As part of our software supply chain with KubeClarity series, we've covered all the foundational concepts for understanding the need for KubeClarity and the problems it can solve using SBOMs(Software Bill of Materials) and network vulnerability scanning to protect against software supply chain attacks. By now, you already have a high-level introduction to KubeClarity and where to find it. So In this blog post, I will take you through the internals of KubeClarity.

What you already know about KubeClarity

KubeClarity is a tool for detecting and managing Software Bill of Materials (SBOM) and vulnerabilities of container images and filesystems. A secure scan with KubeClarity will sort through runtime Kubernetes clusters and CI/CD pipelines to generate SBOM documents and vulnerability reports for enhanced software supply chain security.

What you may not know yet

What's up with the name KubeClarity? The KubeClarity project started with a focus on securing Kubernetes-based containerized deployments to improve visibility and clarity in securing supply chains.

Optimized for Kubernetes environments, KubeClarity can run in any containerized environment and scan clusters, pods, files, images, directories, RootFS, packages, and applications. You can run it both on-premises and in cloud environments  for system-wide network vulnerability scans.

SBOM analysis and vulnerability scans are definitive steps to securing software supply chains. However, running these tools can be complicated, and many unknowns exist. The KubeClarity software simplifies this process quite a bit for you.

KubeClarity can provide clarity on

• What is the best way to generate accurate SBOMs for vulnerability scanning?
• How do I ensure comprehensive discovery of all programming languages and package managers?
• How do I cater to various OS distributions?
• How do I track package dependency information in my runtime software, which is usually stripped upon build?
• Which is the best scanner/SBOM analyzer for specific programming languages and OS distributions?
• What needs a secure scan: Git repos, builds, container images, or runtime?
• What is the best time to scan it? Is it at development, build, deployment, or run times?
• How do I compare the results of various scanners- each scanner/analyzer has its own format and vulnerability databases?
• Once a secure scan is complete, how do I manage the discovered SBOM and vulnerabilities?
• What is the "blast radius" of a vulnerability? How does a vulnerability in my image or package affect my application?

The secret sauce of KubeClarity

KubeClarity can clarify and answer critical software supply chain security questions with its unique approach by optimizing the process for an accurate Software Bill of Materials (SBOM) detection and vulnerability scanning.

Several existing tools, like Syft, Trivy, Grype, etc., offer SBOM generation and or vulnerability scanning capabilities. Each tool uses specific formats and may be better suited to finding vulnerabilities in a specific programming language or OS distribution than the others. Some tools are only suitable for some types of scans or deployments. There isn’t a universal scanner or analyzer.

“KubeClarity's approach is not reinventing the wheel by creating another SBOM generator or vulnerability scanner, but maximizing the value and integrating popular open-source analyzers and scanners to create a comprehensive and accurate vulnerability analysis.”

It can be visualized as a union of SBOM analyzers and vulnerability scanners with pre-and post-processing modules to generate a universal SBOM and a vulnerability dependency graph to navigate and fix vulnerabilities. Figure-2 below shows the steps in generating universal SBOM and the vulnerability dependency graph.

Network vulnerability scanning features

KubeClarity's core features are expandable integrations, pluggable architecture, CI/CD pipeline automation, a user-friendly web portal, and developer API integrations. These are the ingredients that make KubeClarity unique:

1. Two-Phased Scanning:
   • Scan application resources/target content to generate SBOMs.
   • Scan the SBOMs for vulnerabilities.
2. Parallel Scanning Infrastructure with Pluggable Components:
   • Run multiple SBOM analyzers in parallel.
   • Run several vulnerability scanners in parallel.
3. Runtime Scans:
   • Scan to detect vulnerabilities discovered post-deployment.
   • Private registry scans and secrets management support.
4. Diverse Input Types:
   • Kubernetes clusters, pods, containers, files, images, directories, RootFS, packages, and applications.
5. Vulnerability Graph:
   • Group scanned resources (images/directories/packages) under defined applications.
   • Navigate the tree dependencies (applications, resources, packages, vulnerabilities)
6. Flexible Operations:
   • Multi-modal operations with the transferable state between CLI, UI, and APIs.
7. Custom Configuration & Filters:
   • Customizable configuration settings to support SBOM analysis and scanning.
   • Customizable filters to visualize vulnerability trends.
8. Exportable Reports:
   • Exporting all vulnerabilities to a CSV file allows automation and integration with a ticketing system like Jira.

Architecture

Future blog posts in this series will go deeper into the architecture but let's take a look at KubeClarity's high-level architecture first. The architecture diagram in Figure-3 below shows how to make the secret sauce.

KubeClarity modules

KubeClarity adopts a modular architecture with dedicated functional components that handle input scan requests via CLI/UI/API and then spawn worker jobs to run the scans and post the results to the relevant modules, as seen in Figure-3 above in the architecture diagram. Here is a list of key modules:

• Backend Module
• UI
• SBOM DB (For SBOM Storage)
• PostgreSQL KubeClarity DB
• Runtime Scan Orchestrator
• Centralized Scanners (optional) for storage efficiency

We will drill down into these modules and develop a deeper understanding of the design flows and API invocations in upcoming blog posts.

Implementation

The backend service is implemented in GO lang, and the front end is implemented in JavaScript. When you walk through the source code, you will notice that each backend component in the architecture diagram is organized as a GO module in the source code, so it should be straightforward to follow these functional components in the code and import them into your existing projects for integration as needed. In Figure-4 below, you can see a snapshot of the breakdown of source code composition :

Configuration

Change default configuration settings in values.yaml and customize deployments as needed. To enable and configure the supported SBOM generators and vulnerability scanners, set the "analyzer" and "scanner" config under the "vulnerability-scanner" sections. Regarding configurations, you can change one module's settings without affecting others unless two modules have a dependency, in which case the file will say so. It's easy to navigate and edit values.yaml as the config values are organized into sections, as shown below in Figure-5:

Deployments

Installation and deployment configurations are straightforward to run using Helm charts. In the next blog post, we will go through hands-on instructions for installation steps to bring up a KubeClarity deployment in a Kubernetes cluster and locally in your Docker environments. There are several flavors of installation options, including:

• Binary distribution
• Docker image
• Local compilation

Operations

UI

A user-friendly and intuitive UI portal that helps kickstart scheduled scans navigate contents of SBOM documents, and observe vulnerability scans with contextual filters. There is also an option to fire up UI for local testing with synthetic data sources.

CLI

There's a handy CLI you can run locally, which is great for CI/CD pipelines. It lets you generate SBOM and scan it for vulnerabilities based on images and directories, exporting results to the KubeClarity backend by transferring the state from CLI to the backend.

API

APIs expose all the functionality in the CLI and UI. Swagger API descriptions are great for integration and automation.

Advanced features & functionality

You can tweak more advanced knobs to customize your vulnerability scans. So we'll save the topics for after we dive deep into the architecture and installation.

Vulnerability scans and the role of KubeClarity

Putting it all together, Figure-6 below provides a mental map of KubeClarity and summarizes what it is, what it is not, and where it is valuable.

Next up

Are you getting restless to get your hands on KubeClarity? Well, the wait is over. Let’s get into the installation process right after this and get equipped with some hands-on instructions for vulnerability scanning.

Pallavi Kalapatapu is a Principal Engineer and open source advocate at Outshift, formerly Cisco’s Emerging Technology & Incubation organization.