• Stars
    star
    699
  • Rank 64,759 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 6 years ago
  • Updated 7 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Deploy-time Policy Enforcer for Kubernetes applications

Kritis

GoDoc Widget [BuildStatus Widget][BuildStatus Result] GoReport Widget

Kritis logo

Kritis (“judge” in Greek), is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, and in a subsequent release, Grafeas.

Here is an example Kritis policy, to prevent the deployment of Pod with a critical vulnerability unless it has been allowlisted:

imageAllowlist:
- gcr.io/my-project/allowlist-image@sha256:<DIGEST>
packageVulnerabilityPolicy:
  maximumSeverity: HIGH
  allowlistCVEs:
    - providers/goog-vulnz/notes/CVE-2017-1000082
    - providers/goog-vulnz/notes/CVE-2017-1000081

In addition to the enforcement this project also contains signers that can be used to create Grafeas Attestation Occurrences to be used in other enforcement systems like Binary Authorization. (TODO#571: add doc and fix link) For details see upcoming doc Kritis Signer.

Getting Started

Support

If you have questions, reach out to us on kritis-users. For questions about contributing, please see the section below.

Contributing

See CONTRIBUTING for details on how you can contribute.

See DEVELOPMENT for details on the development and testing workflow.

License

Kritis is under the Apache 2.0 license. See the LICENSE file for details.