From YouTube: StackRox Community Meeting #18 - 2023-09-12
Description
The StackRox community meetings are held on the second Tuesday of every month. We use this time to get together and discuss gaps in the product and how best to move forward. Contributors are rewarded with StackRox gear as the RoxStar of the month.
- If you want to learn more about the project, head to StackRox.io
- The project's code repository can be found at https://github.com/stackrox/stackrox
A: All right, welcome, welcome, StackRox open source community. This is the September community meeting. I'm Mike Foster, community lead, along with Matthias Meidinger, my co-leader, and we have a packed day for you: 4.2 releases coming out next week, so we want to go through some of the updates for that, general open floor discussion and, of course, announcing a cloud service free trial, so I'm just gonna get right into it. There's a 60-day free trial for ACS cloud service. That's the paid version!

A: So if you ever want to evaluate StackRox, the open source, again, same product, you just don't have to manage Central yourself. Do you want to go and test it out before maybe deep diving into the open source community? Welcome to do that. You of course get support with that too. Even though we try to answer what we can in the Slack channel, we don't always get to it on time, which is why we have this session.

A: So again, I dropped a link in the community notes if you want to check it out. Other than that, the other big news is 4.2 got moved a week. It was supposed to be yesterday. It got moved to next Monday, so Matthias is going to take us through all the notes, but ACS 4.2 next Monday. I'm gonna give us the update... handing over to you.
B: Yeah, so that's, as with this update, one of the main reasons why we are usually not communicating fixed dates, as opposed to just saying it will be out mid-September. Things can always happen and we prioritize the stability of our product above holding dates. So engineering made the decision to move the 4.2 release one week back from the originally planned release date, but we are also shipping with a whole lot of features, so starting off with PostgreSQL. So this has been in the making for quite some time.

B: We started with 4.0 with this one, and now we can actually announce the general availability for a Central DB as well. So if you are using Postgres, you can actually bring your own database to run as Central DB. And besides that, we also have changes to the vulnerability management workflow. So the vulnerability management is something that has been also in the rework for quite some time now and, if I remember correctly, what we do amongst other small changes is, you can use new vulnerability management policy criteria.

B: So, for example, you can search for: is this CVE... are there CVEs that are fixable that we found in our product? So there's new criteria to filter vulnerability management data. The next thing for general availability is RHCOS node scanning. So if you run StackRox or ACS on OpenShift or any node that runs Red Hat CoreOS, we will be able to completely analyze all the installed packages and also provide CVE information about the node itself. And, speaking of maybe more secure things,

B: ACS is now supported on OCP running in FIPS mode. And with that said, I think, Foster, you can... I'm not entirely sure on the FIPS mode. If you want to go and enlighten us a little bit on that one?

A: Oh really, throw me under the...
A: Like, Federal Information Processing Standard, thank you. Yes, it's one Google search away. It's a government standard. OCP has been certified for this and so ACS as well.

A: There's like certain levels of security, like level one is you do a certain amount of processes, all the way up to level four. So if you're fully certified in FIPS, that means you're the highest level. I'll put a link in the document for people who want to find out more as well. But just in general, hey Kong, thanks for joining. Another one: I'll lead you off with a process listening on ports. It's a very exciting feature.

A: That's getting an update, so this originally came out in 4.1, correct? With... yes, and then the updates. What's the update in 4.2?
B: The update is, we now have a menu in our web interface to actually provide the information. So we have, yeah, right, so up until now the information about which listening endpoints a deployment or container or pod uses was only accessible through the API, but now we also have a web UI entry, which is called Listening Endpoints. So keep an eye out in the web UI for the Listening Endpoints menu or submenu.

B: It will list you all the ports that the deployment or pod is actually using, and so it's not only about which ones it defines, but this is actually runtime-collected information on which ports connections happened. And speaking of which, collection of this information is actually done through multiple different ways by our Collector, and one of the next GA announcements is CO-RE BPF. So one of our newest and most flexible collection methods for general information is now generally available for all x86_64 and s390x architectures.

A: And for context, it's compile once, run everywhere eBPF modules, so this alleviates engineering effort. It also alleviates the amount of support that we can give to the various nodes and customers out there, and so that's coming out for the first time in 4.2 now, correct? So kernel modules got deprecated with 4.0. CO-RE BPF, is that going to be the standard that we recommend customers and users to use moving forward, correct?
B: Going forward with this GA announcement, the CO-RE BPF collection method is the default selection and is our recommendation how users and customers should collect data in their clusters. And speaking of actually general clusters and workloads, we have our StackRox Scanner, which is able to scan your workloads for security flaws and possible fixes, and we also expanded its capabilities. So the scanner is now able to scan Ubuntu 22304 and 010, as well as Debian 12 and Alpine 3.18.

B: And honestly, the node scanning is exciting and I'm very much looking forward to hopefully expand the scanning capabilities to more node OSes as well. But for now we are primarily focused on workload OSes, so container OSes, which means, for example, Ubuntu minimal. And that said, we have one more announcement to make, and that might be a little bit of a more controversial one, which is we will introduce with this release opt-out telemetry and usage data collection. And this has been in the past...

