►
Description
Anaïs Urlichs did a deep dive into the OSS tools from Aqua Security: Trivy, tfsec, Starboard, Tracee and more. We have discussed usage scenarios, custom policies, the integration touch points between the tools, and how to contribute.
Join our meetup group: https://www.meetup.com/everyonecancontribute-cafe/ Blog: https://everyonecancontribute.com/post/2022-03-08-cafe-49-aqua-security-open-source/
TOC
0:00 Introduction
2:39 Overview of Aqua Security OSS projects
3:22 Trivy: Container and IaC security scanning https://aquasecurity.github.io/trivy/latest/
16:40 Trivy: Custom policies https://aquasecurity.github.io/trivy/latest/misconfiguration/custom/ & differences to tfsec https://aquasecurity.github.io/trivy/latest/misconfiguration/comparison/tfsec/
19:34 Starboard: Vulnerability scanning in Kubernetes clusters https://aquasecurity.github.io/starboard/latest/
25:34 Starboard: Custom policies for Trivy https://aquasecurity.github.io/starboard/latest/integrations/vulnerability-scanners/trivy/
30:22 Trivy exporter for Prometheus
30:58 Aqua Enterprise insights into runtime protection
35:00 Starboard operator, with Prometheus metrics
38:00 Starboard integrations: Polaris, Conftest
42:58 Tracee: Runtime security and forensics using eBPF https://aquasecurity.github.io/tracee/latest/
51:55 Tracee: Differences to Falco discussion https://github.com/aquasecurity/tracee/issues/48
57:52 How to contribute: Slack https://blog.aquasec.com/open-source-developer-slack-community & projects https://github.com/aquasecurity
1:00:43 Q&A: Starboard reports dashboard, alerting, OOTB support in Aqua Enterprise, open-sourcing the tools to keep the pace of development, and reduce server load.
A
B
B
Yeah
so
oh
hi,
everybody,
I
know,
like
some
of
you
know
me
already
from
the
previous
meetup,
but
also
like
for
everybody
watching
online.
I'm
a
developer
advocate
at
aqua
security.
I
joined
their
open
source
team
a
month
ago,
so
I'm
still
very
new
to
those
tools
as
well.
When
I
was
preparing
for
this
meetup,
I
was
running
into
problems
and
figuring
out
things
and,
like
everybody
else,
getting
started
with
those
tools
that
I'm
gonna
show
you
today
and
I
or
we
want
to
make
it
really
like
a
conversation
right.
B
I'm
going
to
share
my
entire
screen,
which
is
a
bit
risky,
but
then
I
can
easily
switch
back
and
forth
so
shout
if
there's
something
that
you
shouldn't
see,
but
I
I
closed
everything
so
you
shouldn't,
so
it
should
all
be
good
but
yeah.
I
have
you
like
kind
of
like
down
here,
like
in
case
I'm
looking
down,
I'm
looking
at
you
yeah.
So
this
is
the
github
account
for
for
across
security,
and
we
have
several
projects.
Now
we
are
mainly
focusing
in.
B
My
role
is
what
I'm
working
with
was
my
new
focus
on
three
projects,
which
is
trevi
starboard
and
tracy.
Now,
when
you
get
started
with
this
project,
it
might
be
like
confusing
of
like
when
do
you
use,
which
ones?
Why
would
you
use
either
of
them
right
and
they
have?
They
have
different
kind
of
focuses
of
where,
like
which
part
of
your
application
security
you
you're
addressing
with
each
tool,
let's
say
so,
I
kind
of
prepared
a
little
bit
on
each
of
those
tools
which
is
going
to
go
through
them.
B
B
So
here's
kind
of
this
this
overview
where
trivi
fits
in
now
it's
and
that's
kind
of
the
feedback
that
I've
heard
it's
a
bit
confusing
because
it's
people
see
it
as
part
of
the
stack,
but
it
ultimately
just
says
that
with
trivia,
you
can
scan
your
container
images
vulnerability
for
vulnerabilities
your
file
system
as
well.
So
you
can
also
scan
your,
for
example,
your
go
application
for
vulnerabilities
and
misconfiguration,
and
also
your
infrastructure
is
code,
but
also
like
git
repositories,
for
example.
B
So
the
trivia
really
is
at
the
point
when
you
before
you
start
using
resources.
