being
this
is
a
relatively
old
rails,
app
that
I
built
last
year
and
vulnerabilities
stack
up
super
fast
in
that
area.
But
let
me
just
show
you
what
it's
doing
so.
What
it's
done
here
is
it's
gone
and
found
a
yarn
lock
file.
B
So
what
is
a
scanner
doing
so
sometimes,
when
vulnerability
scanners
don't
work
a
useful
thing
to
troubleshoot
them
is
to
understand
what
they're
looking
for
right
so
to
find
javascript
vulnerabilities,
one
of
the
things
that
trivia
will
do
is
it
will
look
for
anything
which
is
called
yarn.lock,
because
it
knows
that's
where
the
package
versions
are
so
it'll
get
that
and
that's
what
it
does
its
analysis.
So
it's
found
a
yarn
log
file
and
it's
also
found
a
gem
file.
So
it's
found
a
gem
lock
gemfile.lock,
because
this
is
a
rails
application.
B
B
We
can
also
do
it
the
other
way
around.
So
if
you've
got
files
down
locally,
you've
downloaded
files
onto
your
local
machine,
you've
already
cloned
the
repository
or
if
you
want
to
scan
stuff,
that's
your
own
code
right,
you
might
not
want.
You
might
not
have
this
on
a
github.
You
might
not
have
this
on
a
repository,
so
you
might
say
I
just
want
to
scan
the
file
system
right
and
again,
once
you
know
about
how
vulnerability
scanners
work,
all
they're
doing
is
looking
for
specific
files
analyzing
those
files
comparing
against
security
databases.
B
B
B
And
one
other
thing
you
can
do
is
you
can
say
you
know
what
I
don't
care
about:
the
rails
vulnerabilities.
I
only
actually
care
about
the
javascript
vulnerabilities.
So
the
only
thing
I
want
to
tell
you
to
tell
me
about
is
tell
me
what
javascript
vulnerabilities
do
I
have
in
this
package
and
just
give
it
a
specific
file
name.
So
if
you
know
the
file
name,
you
want
to
scan.
The
other
thing
is
if
your
scanner
is
not
picking
it
up,
for
whatever
reason
you
know
it's
having
problems
detecting
it.
B
B
B
So
obviously,
one
of
the
things
we've
seen
so
far
is
all
the
output
that
we've
had
is
table.
Format
and
table
format
is
nice
if
you
just
want
to
look
at
it
on
screen,
but
it's
not
super
useful.
If
you
want
to
analyze
it,
because,
obviously
you
know
trying
to
if
you've
got
like
500
vulnerabilities
and
they've
even
come
out
on
the
table,
it's
not
really
easy
to
share
that
information.
It's
not
really
easy
to
say:
hey,
I'm
going
to
save
this
somewhere
and
let
someone
else
analyze
it
or
I
want
to
analyze
it.
B
So
I'm
just
going
to
scan
another
another
repository.
I've
got
so
again
we're
just
going
to
tell
it.
We
want
the
output,
so
the
only
thing
we're
doing
differently
here
is:
we
are
going
to
we're
going
to
do
json
format,
but
apart
from
that,
this
command
is
pretty
much
the
same.
We're
just
picking
a
repository
on
docker,
hub
and
trivia
by
the
way
like
docker
will
default
to
docker
hub
as
a
registry.
B
So
just
taking
the
same
format,
I
know
some,
not
every
container
runtime
will
do
that
these
days,
but
it
just
defaults
to
docker
hops.
If
you
don't
tell
it
differently,
it
assumes
you're
talking
about
docker
hub
and
I'm
going
to
go
and
get
as
you
might
tell
what
I'm
looking
for
here,
because
I'm
going
to
get
an
image
called
spring
for
for
shell
demo
and
yeah,
you
get
a
very
large
amount
of
json
back
one
what's
interesting
here.
B
If
you
are
looking
to
get
more
information
about
specific
vulnerabilities,
is
the
json
format
has
far
more
information
than
the
table
format:
you're,
not
just
getting
like
version
number
and
like
severity.
What
you
actually
do
get
is
you
get
all
sorts
of
fun
stuff
like
installed
versions,
fixed
versions,
you
get
severity
source.
So
where
did
that
severity
source
come
from
because
the
fun
one
of
the
fun
things
about
vulnerabilities
is
different
bodies
will
score
the
same
vulnerability
differently.
B
So
if
you
look
on
a
github
security
advisory,
it
might
give
you
one
severity
and
then
you
go
to
the
national
vulnerability
database
and
it'll.
Give
you
a
different
severity,
which
of
those
you
want
to
choose,
is
kind
of
up
to
you.
But
if
you're
trying
to
work
out,
why
trevi
has
told
you
it's
a
specific
severity,
get
json
output
and
then
it
will
happily
tell
you
the
source,
so
that's
github.
So
this
particular
one.
The
information
came
from
github
security
advisory
and
it
also
tells
you
where
the
advisory
is.
B
B
Also?
It
gives
you
this,
which
is.
This
is
the
cvss
score.
This
formula
looks
very
fancy,
but
basically
that's
how
you
score
these
things.
It's
got
a
number
of
different
parameters
you
put
into
it
and
that's
how
it
comes
out
with
a
number.
I
have
a
whole
different
talk
about.
Why
that's
not
always
very
accurate,
but
that's
not
really
for
today,
and
it
tells
you
what
scores
there
are.
Cbs
has
two
versions:
v2
and
v3,
so
that's
in
there
as
well,
and
then
we
have
references,
so
you
want
to
find
more.
That's
there.
B
B
How
are
we
doing
with
them?
We're
done
yeah,
okay,
we're
all
awesome
right,
okay,
we're
doing
fantastically
it's
all
going
brilliant!
So
next
thing
we
want
to
do,
and
I
am
going
to
have
to
cut
very
much
if
you
do.
If
you
are
typing
along,
do
copy
paste.
This
one
do
not
try
and
type
it.
I
would
challenge
anyone
to
type
this
command
without
making
at
least
one
typo.
B
B
If
you
didn't
come
across,
it
was
a
java
ecosystem
issue
from
earlier
this
year,
that
was
fairly
nasty,
and
so
a
lot
of
companies
were
very
interested
in
what
is
their
exposure
to
spring
for
shell,
so
you
might
say
well,
I
know
the
cve
number
I'm
looking
for,
and
I
want
to
actually
just
find
that.
How
do
you
do
that
and
I'm
going
to
walk
through
this
one,
because
there's
a
little
bit
more
to
it?
