Runtime Security Scanning
Runtime Security Scanning
Implement runtime scanning for active workloads:
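#!/bin/bash
# runtime-scanner.sh
#
# Scan every unique container image currently running in the cluster
# (all namespaces, regular and init containers) with Trivy and record a
# Kubernetes Warning event in the namespace for each image that has
# CRITICAL/HIGH findings.
#
# The shebang must be the first line of the file; a comment placed above
# it means the kernel no longer hands the script to bash when executed
# directly.
#
# Requires: kubectl (configured for the target cluster) and trivy on PATH.
# Environment:
#   SEVERITY         Trivy severities to report (default: CRITICAL,HIGH)
#   SCAN_OUTPUT_DIR  directory for per-image Trivy reports
#                    (default: a fresh mktemp -d directory, printed at the end)

# No -e: one unreachable namespace or unscannable image must not abort the
# whole sweep; every failure is handled and logged explicitly below.
set -uo pipefail

readonly SEVERITY="${SEVERITY:-CRITICAL,HIGH}"
# Exit code Trivy is told to return when findings are present. The original
# script tested a bare `$?`, but Trivy exits 0 on findings unless --exit-code
# is given, so vulnerable images were never reported. A value other than 1
# keeps "findings" distinguishable from a scan error (pull/auth failure).
readonly FINDINGS_EXIT_CODE=2

#######################################
# Record a Warning event in the namespace for an image with findings.
# Arguments: $1 - namespace, $2 - image reference
# Returns:   kubectl's exit status
#######################################
report_finding() {
  local ns=$1 image=$2
  # NOTE(review): `kubectl create event` is kept from the original script;
  # confirm that the kubectl version in use actually provides this subcommand.
  kubectl create event security-scan-failed \
    --namespace="$ns" \
    --type=Warning \
    --reason=VulnerabilitiesFound \
    --message="Image $image has security vulnerabilities" \
    --field-path="spec.containers{$image}" \
    || printf '  WARNING: could not record event for %s in %s\n' "$image" "$ns" >&2
}

#######################################
# Scan one image with Trivy and write its report to SCAN_OUTPUT_DIR.
# Globals:   SEVERITY, FINDINGS_EXIT_CODE, SCAN_OUTPUT_DIR (read)
# Arguments: $1 - namespace, $2 - image reference
# Returns:   0 when clean, FINDINGS_EXIT_CODE when findings were reported,
#            any other non-zero value when the scan itself failed
#######################################
scan_image() {
  local ns=$1 image=$2 report rc=0
  # Image references contain '/' and ':'; map them to a filesystem-safe name
  # so each image keeps its own report instead of overwriting one shared file.
  report="$SCAN_OUTPUT_DIR/${ns}_${image//[^A-Za-z0-9._-]/_}.txt"
  printf '  Scanning image: %s\n' "$image"
  trivy image --quiet --severity "$SEVERITY" --exit-code "$FINDINGS_EXIT_CODE" \
    "$image" > "$report" || rc=$?
  case "$rc" in
    0) ;;
    "$FINDINGS_EXIT_CODE")
      printf '  WARNING: Vulnerabilities found in %s (report: %s)\n' "$image" "$report"
      report_finding "$ns" "$image"
      ;;
    *)
      printf '  ERROR: scan of %s failed (exit %d); see %s\n' "$image" "$rc" "$report" >&2
      ;;
  esac
  return "$rc"
}

#######################################
# Scan every unique image referenced by pods in one namespace.
# Arguments: $1 - namespace
# Returns:   1 when the pod list could not be retrieved, else 0
#######################################
scan_namespace() {
  local ns=$1 images image
  printf 'Scanning namespace: %s\n' "$ns"
  # Unique images across regular and init containers of all pods.
  images=$(kubectl get pods -n "$ns" \
      -o jsonpath='{.items[*].spec.containers[*].image} {.items[*].spec.initContainers[*].image}' \
    | tr ' ' '\n' | sed '/^$/d' | sort -u) || {
    printf 'ERROR: could not list pods in namespace %s\n' "$ns" >&2
    return 1
  }
  while IFS= read -r image; do
    [[ -n "$image" ]] || continue
    # Scan failures and findings are already logged by scan_image; keep going.
    scan_image "$ns" "$image" || true
  done <<<"$images"
  return 0
}

main() {
  local namespaces ns ns_list=()
  # Never write reports to a predictable path under /tmp.
  if [[ -z "${SCAN_OUTPUT_DIR:-}" ]]; then
    SCAN_OUTPUT_DIR=$(mktemp -d) || { printf 'ERROR: mktemp failed\n' >&2; exit 1; }
  fi
  mkdir -p -- "$SCAN_OUTPUT_DIR" || exit 1
  namespaces=$(kubectl get ns -o jsonpath='{.items[*].metadata.name}') || {
    printf 'ERROR: could not list namespaces\n' >&2
    exit 1
  }
  # Namespace names are DNS labels (no whitespace), so splitting on IFS is safe.
  read -ra ns_list <<<"$namespaces"
  for ns in "${ns_list[@]}"; do
    scan_namespace "$ns" || true
  done
  printf 'Reports written to %s\n' "$SCAN_OUTPUT_DIR"
}

main "$@"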