I would like to ask about the capabilities of Greenbone/OpenVAS regarding cloud infrastructure scanning.
We are currently using a cloud environment that includes managed Kubernetes services (managed Kubernetes clusters provided by a cloud vendor), and I would like to understand the best approach for vulnerability assessment in such environments.
Could you please clarify:
Is it possible to scan workloads and nodes inside a managed Kubernetes cluster using Greenbone/OpenVAS?
Are there any official integrations or best practices for Kubernetes discovery and vulnerability scanning?
Can authenticated scanning be used against worker nodes in managed Kubernetes platforms?
Do you support scanning containerized applications and Kubernetes services exposed internally only?
Additionally, if you have documentation or reference architectures for scanning cloud infrastructures with managed Kubernetes, I would highly appreciate it.
gvmd has new features for container registry scanning and agent-based scanning. However, these are not available in the Community Containers or Kali-native installation.
To use them you must currently compile from source and adjust the compile options and enable these features in the gvmd configuration file. Scanning the internal runtime of running containers is still not possible, however, without saying too much there are plans to implement such features in the future.
For anyone compiling gvmd from source and wanting to enable the optional container scanning and agent features, use the current Greenbone Community source-build documentation for the full cmake commands and required install variables. Also make sure you are building the most recent available gvmd version.
In addition to the documented gvmd CMake options, pass these additional feature flags:
-DENABLE_CONTAINER_SCANNING=1
-DENABLE_AGENTS=1
After compiling and installing, the runtime feature flags must also be enabled in the active gvmd.conf file:
Note that config/gvmd.conf.in in the source tree is only the template. The effective runtime file must be gvmd.conf in the configuration path used by the installation.
These new scan options will allow container security scanning pre-deployment and also support cloud environments where networks are restrictive against traditional authenticated scans.
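As an added example (not code from the forum post or from the Greenbone project), here is a post-configure check for the two extra CMake flags named above: CMake records every -D value in the build tree's CMakeCache.txt as NAME:TYPE=VALUE, so a flag that was dropped from a long cmake command line can be caught before the compile and install steps. The sample cache contents are constructed for demonstration, not real gvmd build output.

```shell
#!/bin/sh
# Added example: verify that a gvmd build tree was configured with
# -DENABLE_CONTAINER_SCANNING=1 -DENABLE_AGENTS=1 by inspecting CMakeCache.txt.
# The remaining cmake options come from the Greenbone source-build docs.

# check_gvmd_feature_flags <path-to-CMakeCache.txt>
# Returns 0 when both feature flags are cached as enabled, 1 otherwise,
# and reports the missing ones on stderr so the tree can be reconfigured.
check_gvmd_feature_flags() {
    cache="$1"
    missing=""
    for flag in ENABLE_CONTAINER_SCANNING ENABLE_AGENTS; do
        # CMake stores the type as BOOL when CMakeLists declares option(),
        # or UNINITIALIZED when the value only came from the command line.
        if ! grep -E -q "^${flag}:[A-Z]*=(1|ON|TRUE)$" "$cache"; then
            missing="$missing $flag"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing or disabled in $cache:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample cache: both flags passed on the cmake command line.
good_cache=$(mktemp)
cat > "$good_cache" <<'EOF'
CMAKE_BUILD_TYPE:STRING=Release
CMAKE_INSTALL_PREFIX:PATH=/usr/local
ENABLE_AGENTS:UNINITIALIZED=1
ENABLE_CONTAINER_SCANNING:UNINITIALIZED=1
EOF

# Constructed sample cache: container scanning flag forgotten, agents disabled.
bad_cache=$(mktemp)
cat > "$bad_cache" <<'EOF'
CMAKE_BUILD_TYPE:STRING=Release
ENABLE_AGENTS:BOOL=OFF
EOF

check_gvmd_feature_flags "$good_cache" && echo "feature flags present"
check_gvmd_feature_flags "$bad_cache" || echo "reconfigure with the missing flags"
```

Run it against the real build directory with `check_gvmd_feature_flags build/CMakeCache.txt` after the documented configure step; the runtime feature flags in gvmd.conf still need to be enabled separately.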