Kritis

Kritis (“judge” in Greek), is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, and in a subsequent release, Grafeas.

Here is an example Kritis policy, to prevent the deployment of Pod with a critical vulnerability unless it has been whitelisted:

imageWhitelist:
- gcr.io/my-project/whitelist-image@sha256:<DIGEST>
packageVulnerabilityPolicy:
  maximumSeverity: HIGH
  whitelistCVEs:
    providers/goog-vulnz/notes/CVE-2017-1000082
    providers/goog-vulnz/notes/CVE-2017-1000082

In addition to the enforcement this project also contains signers that can be use to create Grafeas Attestation Occurrences to be used in other enforcement systems like Binary Authorization. For details see Kritis Signer.

Getting Started

Learn the concepts in the Kritis whitepaper
Get Kritis running with the Installation guide
Try the Tutorial to learn how to block vulnerabilities
Read the Resource Reference to configure and interact with Kritis resources
Resolve image tags to hashes using the resolve-tags plug-in

Contributing

See CONTRIBUTING for details on how you can contribute.

See DEVELOPMENT for details on the development and testing workflow.

License

Kritis is under the Apache 2.0 license. See the LICENSE file for details.

About

Software supply chain security for #Kubernetes apps

https://grafeas.io/docs/concepts/what-is-kritis

Apache License 2.0

Languages

Language:Go 86.3%Language:Shell 6.5%Language:Makefile 2.9%Language:Dockerfile 2.2%Language:Python 1.8%Language:Smarty 0.3%