That's
when
you
use
trivia
like
to
scan
them
and
see
like
what's
wrong
with
those
resources
like
do
you
want
to
use
somebody
else's,
get
repository,
for
example,
or
maybe
you
want
to
stay
away
from
it
or
which
container
image
should
you
be
using
for
your
application
or
maybe,
depending
on
within
your
con
of
your
own,
within
your
own
container
images
yeah.
B
So,
with
treaty,
how
you
can
decide
it's
pretty
straightforward
once
you
find
the
the
documentation
which
tells
you
how
to
install
it,
I
can
also
link
skin.
You
can
kind
of
play
around
with
it
alongside
the
meetup,
if
that's
useful
or
if
not,
I
can
just
show
whatever
you
prefer.
What
do
you
prefer
yeah?
Should
it
just
show
things
you.
B
Okay,
later
on,
I'm
going
to
probably
share
some
more
important
links
yeah.
So
these
are
some
different
installation
options
and
once
you
have
trivia
installed
and
I'm
gonna
just
start
here,
you
have
access
to
it
and
it's
pretty
like
straightforward
in
terms
of
like
scanning
images.
So,
for
example,
if
I
want
to
scan
a
container
image,
I
would
just
post
trivi
image
and
then
the
image
that
I
want
to
scan
so,
for
example,
this
python
image
and
what
it's
going
to
do.
B
It's
then
going
to
access
some
depending
on
what
I'm
scanning
it's
going
to
access
the
relevant
databases,
and
in
this
case
it's
it's
downloading
the
database.
But
you
can
also
install
trivia
in
like
a
enclosed
environment
where
you
would
have
the
cache
for
the
database
safe
and
then
temporarily
update
it.
If
that
makes
sense.
B
So
if
you
only
want
to
see
the
vulnerabilities
that
are
that
already
have
a
fixed
version
available
right,
like
you,
don't
want
to
see
security
vulnerabilities
that
just
that
maybe
are
yeah,
are
not
specific
to
to
they're,
not
updated
yet
like
they
don't
have
like
a
fix,
or
you
can
like
filter
by
the
information
that
are
important
to
you.
For
your
specific
use
case.
What
else
there's
something
else
I
wanted
to
show
yeah?
B
You
can
also
skip
like
if
you
want
to
scan
faster,
you
can
skip
the
database
update,
for
example,
so
3d
image
scan
is
like
it's
it's
I
would
say
it's
pretty
straightforward,
like
you
should
specify
the
container
image
now.
I
think
if
I
just
take
a
container
image
from
docker
hub
or
another
remote
registry,
it's
gonna
like
pull
the
image
first
and
then
it's
gonna
scan
the
image
in
the
same
way.
Now,
in
this
case,
I
already
had
the
image
now.
A
A
B
C
B
But
that's
also
the
the
problem
with,
and
I
should
I
have
to
learn
more
about
it,
but
like
with
the
different
vulnerability
scanners
that
some
of
them,
like
they
access
the
information
from
different
sources
right.
So
some
of
them
will
be
updated
as
well,
faster
or
like
classify.
Different
vulnerabilities
is
vulnerabilities
versus
versus
other
scanning
tools,
so,
for
example,
yeah
there
there's
some
examples
where,
like
like.
In
this
case,
I
think
log4j
was
like
intriguing
right
away
like.
A
A
A
A
B
Tools
so
right
now
we
have
it
in
advance,
I'm
in
the
process
of
restructuring
everything
so
don't
rely
on
it
like
I'm
trying
to
make
to
make
it
more
visible,
but
yeah
here
you
have,
for
example,
gitlab
and
then
you
have
like
the
and
then
I
think
also
gitlab
is
integrating
actually
with
your
scanner.
F3B
from
what
I
heard.
B
Just
a
little
bit
just
a
little
bit,
let
me
right
okay,
so
you
can
also
right
now,
I'm
in
this.
In
the
example
repository
within
within
the
3d
repositories,
with
the
tv
repository
from
github-
and
you
have
like
here-
some
example-
infrastructures
code
file-
so,
for
example
the
mixed
one
and
in
here
you
have
a
config.
So
let's
check
out
mixed
conflict
configs,
so
you
have
like
a
docker
file
and
then
you
have
the
deployment
yammer
and
you
have
some
terraform.
B
B
Sorry,
I
was
even
surprised
so
there's
a
question
for
terraform.
