Features

OpenClarity provides a wide range of features for asset scanning and discovery:

  • Dashboard
    • Fixable vulnerabilities per severity
    • Top 5 vulnerable elements (applications, resources, packages)
    • New vulnerabilities trends
    • Package count per license type
    • Package count per programming language
    • General counters
  • Applications
    • Automatic application detection in K8s runtime
    • Create/edit/delete applications
    • Per application, navigation to related:
      • Resources (images/directories)
      • Packages
      • Vulnerabilities
      • Licenses in use by the resources
  • Application Resources (images/directories)
    • Per resource, navigation to related:
      • Applications
      • Packages
      • Vulnerabilities
  • Packages
    • Per package, navigation to related:
      • Applications
      • Linkable list of resources and the detecting SBOM analyzers
      • Vulnerabilities
  • Vulnerabilities
    • Per vulnerability, navigation to related:
      • Applications
      • Resources
      • List of detecting scanners
  • K8s Runtime scan
    • On-demand or scheduled scanning
    • Automatic detection of target namespaces
    • Scan progress and result navigation per affected element (applications, resources, packages, vulnerabilities)
    • CIS Docker benchmark
  • CLI (CI/CD)
    • SBOM generation using multiple integrated content analyzers (Syft, cyclonedx-gomod)
    • SBOM/image/directory vulnerability scanning using multiple integrated scanners (Grype, Dependency-track)
    • Merging of SBOM and vulnerabilities across different CI/CD stages
    • Export results to OpenClarity backend
  • API

Runtime environment

The following table lists all supported environments and asset types that can be discovered and scanned by OpenClarity.

Environment | Asset Type | Scope
--- | --- | ---
Docker | Containers, Container Images | Docker Daemon
Kubernetes | Containers, Container Images | Cluster
AWS | Virtual machines | All VMs accessible by credentials
Azure | Virtual machines | All VMs accessible by credentials
GCP | Virtual machines | All VMs accessible by credentials
Local (OS) | Containers, Container Images, Container Image Archives, Filesystem | All assets accessible by OS

Scanning

The following table lists all supported scanners that can be used when performing a scan on an asset, such as a container image or a directory.

Scanner | VMClarity | KubeClarity | OpenClarity
SBOM generation and analysis
     Syft
     Trivy
     cyclonedx-gomod
     Windows Registry
Vulnerability detection
     Grype
     Trivy
     Dependency Track
Exploits
     ExploitDB
Secrets
     Gitleaks
Malware
     ClamAV
     Yara
Misconfiguration
     Lynis
     CIS Docker Benchmark
Rootkits
     chkrootkit
Plugins
     KICS

Integrated SBOM Generators and Vulnerability Scanners

OpenClarity content analyzer integrates with the following SBOM generators (the "SBOM generation and analysis" rows of the Scanning table above):

  • Syft
  • Trivy
  • cyclonedx-gomod
  • Windows Registry

OpenClarity vulnerability scanner integrates with the following scanners (the "Vulnerability detection" rows of the Scanning table above):

  • Grype
  • Trivy
  • Dependency Track

1 - Kubernetes Scanning

Perform Scan

For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.

Asset Discovery

The OpenClarity stack supports the automatic discovery of assets in Kubernetes:

Asset types | Scope | Installation
--- | --- | ---
Docker containers and images | Cluster | Deploy on Kubernetes

2 - Docker Scanning

Perform Scan

For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.

Asset Discovery

The OpenClarity stack supports the automatic discovery of assets in Docker:

Asset types | Scope | Installation
--- | --- | ---
Docker containers and images | Local Docker daemon | Deploy on Docker

3 - AWS Scanning

Perform Scan

For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.

Asset Discovery

The OpenClarity stack supports the automatic discovery of assets in AWS:

Asset types | Scope | Installation
--- | --- | ---
Virtual machines (EC2 instances) | Account (all regions) | Deploy on AWS

4 - GCP Scanning

Perform Scan

For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.

Asset Discovery

The OpenClarity stack supports the automatic discovery of assets in GCP:

Asset types | Scope | Installation
--- | --- | ---
Virtual machines | Project | Deploy on GCP

5 - Azure Scanning

Perform Scan

For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.

Asset Discovery

The OpenClarity stack supports the automatic discovery of assets in Azure:

Asset types | Scope | Installation
--- | --- | ---
Virtual machines | Subscription | Deploy on Azure

6 - Scanner Plugins

Plugins provide additional scanning capabilities to the OpenClarity ecosystem. Project structure:

  • runner - Provides necessary logic to manage scanner plugins in OpenClarity.
  • sdk - Language-specific libraries, templates, and examples to aid with the implementation of scanner plugins.
  • store - Collection of available plugins that can be directly used in OpenClarity.

Requirements

Scanner plugins are distributed as container images. The host that performs the actual scanning via the OpenClarity CLI must have Docker Engine available, because each plugin is started as a container on that host; without Docker Engine the plugins family cannot run.

Support

List of supported environments:

  1. AWS
  2. GCP
  3. Azure
  4. Docker

List of unsupported environments:

  • Kubernetes - We plan on adding plugin support to Kubernetes once we have dealt with all the security considerations.

Note: Plugin support has been tested against OpenClarity installation artifacts for the given environments.

Usage

You can start using plugins via the Plugins Store. For example, pass the .families.yaml scan config file shown below to the OpenClarity CLI scan command. This configuration uses the KICS scanner to scan the /tmp directory for IaC security misconfigurations. See the KICS documentation for further information.

# --- .families.yaml
plugins:
  enabled: true                 # turn on the plugins scan family
  scanners_list:
    - "kics"                    # plugin name as published in the Plugins Store
  inputs:
    - input: "/tmp"             # path handed to the plugin
      input_type: "rootfs"
  scanners_config:
    kics:
      # plugin image pulled and run by Docker Engine on the scanning host
      image_name: "ghcr.io/openclarity/openclarity-plugin-kics:latest"
      config: "{}"              # scanner-specific config string; empty object = plugin defaults
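The script below is an added example and is not part of the OpenClarity project. It checks a `plugins` families config like the one above before the CLI pulls and runs the plugin container: the field names (`enabled`, `scanners_list`, `inputs`, `scanners_config`, `image_name`, `config`) come from the page, while the requirement that `image_name` be pinned to a sha256 digest, the `ghcr.io/openclarity/` allow-list and the `pin_image` helper are this example's own policy, labelled as such in the code.

```python
"""Lint an OpenClarity `plugins` families config before the CLI runs it.

Added example, not part of the OpenClarity project. It mirrors the
.families.yaml shape shown above and adds two checks: the plugin image
must be pinned to a sha256 digest (the runner pulls and executes that
image with Docker Engine on the scanning host, so a mutable tag such as
`:latest` lets a registry-side change alter what runs), and the
per-scanner `config` string must parse as JSON. Field names follow the
page; the digest rule and TRUSTED_PREFIXES are this example's own policy.
"""
import json
import re

# Image reference: path/name, optional :tag, optional @sha256 digest.
# A registry host:port is not handled; ghcr.io does not need one.
_REF_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
TRUSTED_PREFIXES = ("ghcr.io/openclarity/",)  # assumption: local policy, not OpenClarity's

# The page's config as a Python structure (constructed for this example).
PAGE_CONFIG = {
    "plugins": {
        "enabled": True,
        "scanners_list": ["kics"],
        "inputs": [{"input": "/tmp", "input_type": "rootfs"}],
        "scanners_config": {
            "kics": {
                "image_name": "ghcr.io/openclarity/openclarity-plugin-kics:latest",
                "config": "{}",
            }
        },
    }
}


def lint_image_ref(ref: str) -> list[str]:
    """Policy findings for one plugin image reference; empty means OK."""
    m = _REF_RE.match(ref)
    if not m:
        return [f"{ref!r}: not a valid image reference"]
    findings = []
    if not m.group("digest"):
        findings.append(f"{ref}: not pinned to a sha256 digest")
    if not m.group("name").startswith(TRUSTED_PREFIXES):
        findings.append(f"{ref}: not under a trusted registry prefix")
    return findings


def lint_families_config(cfg: dict) -> list[str]:
    """Every listed scanner needs a config entry, an acceptable image and JSON config."""
    plugins = cfg.get("plugins") or {}
    if not plugins.get("enabled"):
        return ["plugins family is not enabled"]
    findings = [] if plugins.get("inputs") else ["no inputs: nothing to scan"]
    scanners_config = plugins.get("scanners_config") or {}
    for name in plugins.get("scanners_list") or []:
        entry = scanners_config.get(name)
        if entry is None:
            findings.append(f"{name}: listed but has no scanners_config entry")
            continue
        findings += lint_image_ref(entry.get("image_name", ""))
        try:
            json.loads(entry.get("config", "{}"))
        except ValueError:
            findings.append(f"{name}: config is not valid JSON")
    return findings


def pin_image(cfg: dict, scanner: str, digest: str) -> dict:
    """Copy of cfg with the scanner's image addressed by digest instead of
    tag (take the digest from `docker inspect` or from the registry)."""
    new = json.loads(json.dumps(cfg))  # deep copy
    entry = new["plugins"]["scanners_config"][scanner]
    m = _REF_RE.match(entry["image_name"])
    if not m:
        raise ValueError(f"cannot parse image reference {entry['image_name']!r}")
    entry["image_name"] = f"{m.group('name')}@{digest}"
    return new


def render(cfg: dict) -> str:
    """Serialize as JSON; YAML 1.2 is a superset of JSON, so a YAML loader
    reads the result unchanged (or use a YAML library's safe_dump)."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for finding in lint_families_config(PAGE_CONFIG):
        print("finding:", finding)
    # placeholder digest, made up for the demo; use the real one from the registry
    print(render(pin_image(PAGE_CONFIG, "kics", "sha256:" + "0" * 64)))
```

For the page's file the only finding is the unpinned `:latest` tag; after `pin_image` replaces the tag with the digest you resolved from the registry, the check passes and the rendered file can be handed to the CLI in place of the hand-written one.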

SDKs

You can use one of the available SDKs in your language of choice to quickly develop scanner plugins for OpenClarity.

List of supported languages:

7 - Cost Estimation

Available in version 0.6.0 and later. Currently, this feature is exclusively available on AWS.

You can get a preliminary cost estimation before initiating a security scan with OpenClarity, so that the assessment can be planned and budgeted before any scan jobs are started.

To start a new estimation, complete the following steps.

  1. Create a new resource called ScanEstimation in the API server. For example, if the body of your POST is the following JSON, it estimates an SBOM scan of the workload with id i-123456789.

    Use the same scanTemplate in the ScanEstimation as in the ScanConfiguration you intend to run, so that the estimate covers the same scope and scan families.

    {
      "assetIDs": ["i-123456789"],
      "state": {
        "state": "Pending"
      },
      "scanTemplate": {
        "scope": "contains(assetInfo.tags, '{\"key\":\"scanestimation\",\"value\":\"test\"}')",
        "assetScanTemplate": {
          "scanFamiliesConfig": {
            "sbom": {
              "enabled": true
            }
          }
        }
      }
    }
    
  2. Retrieve the object from the <apiserver IP address>:8888/scanEstimations endpoint and wait until its state is Done. The totalScanCost field of the summary property is the estimated cost of the scan in USD:

    {
       "assetIDs":[
          "d337bd07-b67f-4cf0-ac43-f147fce7d1b2"
       ],
       "assetScanEstimations":[
          {
             "id":"23082244-0fb6-4aca-8a9b-02417dfc95f8"
          }
       ],
       "deleteAfter":"2023-10-08T17:33:52.512829081Z",
       "endTime":"2023-10-08T15:33:52.512829081Z",
       "id":"962e3a10-05fb-4c5d-a773-1198231f3103",
       "revision":5,
       "scanTemplate":{
          "assetScanTemplate":{
             "scanFamiliesConfig":{
                "sbom":{
                   "enabled":true
                }
             }
          },
          "scope":"contains(assetInfo.tags, '{\"key\":\"scanestimation\",\"value\":\"test\"}')"
       },
       "startTime":"2023-10-08T15:33:37.513073573Z",
       "state":{
          "state":"Done",
          "stateMessage":"1 succeeded, 0 failed out of 1 total asset scan estimations",
          "stateReason":"Success"
       },
       "summary":{
          "jobsCompleted":1,
          "jobsLeftToRun":0,
          "totalScanCost":0.0006148403,
          "totalScanSize":3,
          "totalScanTime":12
       },
       "ttlSecondsAfterFinished":7200
    }
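The two steps above, carried through as one client routine. This is an added example, not OpenClarity's own client code. It assumes the API server listens at http://<apiserver>:8888 as on the page, that an estimation is created with POST /scanEstimations and read back with GET /scanEstimations/{id} (the per-object path is inferred from the collection path the page gives and is not stated there), and that "Failed" and "Aborted" are terminal states alongside "Done" (an assumption). Asset IDs are passed through as given; the response on the page shows them as OpenClarity asset UUIDs. The `transport` and `sleep`/`clock` parameters exist so the flow can be exercised offline against a canned response.

```python
"""Create an OpenClarity ScanEstimation and wait for its cost.

Added example, not the project's own client. Assumptions: the API server
is reachable at http://<apiserver>:8888 as on the page; POST
/scanEstimations creates the object and GET /scanEstimations/{id} reads
it back (per-object path inferred from the page's collection path);
"Failed" and "Aborted" end a run just as "Done" does.
"""
import json
import time
import urllib.request

TERMINAL_FAILURE_STATES = ("Failed", "Aborted")  # assumption, not from the page

# Same scanTemplate you would put in the ScanConfiguration (from step 1 above).
SBOM_TEMPLATE = {
    "scope": "contains(assetInfo.tags, '{\"key\":\"scanestimation\",\"value\":\"test\"}')",
    "assetScanTemplate": {"scanFamiliesConfig": {"sbom": {"enabled": True}}},
}


def build_estimation(asset_ids, scan_template):
    """Body for POST /scanEstimations, shaped as in step 1 above."""
    return {
        "assetIDs": list(asset_ids),
        "state": {"state": "Pending"},
        "scanTemplate": scan_template,
    }


def http_json(method, url, body=None):
    """Minimal JSON-over-HTTP call. Add authentication headers here if your
    deployment fronts the API server with an authenticating proxy."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def estimate_scan_cost(base_url, asset_ids, scan_template, *, transport=http_json,
                       poll_interval=5.0, timeout=600.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Create the estimation, poll it to a terminal state and return the
    summary. RuntimeError on Failed/Aborted; TimeoutError if the object is
    still running after `timeout` seconds."""
    created = transport("POST", f"{base_url}/scanEstimations",
                        build_estimation(asset_ids, scan_template))
    est_id = created["id"]
    deadline = clock() + timeout
    while True:
        est = transport("GET", f"{base_url}/scanEstimations/{est_id}")
        st = est.get("state") or {}
        state = st.get("state")
        if state == "Done":
            summary = est["summary"]
            return {
                "id": est_id,
                "cost_usd": summary["totalScanCost"],  # USD, per the page
                "scan_size": summary["totalScanSize"],
                "scan_time": summary["totalScanTime"],
                "reason": st.get("stateReason"),       # "Success" in the page's sample
                "message": st.get("stateMessage"),     # "N succeeded, M failed out of ..."
            }
        if state in TERMINAL_FAILURE_STATES:
            raise RuntimeError(
                f"estimation {est_id} ended in state {state}: {st.get('stateMessage')}")
        if clock() >= deadline:
            raise TimeoutError(f"estimation {est_id} still {state} after {timeout}s")
        sleep(poll_interval)


if __name__ == "__main__":
    import sys
    api = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8888"  # assumed address
    ids = sys.argv[2:] or ["d337bd07-b67f-4cf0-ac43-f147fce7d1b2"]      # asset UUID from the page
    print(json.dumps(estimate_scan_cost(api, ids, SBOM_TEMPLATE), indent=2))
```

Two things worth checking on the returned object: `reason`/`message`, because a Done estimation can report failed per-asset estimations (the page's sample reads "1 succeeded, 0 failed out of 1 total") and the total may then not cover every asset; and timing, because the object carries `deleteAfter`/`ttlSecondsAfterFinished` (7200 s in the sample), so read the summary soon after it reaches Done.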