There's
a
couple
of
tricks
here
that
are
important.
B
If
you
want
to
do
this,
the
first
one-
and
this
is
one
that
tripped
me
up
quite
a
few
times
before
I
got
it
right
if
you're
going
to
be
parsing
the
output
of
json
from
trivi,
you
need
to
give
it
the
minus
q
switch,
because
otherwise
it
gives
you
some
text
before
it
goes
into
the
json
and
any
json
parser
will
complain
horribly
and
say
I
found
something:
that's
not
json
in
here,
I'm
not
going
to
do
it.
So
minus
q
is
a
very
important
switch.
B
B
What
we're
going
to
do
is
we
look
in
the
results
array
and
we
look
in
the
vulnerability,
so
we're
going
to
look
at
the
vulnerability
id
for
every
vulnerability
returned
and
then
we're
just
going
to
use
a
select.
I
want
to
select
the
vulnerability
id
where
it's
cve
2022-22965,
so
this
will
just
tell
me
about
that
vulnerability.
It
won't
give
me
all
the
other
stuff
that
we
got
back
before.
B
B
So
one
other
thing
I'm
going
to
do
it's
actually
not
in
the
slides,
but
I
thought
about
it
after
I'd
written,
the
slides
is
another
tool
you
can
use
for
this.
If
you've
not
used,
it
is
jls
and
jls
is
really
handy
because
it
does
this
and
then
what
you
can
do
is
you
can
interactively
go
through
the
results
so,
for
example,
all
the
metadata,
you
can
have
a
look
in
there.
You
can
look
at
the
diff
ids,
the
repo
tags,
image
config,
which
is
quite
handy,
and
then
you
get
the
results.
B
So
if
you
want
to
actually
like
interactively
like
look
through
if
anyone's
not
used
j
less,
although
the
installer
got
a
bit
funny
when
I
installed
it
today,
it
did
some
rust
libraries
to
make
it
work.
It
is
actually
a
really
nice
way
of
interactively
looking
through
this
data,
because
you
do
get
a
lot
of
data
out
of
these
tools
and,
if
you're
trying
to
analyze
it
can
be
a
bit
painful
because
even
json,
you
know
it's
easier
if
you're
good,
if
you're
handy
with
json,
but
if
you're
not.
E
B
So
configuration
scanning
so
far
what
we've
talked
about
is
vulnerability
scanning
right.
We've
talked
about
the
idea
that
we're
going
to
look
for
vulnerabilities,
it's
relatively
it's
relatively
mechanistic,
I
mean
essentially
what
you're
doing
is
like
you
know,
which
things
haven't
been
patched.
With
the
exception
of
ignore
unfixed.
You
know
the
goal
is
basically
to
try
to
get
as
few
vulnerabilities
as
possible
if
your
organization
has,
as
large
you'll,
probably
have
a
policy
about
how
many
of
different
severities
you
can
have
before
you
go
to
production,
ideally
I'd,
say
zero.
B
However,
let's
all
be
realistic
here
if
you've
ever
tried
to
get
to
zero
and
maintain
that
in
all
of
container
images,
that's
pretty
difficult
to
do,
but
the
other
thing
we
can
do
and
is
a
great
idea
when,
when
as
early
as
possible,
the
development
life
cycle
is
configuration
scanning
iac
scanning.
So
we
can
do
this
either
during
development
or
when
using
third-party
projects.
If
you
are
downloading
people's
kubernetes
manifests
and
applying
them
to
your
cluster
run
an
iec
scanner
over
them
first
to
make
sure
they
have
been
done
with
decent
practices.
B
This
is
important.
I
have
seen
lots
of
third-party
manifests.
Do
some.
Rather
I
mean
you
might
be
okay
with
it,
but
I
would
recommend
running
the
scanner
and
making
sure
you're
okay
with
it.
So,
for
example,
they
might
do
something
like
say
I
want
a
privileged
container
or
I
want
to.
I
want
to
create
a
manifest
that
gives
this
particular
project
cluster
admin,
and
you
might
say:
well,
you
know
what
actually
I'm
not
too
comfortable
with
the
third-party
project.
Cluster
admin,
you
could
read
the
manifests.
B
B
B
You
know
all
of
them
will
do
things
like,
for
example,
checking
docker
files
to
make
sure
you're
not
running
as
root,
because
that's
a
pretty
standard
check,
but
each
rule
set
will
not
only
have
each
tool
will
not
only
have
different
rule
sets,
but
they
will
apply
different
severities,
I'm
kind
of
hoping
this
space
will
get
better
as
it
matures,
and
we
can
all
agree
on
like
what
the
severity
of
things
are.
Because
right
now
I
can
see
people
running
like
one
iec
scanner
and
saying
I've
got
these
vulnerabilities.
B
Then
your
auditor
or
pen
tester
runs
a
different.
Iec
scanner
gets
a
whole
lot
of
different
severities
and
you
have
this
kind
of
like
you
know.
What's
going
on,
that's
something
to
be
aware
of
when
you're,
using
these
tools,
there's
not
like
a
heart.
It's
not
like
cvs
escort
there's
no
cvs
score
for
ic.
It's
generally
that
the
tool
author
to
say
how
severe
they
think
something
is,
and
people
do
vary
on
that,
but
we
might
want
to
look
at
things
like
kubernetes
pss,
so
this
is
kubernetes
port
security
standards.
B
Kubernetes
pss,
essentially,
is
a
document
which
guidelines
on
how
how
locked
down
you
want.
Your
kubernetes
manifests
so
there's
three
levels:
there's
unrestricted
the
standard
and
restricted
and
you
can
have
any
you
know
of
the
two
you
kind
of
want
to
see.
Can
you
actually
comply
with
those
there's
also
cis
benchmarks,
so
there
are
cis
benchmarks
for
kubernetes
and
docker
if
you've
not
come
across
them
before
cis
benchmarks,
essentially,
are
vendor
neutral
configuration
guide
which
we
were
talking
about
on
friday?
C
B
So
what
we're
going
to
do
is
we're
going
to
show
you
how
that
works.
How
does
the
configuration
scanning
works
and
some
reasonably
simple
examples
of
what
you
can
do
to
do
configuration
scanning?
So
the
first
thing
to
do.
If
you
are
like
following
along
and
doing
the
demos,
is
you
want
to
do
just
get
clone
so
just
get
clone
that
and
again
this
should
be
in
the
this
should
be
in
the
commands
file.