Is
there
a
practical
difference
between
trivia
and
tfsec,
so
trevi
uses
tfsac
from
what
I
know
under
the
hood?
So
it's
it's
integrating
with
tf's
like
you
can
use
tfsec
directly,
but
there
shouldn't
be
a
difference
from
what
I
know
now.
A
A
B
B
B
It
can
well
so
for
vulnerabilities.
You
have
well,
you
can
scan
container
image,
you
can
scan
file
systems,
so
you
basically
put
the
path
to
the
to
the
file
system.
So,
for
example,
you
can
scan
a
go
application
or
on
our
application
for
misconfigurations,
for
example,
you
can
scan,
which
is
handy
in
like
containers
like
you,
can
go
into
a
container
and
then
scan
the
root
file
system
off
the
container
for
vulnerabilities
as
well.
B
You
can
scan
git
repositories
just
by
specifying
3v
and
then
the
repository
and
the
the
ul
sort
of
repository.
We
can
do
this.
Let's
do
this.
I
don't
know
like
the
thing
is.
I
think
it
gets
more
interesting
like
once
you
dig
into
the
details
right
versus
high
overview,
like
these
are
the
different
things
that
it
can
do.
D
D
Yeah,
mostly
what's
interesting
here
so
when
you
use
it
in
docker,
so
we
use
it,
for
example,
in
the
company
integrated
in
harbor,
so
harbor
io
is
also
using
it.
So
they
use
also
clear
and
how
to
be
in
containers
is
watching
that
it
pulls
the
data
and
then
doing
all
the
security
checks
locally
in
a
trivia
container.
So
he's
attracting
the
whole
file
system
in
the
end
and
then
is
doing
the
object.
So
it's
quite
interesting
because
then
you
see
a
lot
of
ports
when
trivia
is
standing
on
push.
C
D
D
B
Haven't
seen
next,
but
I
actually
set
up
the
exporter
for,
and
I
want
to
show
you
like,
with
prometheus,
just
the
setup
and
everything
to
to
get
the
vulnerabilities
report
from
stafford,
but
yeah
we're
going
to
get
to
that
after
this
yeah.
But
I
haven't
seen
it
for
trivia.
I
didn't
know
there
was
a
thing
like
sometimes
I'm
talking
to
people
in
like
even
github,
on
the
open
source
team,
and
they
mentioned
things
to
me.
Like
I
didn't
know,
it
existed.
D
B
B
B
Whatever
it
does,
if
you're
trying
to
speak
and
read
at
the
same
time,
so
you
can
basically
specify
different
like
things
that
shouldn't
be
included
or
things
that
should
be
included
into
that
manifest
right.
So,
for
example,
let's
say
you
only
want
to
allow
people
to
use
for
services
cluster
ap.
You
could
specify
this
through
regular
and
say
only
cluster
ip
can
be
used
as
a
type
as
a
service
type.
Anything
else
can't
be
used.
B
B
D
D
B
Drop
in
okay
awesome,
so
then
how
do
I
get?
I
want
to
change
too
there's
tracy
and
I
want
to
look
at
trevi
now
at
starboard,
where
starboard,
let's
go
back,
so
what
you
do
with
starwood
and
that's
kind
of
where
I
see
the
main
difference
and
oh
engine
I
think,
was
in
the
car
now
like
was
here
somewhere
or
in
the
chat.
I
think
you
join
cool
that
you
contributed
if
you're
still
here
yeah.
B
B
Different
scans,
that
are
custom,
thesis
definitions
and
they
show,
as
part
of
like
ask
cubanita's
resources.
They
show
your
vulnerabilities
and
everything
that
came
like
out
in
those
scans.
So,
for
example,
instead
of
like
well,
we
use
trivia
or
we
just
use
trevi
to
scan
our
container
image,
and
our
file
system
for
vulnerabilities
you
can
use
starboard
will
also
do
vulnerability
scans,
but
then
display
the
output
as
custom
resist
definitions,
so
you
have
them.
B
As
cuban
needs
resources,
we
can
take
a
look,
I'm
going
to
show
you
that
in
a
second,
how
that
looks
like
but
yeah,
so
you
basically
have
the
kubernetes
operator
and
the
command
and
going
to
the
this
is
in
rough.
Like
I
mean
this
isn't
very
like
I
would
say
more
detail,
actually
how
how
it
all
works.
