Features
OpenClarity provides a wide range of features for asset scanning and discovery:
- Dashboard
  - Fixable vulnerabilities per severity
  - Top 5 vulnerable elements (applications, resources, packages)
  - New vulnerabilities trends
  - Package count per license type
  - Package count per programming language
  - General counters
- Applications
  - Automatic application detection in K8s runtime
  - Create/edit/delete applications
  - Per application, navigation to related:
    - Resources (images/directories)
    - Packages
    - Vulnerabilities
    - Licenses in use by the resources
- Application Resources (images/directories)
  - Per resource, navigation to related:
    - Applications
    - Packages
    - Vulnerabilities
- Packages
  - Per package, navigation to related:
    - Applications
    - Linkable list of resources and the detecting SBOM analyzers
    - Vulnerabilities
- Vulnerabilities
  - Per vulnerability, navigation to related:
    - Applications
    - Resources
    - List of detecting scanners
- K8s Runtime scan
  - On-demand or scheduled scanning
  - Automatic detection of target namespaces
  - Scan progress and result navigation per affected element (applications, resources, packages, vulnerabilities)
  - CIS Docker benchmark
- CLI (CI/CD)
  - SBOM generation using multiple integrated content analyzers (Syft, cyclonedx-gomod)
  - SBOM/image/directory vulnerability scanning using multiple integrated scanners (Grype, Dependency-track)
  - Merging of SBOM and vulnerabilities across different CI/CD stages
  - Export results to OpenClarity backend
- API
Runtime environment
The following table lists all supported environments and asset types that can be discovered and scanned by OpenClarity.
| Environment | Asset Type | Scope |
|---|---|---|
| Docker | Containers, Container Images | Docker Daemon |
| Kubernetes | Containers, Container Images | Cluster |
| AWS | Virtual machines | All VMs accessible by credentials |
| Azure | Virtual machines | All VMs accessible by credentials |
| GCP | Virtual machines | All VMs accessible by credentials |
| Local (OS) | Containers, Container Images, Container Image Archives, Filesystem | All assets accessible by OS |
Scanning
The following table lists all supported scanners that can be used when performing a scan on an asset, such as a container image or a directory.
| Capability / scanner | VMClarity | KubeClarity | OpenClarity |
|---|---|---|---|
| SBOM generation and analysis | ✅ | ✅ | ✅ |
| Syft | ✅ | ✅ | ✅ |
| Trivy | ✅ | ✅ | ✅ |
| cyclonedx-gomod | ✅ | ✅ | ✅ |
| Windows Registry | ✅ | ❌ | ✅ |
| Vulnerability detection | ✅ | ✅ | ✅ |
| Grype | ✅ | ✅ | ✅ |
| Trivy | ✅ | ✅ | ✅ |
| Dependency Track | ❌ | ✅ | ❌ |
| Exploits | ✅ | ❌ | ✅ |
| ExploitDB | ✅ | ❌ | ✅ |
| Secrets | ✅ | ❌ | ✅ |
| Gitleaks | ✅ | ❌ | ✅ |
| Malware | ✅ | ❌ | ✅ |
| ClamAV | ✅ | ❌ | ✅ |
| Yara | ✅ | ❌ | ✅ |
| Misconfiguration | ✅ | ✅ | ✅ |
| Lynis | ✅ | ❌ | ✅ |
| CIS Docker Benchmark | ✅ | ✅ | ✅ |
| Rootkits | ✅ | ❌ | ✅ |
| Chrootkit | ✅ | ❌ | ✅ |
| Plugins | ✅ | ❌ | ✅ |
| KICS | ✅ | ❌ | ✅ |
Integrated SBOM Generators and Vulnerability Scanners
The OpenClarity content analyzer integrates with the following SBOM generators:
The OpenClarity vulnerability scanner integrates with the following scanners:
1 - Kubernetes Scanning
For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.
Asset Discovery
The OpenClarity stack supports the automatic discovery of assets in Kubernetes:
2 - Docker Scanning
For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.
Asset Discovery
The OpenClarity stack supports the automatic discovery of assets in Docker:
| Asset types | Scope | Installation |
|---|---|---|
| Docker containers and images | Local Docker daemon | Deploy on Docker |
3 - AWS Scanning
For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.
Asset Discovery
The OpenClarity stack supports the automatic discovery of assets in AWS:
| Asset types | Scope | Installation |
|---|---|---|
| Virtual machines (EC2 instances) | Account (all regions) | Deploy on AWS |
4 - GCP Scanning
For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.
Asset Discovery
The OpenClarity stack supports the automatic discovery of assets in GCP:
| Asset types | Scope | Installation |
|---|---|---|
| Virtual machines | Project | Deploy on GCP |
5 - Azure Scanning
For details on performing runtime scans with OpenClarity, see the First Tasks on the UI.
Asset Discovery
The OpenClarity stack supports the automatic discovery of assets in Azure:
6 - Scanner Plugins
Plugins provide additional scanning capabilities to the OpenClarity ecosystem.
Project structure:
- runner - Provides necessary logic to manage scanner plugins in OpenClarity.
- sdk - Language-specific libraries, templates, and examples to aid with the implementation of scanner plugins.
- store - Collection of available plugins that can be directly used in OpenClarity.
Requirements
Scanner plugins are distributed as containers and require Docker Engine on the host that runs the actual scanning via the OpenClarity CLI.
Support
List of supported environments:
- AWS
- GCP
- Azure
- Docker
List of unsupported environments:
- Kubernetes - We plan on adding plugin support to Kubernetes once we have dealt with all the security considerations.
Note: Plugin support has been tested against OpenClarity installation artifacts for the given environments.
Usage
You can start using plugins via the Plugins Store.
For example, you can pass the .families.yaml scan config file defined below to the OpenClarity CLI scan command. This configuration uses the KICS scanner to scan the /tmp directory for IaC security misconfigurations. See the KICS documentation for further information.
```yaml
# --- .families.yaml
plugins:
  enabled: true
  scanners_list:
    - "kics"
  inputs:
    - input: "/tmp"
      input_type: "rootfs"
  scanners_config:
    kics:
      image_name: "ghcr.io/openclarity/openclarity-plugin-kics:latest"
      config: "{}"
```
SDKs
You can use one of the available SDKs in your language of choice to quickly develop scanner plugins for OpenClarity.
List of supported languages:
7 - Cost Estimation
Available in version 0.6.0 and later. Currently, this feature is exclusively available on AWS.
You can get a preliminary cost estimation before initiating a security scan with OpenClarity. This helps you plan and budget your security assessments more effectively, ensuring that you have a clear understanding of the financial implications before taking action.
To start a new estimation, complete the following steps.
1. Create a new resource called ScanEstimation in the API server. For example, if your POST body is the following JSON, it will estimate an SBOM scan on your workload with id i-123456789. Use the same scanTemplate in the ScanEstimation as in the ScanConfiguration.

   ```json
   {
     "assetIDs": ["i-123456789"],
     "state": {
       "state": "Pending"
     },
     "scanTemplate": {
       "scope": "contains(assetInfo.tags, '{\"key\":\"scanestimation\",\"value\":\"test\"}')",
       "assetScanTemplate": {
         "scanFamiliesConfig": {
           "sbom": {
             "enabled": true
           }
         }
       }
     }
   }
   ```
2. Retrieve the object from the <apiserver IP address>:8888/scanEstimations endpoint, and wait for the state to be Done. The totalScanCost of the summary property shows your scan's cost in USD:

   ```json
   {
     "assetIDs": [
       "d337bd07-b67f-4cf0-ac43-f147fce7d1b2"
     ],
     "assetScanEstimations": [
       {
         "id": "23082244-0fb6-4aca-8a9b-02417dfc95f8"
       }
     ],
     "deleteAfter": "2023-10-08T17:33:52.512829081Z",
     "endTime": "2023-10-08T15:33:52.512829081Z",
     "id": "962e3a10-05fb-4c5d-a773-1198231f3103",
     "revision": 5,
     "scanTemplate": {
       "assetScanTemplate": {
         "scanFamiliesConfig": {
           "sbom": {
             "enabled": true
           }
         }
       },
       "scope": "contains(assetInfo.tags, '{\"key\":\"scanestimation\",\"value\":\"test\"}')"
     },
     "startTime": "2023-10-08T15:33:37.513073573Z",
     "state": {
       "state": "Done",
       "stateMessage": "1 succeeded, 0 failed out of 1 total asset scan estimations",
       "stateReason": "Success"
     },
     "summary": {
       "jobsCompleted": 1,
       "jobsLeftToRun": 0,
       "totalScanCost": 0.0006148403,
       "totalScanSize": 3,
       "totalScanTime": 12
     },
     "ttlSecondsAfterFinished": 7200
   }
   ```
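A small client for the two steps above, as an added example that is not OpenClarity's own code: it builds the ScanEstimation body with the same scanTemplate shape as the page's JSON, polls the object until its state is Done and returns totalScanCost, and refuses to hand back a number when the estimation failed or still has jobs left. The helper names and the per-object path /scanEstimations/<id> are assumptions; the page only names the collection endpoint.

```python
import json
import time
import urllib.request

# Scope string taken from the page's example; the constructed sample in the test reuses it.
SCOPE = "contains(assetInfo.tags, '{\"key\":\"scanestimation\",\"value\":\"test\"}')"

def build_scan_estimation(asset_id, scope=SCOPE, families=("sbom",)):
    """POST body; scanTemplate must equal the ScanConfiguration's, else it estimates another scan."""
    return {
        "assetIDs": [asset_id],
        "state": {"state": "Pending"},
        "scanTemplate": {
            "scope": scope,
            "assetScanTemplate": {
                "scanFamiliesConfig": {f: {"enabled": True} for f in families}},
        },
    }

def estimation_cost(obj):
    """totalScanCost (USD) once state is Done, None while running. Failure, or Done
    with jobs still left, raises rather than returning a number to budget on."""
    state = obj.get("state", {}).get("state")
    if state == "Done":
        summary = obj["summary"]
        if summary.get("jobsLeftToRun", 0) != 0:
            raise RuntimeError("Done but jobs left to run: %r" % summary)
        return summary["totalScanCost"]
    if state == "Failed":
        raise RuntimeError(obj["state"].get("stateMessage", "estimation failed"))
    return None

def wait_for_cost(fetch, estimation_id, timeout_s=300, interval_s=5, sleep=time.sleep):
    """Poll fetch(estimation_id) -> dict until a cost is available or timeout_s elapses."""
    deadline = time.monotonic() + timeout_s
    while True:
        cost = estimation_cost(fetch(estimation_id))
        if cost is not None:
            return cost
        if time.monotonic() >= deadline:
            raise TimeoutError("ScanEstimation %s not Done within %ss" % (estimation_id, timeout_s))
        sleep(interval_s)

def http_fetch(base_url):
    """Fetcher for a live API server, e.g. "http://<apiserver IP>:8888" (path per object assumed)."""
    def fetch(estimation_id):
        with urllib.request.urlopen("%s/scanEstimations/%s" % (base_url, estimation_id)) as resp:
            return json.load(resp)
    return fetch
```

Pass `http_fetch("http://<apiserver IP>:8888")` as `fetch` against a real server; `sleep` is injectable so the loop can be exercised without waiting.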