B
So
if
you
just
if
you're
just
picking
up-
and
you
want
to
like
say
where
is
this-
you
want
to
go
down
to,
where
are
we
there?
We
go
configuration
scanning
docker,
so
just
find
that
in
the
text
file
in
the
commands
list
and
you
can
get
clone
that
repository
down
shouldn't
take
very
long.
It's
not
super
huge.
B
B
B
It
recognizes
kubernetes
manifest
it
recognizes
terraform
and
I
think
some
others
as
well
find
that
on
the
website,
but
definitely
those
three,
because
those
are
the
ones
we're
going
to
talk
about
when
it
finds
one
of
those
files
it
analyzes
it
and
attempts
to
say
what
is
wrong
in
here,
based
on
the
rule
set,
I've
got
and
we'll
we'll
talk
about
it
later
on.
You
can
actually
write
your
own
rules,
so
if
you're
not
happy
with
the
rules
that
come
with
this,
if
your
organization
has
got
specific
standards,
there's
nothing
to
stop.
B
You
writing
your
own
rule
and
adding
it
in
and
saying
all
right.
Okay,
I'm
particularly
concerned
about
this,
or
indeed
saying
you
know
what
I'm
not
concerned
about
this.
This
particular
thing
is
not
a
concern
to
me.
Therefore,
I
want
I
don't
want
to
be
reported,
told
about
it,
but
we'll
do
a
very
basic
scan
first.
B
Another
delay
of
open
source
is
that
this
output
completely
changed
from
yesterday,
thanks
to
open
source
team
being
very
fast
on
development,
it
actually
looks
a
lot
prettier
than
it
used
to.
So
what
do
we
get
back?
It
basically
says
I
phoned
a
dockerfile
and
it
found
a
dockerfile
because
it
was
called
dockerfile
like
most
dockerfiles
are
and
it
found
certain
things
in
it,
which
is
it
so
the
first
one
it
has
rated.
B
It
says
medium
specify
tag
in
the
from
statement,
so
standard
docker,
good
practice.
Is
you
don't
pull
from
latest
because
if
you
pull
from
latest
you
don't
know
when
the
underlying
image
changes
right.
I
personally,
I'm
sure
everyone
has
done
a
lot
of
docker.
Work
has
been
burned
by
pulling
from
latest
and
then
the
next
version
of
the
image
comes
out
and
it
removes
a
binary
that
used
to
be
in
there.
B
I
know
the
ubuntu
images
they
spent
a
lot
of
time,
slimming
them
down
and
a
whole
lot
of
my
stuff
broke,
because
I
was
using
ubuntu
latest
and
the
new
version
image
came
out.
They
pulled
a
whole
lot
of
binaries
out
of
it
and
suddenly
all
my
stuff
didn't
work,
so
don't
do
that
don't
run
docker
latest
run
224,
2004,
1804
or
whatever
tag
that
you
want
to
use,
but
don't
use
latest
next
one,
it
will
say
hi
and
again
this
is
subjective
severity.
B
You
might
not
think
of
this
as
high,
but
this
is
the
rating
from
the
tool
you
must
have
at
least
one
user
command
in
the
dockerfile,
so
any
docker
container
will
run
as
root.
If
you
do
not
specify
a
user
running
containers
as
root
is
a
really
bad
idea.
If
you
could
get
one
thing
fixed
in
your
container
ecosystem,
I
would
personally
recommend
make
sure
all
your
containers
don't
run
as
root.
B
The
reason
for
that
is
is
it
makes
it
much
easier
to
break
out
the
container
if
an
attacker
gets
access
to
your
container
and
they
are
the
root
user.
There's
lots
of
cvs
that
only
work
if
you're
ru
there's
lots
of
cvs
that
will
fail
horribly.
If
you're,
an
unprivileged
user
who
don't
have
any
rights,
you
will
make
attackers
lives
much
more
difficult.
If
you
don't,
let
people
run
as
route.
So,
if
you
take
one
thing
away
from
this
talk,
if
nothing
else
go
back
run
this
anywhere,
you
see
that
try
and
fix
it.
B
It's
not
super
simple
because
you
do
have
to
make
sure
the
application
still
works,
but
well
worth
doing
so.
We've
got
that
one
we've
also
got
some
other
ones
which
are
for
weird
stuff
in
this,
and
you
can
see.
We've
got
port
22
in
a
docker
file,
we're
running
ssh
in
this
docker
image.
Obviously
you
should
not
run
ssh
in
docker
images.
In
the
vast
majority
of
cases
there
may
be
some
edge
where
that
makes
sense
most
of
the
times
it
doesn't,
and
it
tells
you,
for
example,
exactly
what
line.
B
E
B
And
it
also
gives
us
some
other
stuff
as
well
around
package
managers
and
around
minus
y.
So
this
is
this
is
where
severity,
so
this
is
where,
personally,
if
it
was
me,
I
wouldn't
rate
this
as
a
high,
but
this
is
you
know
where
I'm
saying
severities
are
subjective.
It's
complaining
here
that
we
are
running
without
minus
y
and
if
you
don't
put
that
sometimes
it'll
pause
for
user
input,
and
so
your
docker
build
will
break.
B
So,
to
my
mind,
that's
like
from
a
security
standpoint-
I'm
probably
not
that
concerned
about
that,
but
from
a
maintainability
and
stability
standpoint,
that's
actually
quite
nasty
because
your
builds
might
break
you
know
something
else
for
input
and
and
then
last
one
yeah
maintainer
should
not
be
used.
Maintainers
should
not
be
used
because
it's
deprecated
maintainer
was
the
old
way.
Many
many
many
docker
versions.
Anyone
who's
around
when
docker
113
was
a
thing.
You
used
maintainer
statements.
B
C
It's
maybe
worth
also
pointing
out
that
you
don't
have
to
be
a
security
professional
to
use
trevi
and
check
your
manifests.
Your
deployments
from
this
configurations
when
I
got
started
with
kubernetes
configuration
checks,
helped
me
to
create
better
deployments.
So
this
is
really
something
that
anybody
can
use
to
improve
their
deployments.
B
That's
a
brilliant
point
and
I
would
say
that
that's
probably
the
best
point
about
trivia
or
the
most,
not
just
trivia,
but
any
configuration
of
vulnerability
scanner
is,
as
you
can
see
from
this,
you
don't
need
to
be
a
security
expert
to
run
this
tool
right.
There's
not
a
lot
of
specialist
knowledge
to
read
this.
It
has
advice
on
what
you
can
do
and
how
you
do
it.