I'm
not
going
to
go
into
detail
in
this,
because
I
think
this
is
a
really
detailed
drawing
of
how
it
works.
I
can
make
a
more
high
level
drawing
we
can
talk
about.
B
If
that's
interesting,
but
yeah
you
have
basically
within
the
operator,
you
have
different
options.
You
can
either
use
directly
cube,
cuddle
or
helm.
I
never
used
the
operator
lifecycle
manager,
so
that
might
be
interesting
but
yeah.
I
used
how
many
to
deploy
the
operator
select
operator
so
right
now
I
have
in
my
clusters.
I
have
an
example.
Cluster
running
and
I
have
did
I
lose
the
connection.
B
B
Access
it,
so
I
can
show
you
everything,
that's
installed
and
I
that's
why
I
kind
of
want
to
use
aggro
as
well,
because
so
right
now
I
have
within
through
argo
cd.
I
have
starboard
installed
the
starboard
operator
and
then
the
starboard
exporter,
and
which
we're
going
to
talk
about
in
a
second
and,
as
you
can
see,
like
hugo
city,
can't
really
like
control
the
custom
visas,
definitions
that
are
used
for
for
starboard.
B
That's
why
they
are
yellow
it's
not
that
something
is
out
of
place,
but
basically
so
you
have
the
starboard
operator,
that's
living
within
the
starboard
system,
namespace,
and
you
will
tell
the
starboard
operator
which
namespaces
it
should
control
and
scan
for
and
then,
for
example,
when
I
deploy
an
application
once
I
deploy
the
application,
I
will
run
automatically
the
config
audit
reports
and
the
vulnerability
reports
are
my
application
like
on
my
deployment
now.
The
thing
is
that,
but
the
interesting
thing
is
I.
B
I
found
it
interesting
when
I
got
started
that
each
of
those
vulnerability
reports.
They
are
part
of
the
life
cycle
of
the
deployment
itself,
so
you
delete
the
deployment
and
the
resource
is
gonna.
Be
deleted
as
well,
which
I
think
is
really
nicely
visualized
through
aguacity
that
it's
it's
not
like.
Those
reports
that
you
get
are
going
to
be
part
of
your
deployments
versus
of
your
of
of
the
operator
itself.
If
that
makes
sense
so
whenever
I
would
update
the
container
image,
that's
run
within
this
application.
B
A
B
So
it
does
it
automatically
the
starboard
operator.
Does
it
automatically
like?
All
I
did
really
was,
was
deploy
the
starboard
operator
so,
and
let
me
show
you
how
I
deploy
that
so
it's
like
all
I
did
was
here.
I
go
cd
starboard.
Can
you
see
this?
Is
this
big
enough?
So
this
is
all
I
did.
It's
just
the
helm
chart
right,
so
I
specified
the
first
of
all
the
starboard
operator
from
this
repository
chat
repository
and
I
installed
it
to
the
argo
cd
namespace
this
resource,
because
it's
managed
by
aguacd.
B
So
rbcd
will
then
know
where
to
take
the
chart
from
and
which
chart
and
which
version
of
the
chart,
and
then
it
can
apply
the
specific
values
that
I
want
to
change.
So
in
this
case
I
told
it
I
want
to
have
the
target
namespace
my
app
namespace
within
my
cluster
look
at
my
kubernetes
cluster
and
similar
to
to
treaty.
B
I
can
say
I
can
specify
additional
like
flags
such
as
ignore
and
fix
like.
I
don't
want
to
know
about
any
unfixed
vulnerabilities
because
they
just
noise
from
me
when
I'm
when
I'm
looking
at
my
vulnerability
reports.
So
then,
that's
going
to
be
deployed
like
the
helm
chart
is
going
to
be
deployed
within
my
cluster,
which
I
can
show
you
here
as
well
going
to
add.
B
So
when
I
define
custom
policies,
I
would
how
would
it
work
through
starboard
so
through
trivi?
What
I
would
I
guess
I
would
apply
them
part
of
it
as
part
of
the
values.
I
would
say,
here's
the
custom
policy
file
that
I
want
to
use
like
as
part
of
trivia,
but
we
could.
We
can
look
actually
at
the
helm,
values
so
going
to
is
the
starboard.
Where
am
I
no?
This
is
trivi.
