Resolve Starboard vulnerabilities after scan
We want to implement Cluster image scanning vulnerability resolution.
- The Create Starboard vulnerability internal API endpoint now responds with the newly created vulnerability finding UUID.
- The Agent collects these UUIDs.
- After having created all vulnerabilities, it sends all collected UUIDs to the new Resolve Starboard vulnerabilities internal API endpoint.
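As an added illustration (not code from this MR, the agent or GitLab), the create, collect and resolve sequence modelled in plain Ruby and replayed against the three test reports used in the validation steps. The `VulnerabilityStore` class, its method names, the de-duplication by identifier and the `report_type` scoping are assumptions, not GitLab's implementation.

```ruby
require 'securerandom'
require 'set'

# Constructed stand-in for a Rails vulnerability record (not GitLab's model).
Vulnerability = Struct.new(:uuid, :identifier, :report_type, :state)

class VulnerabilityStore
  attr_reader :vulnerabilities

  def initialize
    @vulnerabilities = []
  end

  # "Create Starboard vulnerability" endpoint: returns the finding UUID.
  # Reusing the existing record for an identifier seen before is an assumption.
  def create_starboard_vulnerability(identifier)
    vuln = @vulnerabilities.find { |v| v.identifier == identifier }
    vuln ||= Vulnerability.new(SecureRandom.uuid, identifier, 'cluster_image_scanning', 'detected')
                          .tap { |v| @vulnerabilities << v }
    vuln.uuid
  end

  # "Resolve Starboard vulnerabilities" endpoint: every detected cluster image
  # scanning vulnerability whose UUID was not reported in this scan is resolved.
  # Findings from other scanners are out of scope and are left untouched.
  def resolve_starboard_vulnerabilities(reported_uuids)
    reported = reported_uuids.to_set
    @vulnerabilities.each do |v|
      next unless v.report_type == 'cluster_image_scanning' && v.state == 'detected'
      v.state = 'resolved' unless reported.include?(v.uuid)
    end
    @vulnerabilities.map(&:state)
  end
end

# Agent side: create every vulnerability of one vulnerabilityreport, collect the
# returned UUIDs, then call the resolve endpoint once with the whole list.
def process_vulnerability_report(store, identifiers)
  uuids = identifiers.map { |id| store.create_starboard_vulnerability(id) }
  store.resolve_starboard_vulnerabilities(uuids)
end

# Replays the three test reports: identifiers are constructed sample values.
def replay_test_reports
  store = VulnerabilityStore.new
  [
    process_vulnerability_report(store, ['CVE-A']),          # report 1
    process_vulnerability_report(store, ['CVE-A', 'CVE-B']), # report 2
    process_vulnerability_report(store, ['CVE-B'])           # report 3
  ]
end

puts replay_test_reports.inspect if __FILE__ == $PROGRAM_NAME
```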
How to set up and validate locally
- Create a fresh project and commit an agent configuration:

```yaml
# .gitlab/agents/gke/config.yaml
starboard:
  vulnerability_report:
    filters:
    - namespaces:
      - test-namespace
```

- Register an agent to the project and deploy it. Then patch the Deployment's image and `--kas-address`:

I tunneled my local KAS with ngrok.io; other tunnels work just as well if there's no connectivity between cluster and KAS.

@@ -37,7 +37,7 @@ spec
       - args:
         - --token-file=/config/token
         - --kas-address
-        - grpc://127.0.0.1:8150
+        - grpc://8.tcp.ngrok.io:11439
         env:
         - name: POD_NAMESPACE
           valueFrom:
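Review bot: the new `--kas-address` in this hunk is a plain `grpc://` URL to a public ngrok TCP endpoint, so the agent token read from `--token-file=/config/token` and all agent traffic cross the internet without TLS on the agent-to-tunnel leg. That is fine for a throwaway local validation, but the steps should say so and point anyone repeating this against a shared KAS to `grpcs://` or a TLS-terminating tunnel instead.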
@@ -49,7 +49,7 @@ spec:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.name
-        image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:stable
+        image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:3bc5634
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3

- Apply the vulnerabilityreports CRD (unless Starboard is already installed in the cluster):

```shell
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/main/deploy/crd/vulnerabilityreports.crd.yaml
```

- Apply a vulnerabilityreport that contains one vulnerability and, in a Rails console, confirm the vulnerability exists in the detected state:

```shell
kubectl apply -f https://gitlab.com/-/snippets/2254927/raw/main/test-report-1.yaml
```

```ruby
pry(main)> Project.last.vulnerabilities.pluck(:state)
=> ["detected"]
```

- Apply another vulnerabilityreport that contains one additional vulnerability:

```shell
kubectl apply -f https://gitlab.com/-/snippets/2254927/raw/main/test-report-2.yaml
```

```ruby
pry(main)> Project.last.vulnerabilities.reload.pluck(:state)
=> ["detected", "detected"]
```

- Apply another vulnerabilityreport that does not contain the first vulnerability:

```shell
kubectl apply -f https://gitlab.com/-/snippets/2254927/raw/main/test-report-3.yaml
```

```ruby
pry(main)> Project.last.vulnerabilities.reload.pluck(:state)
=> ["resolved", "detected"]
```

Edited by Dominic Bauer