So
you
have
the
opportunity
to
like
give
this
to
people
who
are
not
security.
B
Experts
and
say,
look
run
this
try
and
work
out
how
to
get
rid
of
some
of
the
highs.
Try
and
get
the
vulnerabilities
down
before
it
goes
further
on
to
the
development
process
and
people
get
used
to
it.
I
think
once
people
got
the
habit
of
saying,
for
example,
I
don't
want
my
docker
images
to
run
as
root.
It
can
become
part
of
general
practice,
and
that
is,
to
my
mind,
is
the
only
way
we're
going
to
improve
like
container
security
as
a
concept
is
by
people
gradually
applying
these
practices
getting
better.
B
B
Great
really
good,
so
what
we're
going
to
do
is
I
am
going
to.
Will
I
brave
why
why
not?
Let's
brave,
why
so
what
you
want
to
do
is
you're
going
to
edit
the
file
pick
an
editor
of
your
choice.
You
can
pick
any
editor,
that's
working
in
the
machine
you're
on
and
what
I'm
going
to
do
is
this
is
this
particular
bad
docker
file
is
helpfully
annotated,
so
we
know
what's
wrong
down
the
bottom
here
you
will
see.
B
B
What's
the
it
is
script,
okay,
yeah,
roughly
okay,
awesome!
So
then
what
we
can
do
is
once
we've
done
that.
So,
if
you've
done
that,
just
go
in
uncomment
that
line
and
rerun
the
scanner
and
what
we
should
see,
he
said
hopefully
and
it's
kind
of
hard
to
prove,
but
where
was
it?
I
think
it
was
there.
It
was
the
second
one,
so
it's
no
longer
there
right,
so
the
scanner
has
rerun
and
kind
of.
Predictably,
it
now
says:
hey.
I
found
a
user
line.
Therefore
you're
not
running
this
image
as
root.
B
B
Ultimately,
though,
that's
quite
hard
to
detect
automatically,
because
you
would
need
to
parse
everyone's
entry
point
scripts
and
like
work
out
where
they're
switching
to
a
non-root
user.
So
that's
a
limitation
of
automation,
right
automation
can't
pick
every
edge
case
up.
If
you
get
a
scanner
result
and
you're
like
hang
on,
I've
run
this
image
and
it
doesn't
run
as
root
is
a
false
positive.
B
But
if
you
think
about
how
the
scanner
works,
it
would
be
super
difficult,
but
potentially
possible
to
go
parsing
every
single
person's
entry
point
script,
looking
for
where
it
switches
to
a
non-root
user,
because
there's
different
ways
of
doing
that
as
well.
So
that's
just
one
to
watch
for
when
you're
running
tools
like
any
automated
tool,
don't
take
it
as
gospel.
Don't
assume
that
it's
right
about
everything,
but
you
can
try
to
understand
how
it
does
it
because
then
you
can
go.
Oh
it
does
it
like
this.
B
B
This
particular
manifest
that
it's
running
over
has
got
a
lot.
It's
a
really
bad
manifest.
This
manifest
should
never
see
production
apart
from
if
you're,
a
pen
tester
that's
where
this
this
comes
from.
This
is
my
manifest
that
gives
me
root
on
the
host.
If
you
don't
bought
security
policies
installed,
so
it's
basically
all
the
bad
things.
So
if
we
scroll,
where
do
we
go?
Oh
there
we
go,
we
can
see
things.
It
basically
is
going
to
complain
about.
So,
for
example,
it's
going
to
say,
allow
privileges.
B
Escalation
should
be
set
to
false.
This
is
actually
a
really
easy
one
to
say
it's
very
risk-free,
because
I've
very
rarely
seen
a
container
image
that
wants
to
go
from
an
ordinary
user
when
it
starts
to
a
privileged
user.
Once
it's
going
most,
the
time
goes
the
other
way
around.
So
if
you
set
a
low
privilege
escalation,
it
actually
stops
that
happening.
You
know,
and
you
can't
actually
do
that
so
and
what
it's
doing
is
it'll
then
give
you
a
range
of
where
it
looked
so
it
looked
inside
the
definition
of
this
container.
B
It
couldn't
find
the
statement.
Allow
privileged
escalation
equals
false,
so
it's
decided
you
are
vulnerable
to
this
issue
and
it
has
to
give
you
a
range
right
so
that
the
reason
those
range
of
lines
is
that's
the
definition
of
that
container
and
just
as
somewhere
in
there,
I
would
have
expected
to
see
a
low,
privileged
escalation
equals
false.
I
haven't
seen
that
therefore,
you've
got
this
problem
and
we've
got
a
whole
load
of
problems.
We
haven't
specified
an
app
armor
profile.
B
We
aren't
yeah,
we
aren't
doing.
Cap
drop
all
so
by
default.
Docker
will
give
you
access
to
certain
parts
of
routes
rights,
even
if
you
don't
need
them
if
you're
running
an
application
that
doesn't
need
any
part
of
which
rights,
if
you
think
about
an
application
that
maybe
you
had
it
running
on
a
vm,
it
was
running
as
an
ordinary
user.
It
doesn't
need
capabilities.
B
B
Let's
find
one
to
fix.
Where
is
the
one?
That's
really
bad
there
we
go
that
one
right!
One
of
the
things
that's
flagged
up
is
we
should
be
setting
privileged
to
false
right
privilege
to
false.
Is
the
is,
is
the
default,
but
I
actually
recommend
setting
it
explicitly
in
your
manifest
like
if
you've
got
a
template,
manifest
privilege
to
false,
because
it
makes
it
super
easy
for
scanners
to
find,
and
it
won't
do
anything
it's
not
going
to
hurt
it's
not
going
to
break
anything
unless
you
actually
need
to
be
a
privileged
container.
B
In
fact,
what
we're
doing
is
we're
setting
privilege
to
true
privileged
containers.
As
hopefully,
everyone
knows
are
super
super
dangerous.
You,
if
you
ever
need
to
have
a
privileged
container,
make
sure
that
whoever
wrote
that
manifest
really
needs
privileged
like
they
don't
just
need
rights
to
do,
modifier
fosters
and
path.
They
don't
just
need
rights
to
bind
a
port.
They
don't
just
need
rights
to
do
raw
traffic.
All
of
those
can
be
done
more
fine-grained
with
less
privileges,
privileges
basically
turn
off.
B
All
the
security
give
me
and
anyone
any
attacker
who
gets
access
to
a
privileged
container
will
break
out
to
the
underlying
node
guaranteed,
because
it's
super
trivial
there
is
nothing.