B
B
B
A
A
B
A
B
B
Yeah
I
mean
you
could
set
policies
before
you
actually
go
ahead
and
write
like
some
things
that
you
might
want
to
enforce
all
the
time
right,
but
and
then
the
vulnerabilities
would
be
more
so
the
way
I
see
vulnerabilities
like
once
you
get
the
reports
on
the
vulnerabilities.
It's
it
already
happened
right
like
but
yeah
for
the
vulnerabilities
and
misconfigurations
you
would
see
which,
which
misconfigurations
are
present
within
your
class
and
which
ones
you
want
to
like
what
enforcement
like
about
policies,
yeah,
you're
right.
B
D
B
Yeah,
I
think
you
can
do
it.
I
had
a
conversation
with
about
something
similar
with
somebody,
but
I
think
you
would
do
it
in
your
if
you
want
to
do
it
through
your
deployment
like
when
you're,
when
your
deployment
happens,
you
would
do
it
for
a
trip.
I
would
do
it
for
trivia.
I
guess
that
I
basically
say
if
you
can
specify
a
futuri
like
that
it
should
return
like
an
error
code
and
then,
like
the
deployment,
should
fail.
The
pipeline
should
fail.
B
D
B
F
F
So
if
it's
got
vulnerabilities
above
critical
or
above
medium
or
high
or
whatever
you
want
yeah
and
you
can
define
custom
policies
based
on
different
environments,
so
you
can
be
a
bit
more
relaxed
with
dev,
so
you
can
define
that
quality
which
says,
mediums
and
highs
are
okay,
no
criticals
and
in
production
you
can
be
a
bit
stricter
and
that's
that's
kind
of
that.
That's
the
stuff
you
get
with
aqua
enterprise,
otherwise
you
have
to
you
could
probably
cobble
it
all
together
using
the
open
source
components,
but
just
a
bit
more
more.
F
A
F
Is
it
clean
or
is
it
not
and
it'll
fail
it
based
on
that,
and
obviously
that's
a
call
back
to
the
enterprise
product,
but
it
could
be
a
hook
to
trivial,
something
like
that
and
scan
it
on
the
fly,
obviously
slow
things
down
a
little
bit
or
you
can
build
your
own
whatever
you
want
off
the
back
of
it
basically
and
we've
just
obviously
done
the
work
to
to
do
that.
But
it
is
just
using
the
admission
controller
in
kubernetes.
F
F
F
E
B
Yeah,
so
what
I
wanted
to
basically
show
is
that
I
just
deployed
the
the
starboard
operator
and
the
starboard
exporter
is
external
right.
Now,
that's
also
great,
now
created
by
externally
by
some
by
another
team.
They
created
that
generally.
So
so
I've
deployed
those
two
and
have
running
inside
my
cluster.
B
That's
reporting
on
is
the
the
vulnerability
reports
like
what
vulnerabilities
have
been
found
in
so,
for
example,
I
have
here
20
high
vulnerabilities
in
in
my
I
think
in
my
cluster,
or
is
it
just
in
my
application?
Not
just
it's
just
the
app
name,
space
yeah,
it's
just
for
my
from
the
application.
My
react:
application
running
in
my
app
name
space.
That's
like
the
the
vulnerabilities
that
it
found.
B
So
you
can
then
also
like
create
nice
dashboards
that
I
haven't
gotten
to
yet,
where
you
display
all
of
that
right,
yeah-
and
you
can
also-
I
mean,
alternatively,
you
can
also
just
go
to
where
is
it
to
your
cluster
and
just
look
for
vulnerability
report?
And
then
you
should
see
a
vulnerability
report
and
now
it's
installed
system,
namespace,
so
namespace
and
in
the
app
name
space
I
could
have
just
gotten
all
and
want
to
ability
report,
and
then
I
will
see
the
vulnerability
to
put
so.
B
If
I
change
the
deployment
it
will,
the
starboard
operator
will
spin
up
a
new
job
and
that
will
basically
scan
to
a
one-time
scan
on
my
new
deployment
like
if
I
change,
for
example,
the
image
tag
here
off
of
my
deployment
but
yeah.
It's
it's
really
a
high
level,
because
I
want
to
go
like
over
all
of
the
tools
and
we
might
get
stuck
in
tracy
as
well.
B
B
That
I
have
my
all
my
monitoring
stuff
and
then
the
starboard
operator
and
the
starboard
exporter
and
my
application,
and
I
tell
starboard,
which
namespace
to
monitor
now.
