docs: add kbom documentation (#5363)

aquasecurity · Oct 13, 2023 · 0c3e2f0 · 0c3e2f0
1 parent 6c12f04
commit 0c3e2f0
Show file tree

Hide file tree

Showing 6 changed files with 191 additions and 119 deletions.
diff --git a/docs/docs/coverage/index.md b/docs/docs/coverage/index.md
@@ -5,4 +5,5 @@ For more detailed information about the specific platforms and languages, check
 
 - [OS Packages](os/index.md)
 - [Language-specific Packages](language/index.md)
-- [IaC files](iac/index.md)
+- [IaC files](iac/index.md)
+- [Kubernetes clusters](./kubernetes.md)
diff --git a/docs/docs/coverage/kubernetes.md b/docs/docs/coverage/kubernetes.md
@@ -0,0 +1,22 @@
+# Kubernetes
+
+When scanning a Kubernetes cluster, Trivy differentiates between the following:
+
+1. Cluster infrastructure (e.g api-server, kubelet, addons)
+1. Cluster configuration (e.g Roles, ClusterRoles). 
+1. Application workloads (e.g nginx, postgresql).
+
+Whenever Trivy scans either of these Kubernetes resources, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
+When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
+
+Container image is scanned for:
+- Vulnerabilities
+- Misconfigurations
+- Exposed secrets
+
+Kubernetes resource definition is scanned for:
+- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
+- Misconfigurations
+- Exposed secrets
+
+To learn more, please see the [documentation for Kubernetes scanning](../target/kubernetes.md)
diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md
@@ -6,6 +6,8 @@ The following packages are supported.
 - [OS packages](#os-packages)
 - [Language-specific packages](#language-specific-packages)
 
+Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).
+
 ## OS Packages
 Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
 
@@ -98,6 +100,18 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
+## Kubernetes
+
+Trivy can detect vulnerabilities in Kubernetes clusters and components.
+
+### Data Sources
+
+| Vendor        | Source                                                       |
+| ------------- | ------------------------------------------------------------ |
+| Kubernetes    | [Kubernetes Official CVE feed][^1]                           |
+
+[^1]: Some manual triage and correction has been made.
+
 ## Database
 Trivy downloads [the vulnerability database](https://github.com/aquasecurity/trivy-db) every 6 hours.
 Trivy uses two types of databases for vulnerability detection:
@@ -180,3 +194,5 @@ Currently, specifying a username and password is not supported.
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
 
 [nvd]: https://nvd.nist.gov/vuln
+
+[Kubernetes Official CVE feed]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/