You
know
it's
going
to
happen
unless
you're
doing
something
funny
like
sandboxing,
but
basically
privileged
containers
are
super
dangerous.
Don't
use
them
so
let's
fix
that.
So
here
we
go
on
line
16
of
this
manifest.
B
Change
that
village
false
great
fix
the
issue
exit
and
then
rerun
the
scanner,
so
all
you
have
to
do
is
literally
I
mean
if
you
want
to
do
that.
One
pick
one
other
ones:
there's
lots
of
bad
things
in
there
host
network
is
bad
host
pit
is
bad.
Host
ipc
is
bad.
You
could
take
any
of
those
in
terms
of
false.
You
could
do
cap
drop
all,
instead
of
so
just
change
that
to
be
dropped
rather
than
add.
That
would
work
as
well,
but
any
of
those
things
is
bad
and
you
can
change
them.
B
Yeah
this
manifest
could
takes
a
lot
to
fix.
I
said
this
is
like
literally
the
worst
manifest.
I
deliberately
designed
it
as
like
the
most
horrible
manifest
if
anyone,
if
you
run
that
on
on
a
cluster
that
you
care
about
and
it
doesn't
get
blocked,
I
would
be
concerned
because
that
should
get
blocked
that
should
never
be
allowed
onto
any
cluster
because
dangerous,
but
what
we
can
do
now
is
we
can
rescan
and
we
should
no
longer
see
he
said
scrolling
up,
hopefully
no
mentioned
privilege
no
mentioned
privileged,
no
mentor
privileged
yep
okay.
B
So
there
is
nothing
there
that
mentions
privilege,
so
we
fixed
that
issue.
So
if
you
are
writing
manifest
or
you're
using
third
party
products,
you
can
see
how
you
could
use
this
scanner
to
fix
your
issues,
one
at
a
time.
Look
at
the
issue.
Some
of
them
are
easy.
Fixes,
like
the
level
of
escalation,
will
never
break
anything.
B
In
my
experience
doing
things
like
dropping
privilege,
you
want
to
understand
why
they
wanted
privilege
first
and
doing
things
like
dropping
capabilities
does
need
testing,
because
sometimes
you
might
break
something
you
do
have
to
watch
with.
Some
of
these,
don't
just
blindly
apply
everything.
This
says
this
is
like
the
whole
problem.
Hopefully,
the
whole
underlying
message
of
this
part
of
this
presentation
is
scanners
are
useful.
Do
not
blindly
accept
what
they
tell
you,
because
they
will.
They
don't
know
your
environment.
They
don't
know
how
your
clusters
are
set
up.
B
B
B
So
we
can
just
again:
we've
got
a
bad
terraform
file
in
this
directory
and
it
will
happily
go
away
and
tell
us
lots
of
stuff
is
bad
here,
because
again
this
is
designed.
So,
for
example,
we've
got
something
like
a
hard-coded
password
in
our
terraform.
Obviously
you
should
never
hard
code
passwords
inside
your
terraform
scripts.
We
have
got
one.
This
has
identified
it
and
said:
hey.
You
have
got
a
hard
coded
password.
You
don't
want
to
do
that.
B
And
you
can
see,
there's
lots
of
bad
things
inside
this.
So
this
again
we've
got.
We've
got
a
database,
and
this
is
where
I'm
saying
every
two
will
be
different.
Every
tool
you
use
for
ic
scanning
will
have
its
own
database
for
every
format,
so
some
of
them
will
have
more
or
fewer
vulnerabilities.
I
kind
of
personally
have
this
hope
that
someday
we'll
have
like
a
unified
database
of
these
things,
but
for
now
it's
pretty
much
tool
dependent,
so
do
watch
for
that.
B
C
Oh
yeah,
so
trivia
has,
since
a
few
weeks,
also
trivia
s
bomb.
So
you
can.
We
heard
a
lot
about
s-bombs,
basically
repository
like
an
inventory
list
of
your,
for
example
your
container
image,
so
you
can
run
trivia
s-bomb
to
generate
an
s-bom
of
your
container
image.
Now
we
also
have
a
docker
desktop
extension
and
you
can.
C
B
B
There's
like
five
new
things,
so
hopefully
we
will
catch
them
all,
but
yeah.
So
if
you
think
about
how
container
scanning
and
how
s
bomb
creation
works,
this
makes
sense
right
because
one
of
the
things
scatter
vulnerability
scanning
tool
has
to
be
able
to
do
is
it
has
to
know
every
package.
That's
installed,
that's
literally
part
of
what
it
does
so
there's
no,
nothing
to
stop
you
putting
that
into
an
s-bomb,
I'm
actually
going
to
mention
one
thing
just
in
passing,
where
s-bombs
or
some
s-bomb
tooling
might
not
find
everything.
B
If
you
have
a
container
image
and
the
main
program
is
not
installed
as
a
package.
Right
so
say,
I've
create
I've
compiled
the
binary
and
that's
the
main
thing
that
my
container
image
runs
and
this
bomb
tool
might
not
find
that
version,
because
how
would
it
because
what
it's
doing
is
using
a
package
database
so
something
to
watch
out
for
just
not
just
with
trivia
but
any
s
bomb
tooling.
B
F
B
So
you
can
do
malware,
you
can
do
more
scanning
of
images.
I
mean
malware
scanning
fundamentally
works
the
same
way.
It's
going
to
basically
look
for
known
bad
things,
so
it
has
a
pile
of
signatures
and
you
can
integrate
that.
The
question
is
finding
a
tool
that
will
understand
container
formats,
so
not
all
of
the
traditional
va
scanners.
Also,
the
malware
scanners
know
about
how
containers
work,
and
this
is
the
tricky
part.
B
I
mean-
there's
technically
nothing
difficult
about
it,
but
you
would
need
to
find
a
malware
scanner
that
understands
container
images,
I'm
not
going
to
get
commercial
products,
because
that's
something
that
we
do
the
question,
but
we're
talking
about
open
source
today,
I'm
not
actually
aware-
and
people
from
the
audience
feel
free
to
correct
me
of
a
container
scanning.
So
it
does
malware
right
now.
I'm
sure
there
is
one,
but
if
there
is,
I
don't
know.
B
Please
don't
do
that.
I
was
a
pen
tester
and
pretty
much
every
pen
test
I
did
of
a
containerized
environment.
I
found
at
least
one
image
that
someone
had
downloaded
from
a
random
docker
hub
repo
and
run
it
in
their
cluster.