It
can
also
make
cluster
white
scans
and
pen
tests
on
my
cluster
and
things
like
that
through
established
foodstuff
or
operator
as
well.
C
It's
it's
okay,
so
yeah!
I
I
just
asked-
and
maybe
you
explained
it
before
and
I
missed
it
and
could
you
show
maybe
how
we
can
exchange
the
compliance
part
of
starboard
from
polaris
to
conf
test
and
how
to
upload
a
rego
policy
into
this
contest?
Because,
to
be
honest
I
did
not
understand
the
documentation,
and
I
hope
that
maybe
you
can
show
this
in
a
simple
I
don't
know
deny
whatever.
B
B
B
Answer
this
question:
yeah,
let
me
help
you
tomorrow,
in
figuring
that
out.
Okay,
thanks
in
updating
me
updating
the
documentation
right.
This
is
great
feedback
that
it's
not
clear
on
how
to
update
from
polaris
to
confidence.
So,
basically,
starboard
is
using
lots
of
different
scanners
to
get
the
information
into
custom,
resist
definitions,
yeah,
that's
how
you
can
envision
it.
I
envision
it.
I
guess.
C
Just
one
question
to
this
configuration
checker:
are
there
any
plans
to
include
maybe
what
cubescape,
for
example,
because
so
how
is
it
for
additional
checkers,
for
example,
cubescape
from
ammo,
for
example,
because
their
results
are
also
quite
interesting?
Are
there
any
plans
or
is
it
something
I
could
do
for
them,
because.
B
B
The
goal
is
to
expand
the
types
of
checks
that
it's
it's
doing,
so
you
can
run
different
out
of
the
box
different
type
of
of
scans,
depending
on
what
your
application
has
to
comply
with
that's
kind
of
the
goal
or
like
moving
into
that
direction.
So
it's
I
haven't
like
looked
into
detail
comparison
between
starboard
and
and
cubescape
yet,
so
I
can't
really
comment
on
that.
If
you
can
see
like,
if
you
see
benefit
and
having
kubescape
integrated,
you
can
definitely
open
up
an
issue
and
propose
your
thoughts.
C
C
B
D
One
last
question:
okay,
only
last
question
and
then
we
go
into
tracing
give
a
report,
so
it's
also
possible
to
get
it
via
cli
right,
so
you're
not
forced
to
get
it
from
prometheus.
You
can
use
for
starbucks,
ctl
or
control,
and
we
enter
there
for
reports.
It's
like
a
convenient
way
to
use
it,
but
you
don't
want
to
get
about
matrix.
Can.
B
D
C
C
B
D
B
B
B
So
tracy
is
runtime
security
and
it
uses
under
the
hood
edpf
and
no
I'm
super
new
to
evpf
and
anything.
That's
it's
basically
running
below
my
application.
If
that
makes
sense,
but
what's
cool
with
tracy
is
that
you
can
basically
have
it,
for
example,
running
within
your
classroom
and
then
either
check
for
specific
processes
like
if
there
are
specific
calls
made
by
an
application
or
by
somebody
within
the
cluster,
then
it
can,
for
example,
alert
you.
B
So
if
somebody
is
using
some
debugging
processes
within
your
cluster
and
that's
kind
of
what
the
is
for,
but
I
can't
run
it
right
now
on
my
laptop
because
I
have
an
m1,
so
it
I,
I
will
show
you
in
the
cluster
like
some
examples
on
how
you
can
use
tracy,
so
you
can
either
use
it
directly
from
the
binary
or
you
can
use
it
for
a
container
as
well.
And
so,
if
you
have,
if
you
don't,
if
you
have
like
a
intel
based
machine,
then
you
can
run
these
commands.
B
So
you
can,
for
example,
run
this
and
then
in
one
terminal
and
then
run
in
another
one
straight
ls,
and
then
you
can
kind
of
see
like
an
example
of
it.
That's
how
you
could
replicate
it,
but
the
thing
is
why
you
would
want
to
use
tracy,
for
example,
is
when
you
or
like
evpf-
and
you
want
to
have
when
you
want
to
monitor
processes
that
are
within
the
kernel
space,
so
other
you
can
do
it
with
kind
of
a
or
like
some
demons
demon
sets
right.
B
That's
how
you
call
them
can
kind
of
can
do
similar
monitoring,
but
then
they
go
like
kind
of
back
and
forth
between,
like
the
part
they
are
in
and
like
and
and
the
underlying
infrastructure
versus
with
tracy
it.
