Grafeas filtering / Kritis integration

Petko Petkov

Aug 20, 2020, 5:34:06 PM
to Grafeas Users
Hello All, 

I'm a recent Grafeas user and I see so much potential in this project.

I'm trying to implement CI/CD for container scanning images, storing the CVEs in Grafeas and making a binary decision using Kritis on whether the image is safe to deploy based on the policy. I'm planning on having one project, then storing all CVEs as notes and then different image versions as occurrences.

Is there a way to search or filter in Grafeas for a given image name and get all CVEs?

How is Kritis integrating with Grafeas? Could I deploy it standalone in a Kubernetes cluster?

Any help would be much appreciated. Thanks in advance.    

Regards,
Petko

Balázs Gyurák

Aug 24, 2020, 1:22:30 PM
to Grafeas Users
Hi,

I am not familiar with the details of the Vulnerability Kind, but I have done a lot of work with Grafeas so I will attempt to answer. Note that I will talk about the "v1beta1" API version.

> Is there a way to search or filter in Grafeas for a given image name and get all CVEs?

Yes, you can specify a filter in your "ListOccurrencesRequest" request object. Have a look at the docs for the filtering.

> How is Kritis integrating with Grafeas? Could I deploy it standalone in a Kubernetes cluster?

Yes, you can. As for the how, it depends on the Kind. I've mainly worked with attestations. For those, Kritis queries Grafeas to fetch the list of attestations for a given image. In your case, I believe what you need are ImageSecurityPolicies. Have a look at Kritis' code for exact details on how the integration happens.

Thanks
Balazs

Petko Petkov

Aug 26, 2020, 7:45:24 PM
to Grafeas Users
Thanks Balázs Gyurák, it should be enough to get me started. 