Don't
do
that
because,
just
as
the
question
says
that
might
have
malware
in
it,
so
we
might
have
compromised
that
so
yeah.
Basically
it's
finding
a
scanning
tool
that
will
support.
It
would
be
the
answer.
F
F
B
B
In
I
don't
there
are
linting
tools,
I'm
not
sure
I've
seen
many
like
security
scanners.
I
know
they're
linters
for
bash
and
linters.
If
you
think
about
a
linter,
it's
a
very
similar
concept
to
a
config
scanner.
I
mean:
what's
it
doing
right,
it's
looking
for
bad
practice
based
on
signatures.
Fundamentally,
the
same
thing.
It's
just
question
of
focus
where
these
are
security
focused,
primarily
and
linters,
tend
to
be
good
practice
focused,
but
the
concept's
identical.
In
fact,
some
linters
do
security.
Some
security
scanners
do
linting
top
my
head.
No,
but
yeah
similar
idea.
E
B
Yeah,
that
is
a
problem
I
mean
if,
ultimately,
a
lot
of
people
will
end
up
when
it
comes
to
flexibility,
we'll
end
up
using
bash
right,
because
it's
super
flexible
and
everyone
likes
a
bit
bash
to
tie
everything
together.
But
you
do
need
to
watch
because
everything
you're
running
is
part
of
your
pipeline
or
part
of
your
development
process,
and
if
you
just
do
terraform
and
miss
the
bash,
you've
potentially
got
a
hole.
Yeah,
that's
a
good
point,
so
security
icd
we're
going
to
go
across
this
reasonably
quickly
because
we
can't
really
demo
this.
B
I
think
people
try
some
github
actions
in
the
middle
of
a
talk
would
go
very
badly
for
us.
A
couple
of
points
to
make
you
can
use
trivia
as
part
of
your
crcd
pipeline
and
we're
going
to
give
you
a
quick
example
of
a
couple
of
things
to
note
if
you're
doing
it
in
github
actions.
Personally,
I
love
github
actions
once
I've
got
them
working.
If
anyone
looks
one
of
my
repos
you'll
find
like
10
failed,
runs
before
the
first
pass
run,
because
it's
the
syntax
can
be
a
bit
tricky.
B
So
I
just
want
to
give
you
a
couple
of
pointers
on
stuff
that
I
went
wrong
with.
This
is
an
example.
You
can
pull
that
one
out
the
slides
later
on
what
this
does.
It's
a
github's
basic
docker
plus
cosign
action.
So
this
will
build
a
container
image.
It
will
cosign
it
and
I'll
add
one
to
the
number
of
talks
that
mention
cosine.
It
will
co-sign
out
and
it'll
also
vulnerability
scan
it
all
in
a
winner.
So
you
can.
B
Every
time
you
build,
you
can
say
I'm
going
to
create
a
container
image,
I'm
going
to
assign
my
container
image
and
I'm
going
to
vulnerability,
scan
it
in
a
git
of
action,
which
is
cool
because
it's
free
and
really
easy
a
couple
of
things
you
need
to
know
when
you're
doing
vulnerability
scanning
in
github
actions.
First
one
is
in
github
actions,
you
have
a
permissions
block
and
that's
what
can
this
github
action
do
to
my
account?
You
need
to
give
it
security
events
right.
B
So,
in
order
to
upload
things
to
github
security,
you
need
to
given
the
action
the
right
to
do
that.
The
right
you
need
is
security.
Events
right.
This
is
all
stuff
I
didn't
know
when
I
started
doing
this.
Second,
one
is:
how
do
you
know
to
tell
trivi
what
image
to
scan
so
I've
just
built
my
image.
I've
co-signed
my
image
and
those
were
in
previous
steps
in
my
action.
I
come
to
do
trivia
scan.
How
do
I
know
what
the
image
is
called
and
the
answer
is
basically,
this
is
the
interesting
part.
B
First,
you
tell
it
there's
a
variable
for
registry,
so
it
knows
what
register
to
get
it
from.
Then
you
tell
it.
There's
an
environment
variable
called
image
name,
so
you
know
the
image
name
is
and
then
there's
the
one
that
took
me
quite
a
lot
of
googling
to
find,
which
is
that's
the
tag,
so
it
says
steps.meta.outputs.version
as
a
variable.
That's
how
you
find
out
what
tag
to
scan
and
if
you've
got
those
three
things
together,
it
will
essentially,
after
it's
signed
it,
it
will
go.
Okay.
The
thing
you
have
just
signed
is
a
thing.
B
So
this
is
sarah
format
which
we're
going
to
use
to
upload,
which
we
can
use
to
upload
together,
and
so
you
just
tell
it
what
format
to
run-
and
this
is
the
this
is
our.
This-
is
our
action.
So
there's
a
there's,
an
aqua
security,
trivia
action
which
you
can
use
for
this
and
then
last
one
uploading
it
to
github
security.
And
this
is,
you,
then
uses
github's
action.
So
github
I've
got
an
action
for
uploading
sarif
and
you
just
give
it
the
file
name,
it's
pretty
simple.
B
It
looks
like
this
and
because
I
don't
maintain
this
one
very
well,
I
have
1281
code
scanning
alerts.
Hopefully
you
will
have
fewer,
but
this
is
a
useful
way
of
keeping
track
and
it's
also
useful.
If
people
are
doing
this,
you
can
look
at
the
repository
and
like
get
an
idea,
feel
for
security.
Like
you
know,
how
are
they
getting
on?
Are
they
are
they
maintaining
this?
Are
they,
like
you
know,
updating,
stuff
or
like
this?
B
C
C
So
once
your
workloads
are
deployed
inside
of
your
kubernetes
cluster,
you
still
want
to
continuously
check
those
workloads
what's
happening
inside
of
your
cluster.
How
are
your
container
images
that
are
already
running
performing
over
time
right?
Are
there
any
container
images
that
you
might
forgot
about
things
like
that?
So
you
want
to
have
regular
scans
for
compliance
and
insurance
and
runtime
security
to
attack
that
to
detect
any
attacks
and
yeah
anything
else.
That's
going
on
e-class,
it's
just
yeah,
okay!
C
So
who
has
a
kubernetes
cluster
locally
running
any
form
of
kubernetes
cluster
right
now?
Okay,
a
few
people.
Maybe
if
you
don't
have
one
check,
if
your
part
like
if
your
seat
neighbor
has
one
and
then
you
could
pair
up,
that
would
be
an
option
because
for
the
next
step
we
will
need
a
kubernetes
cluster
and
we're
going
to
install
the
starboard
operator.