It
can
kind
of
live
within
within
the
kernel
space
itself
and
and,
for
example,
monitor
what's
going
on
there
in
in
very
simple
terms,
so
you
can
like
monitor
processes.
B
There
are
also
lots
of
other
use
cases
I
still
have
to
dig
into
that
are
more
like,
for
example,
resource
usage
by
different
applications
that
you
can
monitor.
That's
also
interesting
for
observability
that
you
can
monitor,
which
application
you
use,
how
many
resources
what
is
like
and
then
have
alerting
based
on
like
if
there
are
any
visual
spikes
and
things
like
that
as
well.
So
there
are
lots
of
use
cases
we
have
as
a
main
use
case
kind
of
security
or
focus.
B
I
mean
tracy
own
security,
but
there
are
also
other
use
cases
that
I
plan
to
showcase
in
future
demos
as
well.
I
know
what
I
did
is
to
to
use
tracy
and
kind
of
show
you
some
some
parts
is
that
you
basically
so
in
here,
I'm
locked
into
one
of
my
notes
from
my
cluster
one
of
my
demo
notes
and
then
oh,
oh,
no!
This
is
not
good.
Okay!
Let
me
what
is
what
just
happened.
B
Okay,
maybe
let
me
close
this
and
log
in
again,
you
gotta
get
notes,
and
then
I
found
a
tool
called
cube,
cuddle
note,
no,
not
noteshell,
and
you
can
kind
of
what
it
does.
I'm
going
to
show
you
in
a
second,
so
here
that's
basically
it
cube
color,
no
shell,
and
then
it's
opening
up
a
container
within
your
cluster.
That
has
additional
privileges,
so
you
can
basically
access
the
node
now
on
here.
I
can
now
run
the
tracy
command
that
I
showed
you.
B
Now
I
have
to
remember
the
commands
somebody
showed
me
right
before
this
call.
So
what
happens?
If
I
run
this,
there
was
an
error
if
I
would
just
run
it
like
this.
This
is
the
error,
so
we
kind
of
found
a
workaround,
and
this
is
specific
to
to
to
google
that
they
have
a
modified
version
of
their
linux,
that
they
run
on
their
notes,
which
prevents
right
now
tracy
from
working
out
of
the
box.
B
That's
what
we
found
out
right
before
this
call,
or
like
kind
of
when
I
was
setting
it
up
earlier
today.
Now
what
you
can
do
is,
if
I
say,
trace
it's
gonna
trace
or
it's
supposed
to
trace.
I
think
it's
basically
like
showing
everything
that's
happening
within
that
note.
Right
now
is
like
oh
boom
right.
B
All
of
this
is
system
calls
that,
like
all
of
the
default
ones,
are
shown
right
now
now
you
can
also,
let's
list
does
that
do
again,
so
here
it
right
now
shows
just
the
default
system
calls,
but
you
can
also
like
filter
for
specific
system,
calls
that
you
want
to
monitor.
So
these
are
like
all
of
the
ones
that
they
can
monitor
out
of
the
box.
It's
a
long
list,
and
this
is
kind
of
what
tracy
does
as
it's
like.
B
B
B
C
A
A
A
B
B
B
B
A
B
A
B
D
B
So
it
has
a
set
of
of
rules.
A
set
of
these
are
called
signatures
and
they
basically
define
what
tracy
is
supposed
to
look
for
right
and
it
has
several
rules
out
of
the
box
that
defines
how
like
what
things
is
it
supposed
to
look
for,
and
the
thing
is
with,
with
tracy
and
and
falco,
they
kind
of
use,
different
rules
and
from
what
I've
heard.
B
When
I
don't
quote
me
on
this,
the
falco
is
more
high
level
in
like
the
things
that
it's
that
it's
monitoring,
but
you
can
use,
for
example,
tracing
to
together
with
falco
sidekick
or
with
our
posty.
So
you
could
integrate
with
the
follicle
side.
Kick
no.
I
haven't
done
that.
Yet
I
think,
but
with
so
tracy
is
basically
just
it
has
different
it's
different
in
in
some
aspects
and.