B: This has led to trouble for open source projects in the past. So we actually tried to make this in a sensible manner and also we don't want to basically sell any user data or anything like that. So to put that out of the way first, we are not collecting user data to sell it or to process it by third parties or sell it to third parties. We are collecting usage data and telemetry data, because we as engineers actually have trouble, well, getting feedback.

B: Basically, because Red Hat is a very big organization and getting direct feedback from customers and users is a little bit harder the bigger the organization is. So what we will do is, we will collect information, general telemetry about your deployments.
A: Also, just to jump in here, the main purpose is to be proactive instead of reactive with customers. Instead of you coming as a user onto the Slack channel in StackRox and saying, hey, I have this issue, we'll be able to see the crash data a lot easier. It gets sent to us, and it's one way that the open source community helps make the product better, and it allows you not to have to open up a Slack channel every time something went wrong, right? We can see that data.

A: We can go in and actually understand it a little bit better, instead of having to go back and forth in GitHub issues for four hours, right? So it really is for the better of the product, in just the usage case. That is the main goal, and again being proactive in terms of what integrations we support, who's using what, allowing us to scale a lot better by seeing if somebody's using an open source cluster that's massive and they're having performance issues or something like that.

B: What I also want to emphasize is the data that we collect is completely anonymized, so we do not know who is running this cluster, what the namespaces are called, or your workloads or anything like that. We do not know at all about these things. In general, I have collected all the data that we collect and I'm pasting these in the meeting notes, and also in the meeting notes

B: I will be sharing the link to our documentation, how to actually opt out of data collection, and also the direct link to GitHub to the piece of code where you can actually see what we collect. So we're not trying to hide anything. If you are interested in looking up what we collect, there is a link to the GitHub page. You can take a look and see for yourself what we collect and what we do with that data.
A: And again, next meeting will be the second Tuesday next month. So if you have any questions we'll address them there; anything that comes up, feel free to drop in the Slack channel as well. And there is going to be a What's New. So even though I just outlined all of the updates, Boaz, ACS PM, and myself are going to clip it for you in about eight to ten minutes; it'll be on YouTube.

A: If you want to get the full rundown next Monday with the release notes, that'll be live for you again next Monday on the YouTube channel. On to the last point, general questions. So August seemed like a pretty quiet month. I only found three questions in the Slack channel. Some of them were answered, but I just wanted to bring them up here. Does StackRox support OPA Rego rules, similar to NeuVector? NeuVector supports OPA rules. I'm not familiar that NeuVector does it.

A: However, there is no support for OPA rules in ACS. You can still set up some sort of policy based off of ACS scans. Like NeuVector said in that article, it's basically NeuVector was doing a scan and then initiating an OPA policy rule in Kubernetes based off if it, like, failed or passed, or depending on how vulnerable it is or not vulnerable, you can trigger specific rules. You can do that with ACS as well, just a little bit of hacking in your pipelines.

B: This is, into it, definitely more of user usability issues. So as far as I'm concerned, I just checked right before this meeting, we do not have any capabilities to filter the findings that we have, so yes, grep, and grep with the regex feels like a hack, and it is, but until we actually implement any kind of filtering I guess that's the way to go. And also there...
A: This is kind of a cop-out, I think. Yeah, I was going to say, I think for the security team, the developer team is probably the one where they're like, we just want to inform the developers when there's something critical that is in their code. But Mike, look forward to more information. I might open up an issue, see if there's something internal that's been opened, because I don't think that you're the first person to run into this. Last one, Oliver B had a syslog issue: "Sometimes I see the error: max message is 8096."

B: I'm not entirely sure if we even have a max message size. There might be a technical limitation by the protocols and systems involved, but StackRox or ACS itself, depending on what kind of messages you get... For example, if you crawl all the vulnerability data or all the violations that we have found since the moment you started the product, the answer will be rather large. So I am not entirely sure if, besides technical limitations, we have a max message limit, but we can look that up.

A: I'll follow up and see if we can get an answer from engineering. Last thing, open floor. I know there's two people on the call with us. Matthias and I were talking about starting a little demo project, so anybody in the open source community that wants to, even if it's, you know, 4.2, 4.3, after the release, before the release, if they want to demo a feature to the public, come to the open floor, give a quick demo of whatever you're working on. I'll cut...
A: We will take silence as a no, but again I'm gonna drop in the StackRox chat as well as the ACS engineering chat to see if anybody wants to take me up on the offer. I will cut you a great YouTube thumbnail and make you look great on YouTube. So again, if anybody wants to practice their StackRox demos, let me know, and other than that we'll see you October 12th, I believe. I just want to check to do... October 10th, October 10th.

A: We have Sunday on the first next month, so second Tuesday, October 10th, we'll be back with the community meeting after a successful 4.2 launch. Let's see, if you want to take us away.

B: Sure, so thanks all for watching. I have been joined by Michael Foster and my wonderful co-chair... I'm Matthias Meidinger, signing off. So folks, as always, if you have any questions, feel free to open a GitHub issue. Stop by in the Slack, ping us, we will be there for you. Until next time, take care.