Who
is
here
familiar
with
the
operator
framework
in
kubernetes?
Who
has
used
an
operator
before
in
kubernetes?
You
have
few
hands
awesome
great
of
you
awesome.
C
So
here's
the
white
paper
that
I
helped
review.
It's
a
really
cool
white
paper
that
details
everything
that
you
have
to
know
kind
of
about
operators,
how
they
work.
What's
the
theory
behind
them,
they
are
basically
used
to
automate
human
behavior.
At
my
previous
role
as
sre,
we
used
operators
pretty
much
for
everything
to
deploy
all
kinds
of
tools
across
thousands
of
tenant
clusters,
which
is
pretty
useful,
so
operators
we're
going
to
install
starboard
now
starboard
is
running
inside
of
your
caster.
This
is
from
a
previous
demo.
C
C
It's
just
another
set
of
kubernetes
resources,
pretty
much
that
you
can
install,
so
you
can
install
starboard
foot
different
ways
either
through
a
helm
chart
if
you
use
helm,
if
you
prefer
home
or
directly
through
cube
cattle,
apply
the
resources,
so
that
command
is
also
in
the
command
sheet,
and
you
can
go
ahead
and
install
it
inside
of
your
community
cluster.
That
will
create
a
separate
namespace
called
starboard
system
with
the
operator
living
inside.
C
Now,
as
you
can
see,
there
are
lots
of
different
specific
resources.
Let's
say
that's
stubborn,
it's
installing
those
are
custom,
resources
and
kubernetes
that
basically
extend
the
kubernetes
api
and
allow
you
to
have
the
configuration
scans
from
starboard
stored
as
another
kubernetes
resource
inside
of
your
cluster,
and
if
you
have
basically
everything
as
a
kubernetes
resource
living
inside
of
your
cluster,
that
means
you
can
integrate
starboard,
for
example,
with
all
of
your
existing
kubernetes
related
tools.
So
it's
not
a
separate
tool,
that's
living
outside
of
your
cluster.
It
builds
upon
existing
kubernetes
resources.
C
C
Whenever
you
have
a
new
deployment
or
whenever
one
of
your
running
container
images
change,
then
starboard
is
going
to
detect
that
change,
and
it's
going
to
create
a
new
vulnerability
report
for
that
container
image
yeah.
So
here
we
can
go
ahead
and
check
whether
your
starboard
installation
is
already
up
and
running
it's
properly
deployed.
C
Now.
The
thing
is,
which
I
kind
of
have
to
mention
that
trivia
now
supports
everything
that
starboard
does
because
we
are
going
through
some
changes,
so
you
can
still
use
the
starboard
operator
like
we're,
showing
you
here,
but
with
the
new
release
from
trevi
yesterday,
you
can
do
the
exact
same
thing
that
we
are
doing
here
for
starboard
through
trivi.
So
it's
this
exact
same
code.
Just
that
trivia
is
implementing
it
now
as
well.
E
C
So
now
we
to
create
a
vulnerability
scan
like
to
basically
trigger
starboard
to
create
a
scan.
We
need
to
have
a
deployment
now,
if
you
have
any
other
deployment
that
you
want
to
spin
up
in
your
cluster
or
you
already
have
deployments
running
inside
of
your
cluster,
you
can
go
ahead
and
you
can
check
already
through
four
vulnerability
reports
inside
of
your
cluster.
If
the
deployment
is
within
a
specific
namespace
vulnerability.
Scans
are
generally
namespace,
scoped
like
where
that
deployment
is
running
in
your
side
of
your
cluster,
so
yeah.
C
C
Let's
see
how
fast
it
happened
awesome,
so
here
you
can
see
how
many
high
medium
low
vulnerabilities
there
inside
for
that
deployment,
and
whenever
you
update
that
container
image
there
will
be
well.
You
will
see
the
updated
list,
but
you
will
see
also
the
all
of
the
previous
vulnerability
reports.
They
are
all
going
to
be
stored
within
your
cluster,
so
they
are
not
going
to
be
deleted
if
there
is
a
new
vulnerability
report
now
we
also
have
integrations
for,
for
example,
lens.
C
So
you
can
view
the
reports
with
more
detail
through
lens.
For
example,
jv
has
lots
of
different
extensions
and
add-ons
so
have
a
look
see
which
ones
are
useful
for
you
maybe
now
there
are
also
cluster
scoped
vulnerability
reports
and
for
most
of
the
audits
that
starboard
does.
You
will
have
a
specific
namespace
scoped
and
a
cluster
scoped
scan.
However,
the
cluster
scope
scan
only
runs
only
runs
every
three
hours,
so
you
won't
get
the
vulnerability
report
on
cluster
scope
and
like
until
the
next
three
hours,
at
least.
That's
why
I
experienced
it.
C
C
Come
back
later
awesome,
so
we
also
have
configuration
audit
scans.
So
while
you
won't
want
to
use,
for
example,
trevi
for
your
kubernetes
configuration
scans
with
configuration
scans
or
for
your
infrastructure's
code,
configuration
scans
starboard
also
performs
configuration
audits
from
within
your
cluster
and
again
they
are
specific
resource
scoped,
but
also
cluster
scoped.
This
is
some
other
thing
yeah,
so
we
have
here
our
config
audit
report
and
then
you
could
go
ahead
and
you
could
describe
that
config
audit
report.
C
So
here's
the
cube
I
need
to
see
id
now,
like
mentioned
trevi,
is
really
for
any
engineer.
Anybody's
who's
dealing
with
development
resources.
Starboard
is
really
focused
on
class
statements,
security
professionals
who
want
to
have
a
custom
setup,
so
you
wouldn't
just
use
starboard
as
as
itself,
you
would
integrate
it
with
your
other
tooling.
For
example,
you
could
visualize
the
vulnerability
reports
in
grafana
negotiate
dashboard.
If
there
are
new
vulnerabilities
pop
up,
then
you
can
get
alerted
things
like
that.
C
Okay,
so
infrastructure
scans.
We
also
do
cas
benchmark
scans
for
cubanitas,
with
a
tool
called
cubebench.
Cubebench
is
also
part
of
accra,
of
the
open
source
tools
and
starboard
is
integrating
cubebench.
So
it
will
create
a
cis
benchmark
report
for
every
node
that
you
have
within
your
cluster.
So
for
every
single
node
it
will
create
a
scan
we
you
can
also
with
the
starboard
cli.