A
B
B
Yeah
so
offering
rules
you
can
either
do
it
for
rego
or
for
go
as
well,
and
then
you
can
kind
of
like
create
your
own
signatures
of
like
things
that
it's
supposed
to
look
for,
but
basically
the
signatures
that
tracy
has,
as
far
as
I
know,
are
based
on,
like
the
the
research
like
what
the
research
team
at
aqua
finds
and
things
should
be,
should
be
looked
at
by
tracy.
As
far
as
I
know,.
D
D
A
B
A
Think
I
think
the
the
really
great
thing
is
that
you
can
either
use
them
in
a
combined
integrated
way
the
open
source
tools
or
you
just
use
them
as
standalone
scanners
on
your
terminal
or
on
your
cluster.
You
can
play
around
with
them
without
being
overwhelmed
by
too
many
terms
and
technology
and
stuff,
and
then
move
on
and
like
building
lego
bricks,
somehow
pulling
it
all
together
and
making
everything
more
secure.
A
B
So
just
when
you're
using
starboard
like
if
you
identify
like
a
use
case
or
you
are
using
starboard
already-
and
you
have
a
use
case-
just
writing
down
the
steps
and
sharing
them
in
a
pr,
and
it
doesn't
have
to
be
perfect
right
but
like
right
now
we're
just
really
building
up
that
content.
So
that's
like
what
I
would
refer
you
to
of
like.
B
B
A
B
A
Smaller
issues
and
ways
to
learn
the
code
if
you're
familiar
with,
I
think
trivia's
written
everything
is
written
in,
go
like
getting
familiar
with
the
code
base,
the
code
style,
maybe
reading
existing
pr's,
which
have
been
merged
already
to
get
a
feel
of
how
things
are
implemented.
Maybe
this
is
something
I
do.
I'm
reading
the
git
history
and
the
commits
to
see
the
the
thought
process
and
the
design
process
to
like
get
a
feel
of
what
is
needed.
What,
where
could
I
start
implementing
my
own
changes?.
B
Yeah,
that's
that's
great.
We're
definitely
like,
please
do
do
contribute
if
you
were
lost.
Please
message
me,
and
we
also
have
a
slack
channel
where
you
can
reach
out
to
us
and
ask
questions
about
each
tool
and
yeah,
and
we
can
help
you
get
started
as
well,
but
yeah
documentation
is
is
something
that
we
would
love
to
have
everybody's
input
on
this
code
photo
went
well
we're
using
slack.
E
B
So
right
now
they
are
all
kind
of
separate
resources
in
your
kubernetes
cluster,
so
you
would
have
to
filter,
for
example,
through
the
exporter
that
I
showed
earlier
for
those
different
ones.
You
can
use.
Also
the
if
you
want
to
have
some
some
ui
visualization
you
can
use,
for
example,
lens
now.
You
can
also
have
reports
as
pdf
that's
kind
of
more
visualized
yeah,
but.
E
B
B
E
C
F
Starboard
was
built
to
make
our
lives
easier.
Basically,
so
it
used
to
be
that
the
functionality
of
starboard
partly
lived
inside
of
aqua
enterprise,
and
we
saw
there
was
definite
value
of
kind
of
releasing
that
as
an
open
source
project
and
and
it
acts
as
kind
of
the
linchpin
that
pulls
all
this
stuff
together.
So
we've
been
a
aqua
enterprise
is
kind
of
a
series
of
components,
but
the
main
one
was
the
console
effectively
the
server
and
it
was
busy
doing
everything.
F
So
it
was
a
way
of
kind
of
offloading
all
that
cue
bench
cube
hunter
starboard,
tracy
stuff
to
something
that
could
manage
it
independently
and
obviously
open
source
just
makes
sense
for
someone
like
that
to
kind
of
keep
the
pace
of
development
and
it
made
it
cheaper
for
us,
so
that's
kind
of
the
history.
That's
why
we
break
out
like
that,
but
it
it
kind
of
when
you
deploy
aqua
console
you,
you
don't
even
know
it
but
you're
getting
starboard
by
default,
because
everything
hangs
off
of
that.
B
B
Just
gonna
stop
sharing
yeah,
so
that's
the
overview.
We
also
have,
if
you're
interested,
to
learn
more
about
the
details
of
treev.
We
have
a
live
stream
or
if
you
have
any
questions
or
how
to
contribute
how
to
get
started.
We
have
a
live
stream
this
thursday,
on
tv,
on
the
open
source
channel
on
youtube
as
well.
So
you
can
join
us
there
too.
Yeah.