You
can
run
cube
hunter,
no
we're
not
going
to
use
the
cli
right
now.
It's
also
going
to
evolve
in
the
future
towards
being
integrated
within
3d.
C
B
B
D
B
One
thing
I
just
very
quickly
mentioned
on
it
is
you'll
see
that
you
get
like
a
fail
count,
a
pass
count
and
a
warrant
count.
The
fail
count
is
things
that
tested
could
test
and
were
failures.
The
pass,
obviously
is
things
it
tested
nor
past,
and
the
warn
is
things
it
couldn't
test
and
we'll
talk
about
more
of
this
on
friday.
B
C
B
D
B
So
we're
going
to
talk
a
little
bit
more
about
this
on
on
friday,
but
the
way
it
works
is
the
nsa
has
a
hardening
guide,
which
is
not
a
compliance
benchmark,
but
we've
picked
out
things
out
of
that
which
we
think
are
checkable
and
we
think
can
be.
You
know
automatically
assessed
and
from
that
we've
we've
come
up
with
a
set
of
checks,
which
makes
sense
again
I'm
going
to
mention
the
fact
that
any
nsa
scanner
will
probably
have
different
checks
in
it.
B
So
if
you
say
I'm
going
to
do
an
nsa
scan
and
two
people
run
two
different
scanners
on
the
same
cluster.
It's
very
likely
you
will
get
different
results,
so
another
one
to
watch
for
tooling
is
do
watch
for
the
fact
that,
just
as
someone
says
they
do
something
you
have
to
go
and
read
exactly
what
you
mean
by
that.
So
we've
got
an
idea
and
he
said
see
if
it's
gonna
finished.
Oh,
it's
gonna
be
slow,
hey.
If
we
get
all
the
way
to
the
end
of
this,
and
only
one
demo
fails.
B
B
C
Awesome
so
here's
an
alternative
for
nsa
reports,
which
is
by
cubescape,
so
you
could
use
keepscape
instead
to
produce
nsa
reports.
Now.
This
is
like
the
brief
overview.
You
can
get
a
more
detailed
output
from
cubescape
if
you
put
like
an
additional
flag
at
the
end
of
your
command,
so
you
could
do
that.
You
know
they
also
have
a
ui
by
ammo
that
you
could
use
in
addition
to
the
ci
which
we're
not
going
to
show
you
yeah.
C
Yeah,
so
you
can
also
I
mean
we
mentioned
earlier,
so
we
might
not
have
to
go
into
too
much
detail
on
that.
You
can
also
write
custom
policies
for
you
to
scan
for
configuration.
Misconfigurations
within
your
cuba
needs
manifest.
So
with
tv
itself
you
can
use
regular
with
tfsec.
Like
I
mentioned,
you
can
use
yemen
or
json
depending
what
you
prefer.
If
you
use
terraform.
B
You
can
yeah
and
that's
chucked
out
the
results
for
custom
policies.
So
again,
that's
what
I
was
saying
is
your
organization.
Might
you
might
look
at
the
trivia
policies
and
say
you
know
what
these
don't
work
for
us,
but
they're,
all
you
know
editable,
and
you
can
say
you
know
what
I
don't
want
these
policies.
I
want
my
own
policies
so
cool.
It's
not
super
difficult,
write,
your
own
policies
and
then
you
can
adapt
and
again
just
adapt
the
basic
ones.
B
B
C
Yeah,
so
what
can
you
do
with
the
tools
now
or
what
you
can?
What
can
you
do
next
after
this
demo?
Well,
I
love
using
observability
tools
from
the
cloud
native
ecosystem,
so
I
like
to
integrate
starboard
inside
of
my
existing
observability
stack
to
get
additional
details
on
how
my
resources
are
performing
security
rise.
C
B
Yeah,
the
open
source
team
have
obviously
got
their
ideas,
and
lots
of
things
are
coming
in
like
secret
scanning,
which
turned
up
yesterday,
but
that
said,
we
are
always
very
interested
in
hearing
what
people
would
like
to
see.
Next,
like
you
know,
if
it's
something
you're
thinking,
hey
it'd,
be
great.
If
it
did
this,
but
it
doesn't
and
we
have
a
question
like
we
do
questions
we
have
yeah,
we've
got
I've
mentioned
we're
doing
all
right
for
time,
almost
exactly
on
time.
Awesome,
fantastic,
yeah,
there's
a
chat
there.
G
C
So
for
I
used
flex
in
one
of
my
demos
that
you
can
find
on
my
youtube
channel
with
starboard,
and
I
could
see
like
the
comparison
of
like
the
vulnerabilities
that
I
found
within
flux
versus
within
agua
cd,
for
example.
So
I
now
I
can
find
the
vulnerabilities
from
the
container
images.
So
if
it
can
find
the
container
images,
then
it
can
run
the
vulnerability
scans
on
them.
It
can't
I'm
not
sure
if
it
can
find
for
custom
resource
definitions.
The
misconfiguration
scans.
B
But
yeah,
I
believe
it
can
yet,
but
again,
that's
a
great
one
to
add
right,
and
this
is
the
thing
with
the
ecosystem-
there's
huge
numbers
of
different
platforms.
I
know
at
the
moment
the
team
are
working
on
adding
helm,
so
helm
chart
scanning.
But
if
you
absolutely
want
to
file
an
issue,
we
would
be
great
to
see
that
because
then
we
give
some
idea
of
what
the
demand
is
right.
You
know
if
everyone
says
I
would
love
to
see,
flux
and
more
scanning.
B
C
B
Yeah
so
yeah
that's
pretty
much
where
we
are
so
hopefully
that
provided
a
kind
of
a
useful
idea
and
give
you
know,
give
somebody
to
get
started.
Hopefully
I
get
I'd
say
what
you
take
from.
That
is
that
things
like
trivia
are
pretty
easy
to
get
started
with.
It's
not
super
difficult.
You
don't
have
to
be
a
security
expert
and
don't
get
put
off.
If
you
do.
B
If
you
use
trivi-
and
you
know
what,
if
something
goes
wrong
or
you're,
not
understanding
it,
there
is
a
slack
for
the
open
source
projects
pop
onto
slack.
Do
ask
us,
and
people
will
happy
to
try
and
point
you
in
the
right
direction
and
also
anes
has
got
great
stuff
on
her
youtube.
So
go
read,
go
watch
that
because
you
might
well
find
the
answer
in
there
because
there's
loads
of
good
videos
there,
and
if
you
want
to
look
for
those
we're
on
those
places.