This plugin runs Black Duck image scans so that developers and operators can scan both already-deployed images and images about to be deployed for open source security and license compliance. Just point and scan: images in any namespace, third-party or your own YAML files, and Helm charts. It also suggests image upgrades for outdated images. Check out the future section below for features coming soon, including base image remediation, upgrade suggestions for outdated Helm charts and more!
See demo images here
TODO: put video here
## Installation

### Using krew

```sh
curl https://krew.sh/bd-xray | bash
# . ~/.bashrc # run if you use bash shell
# . ~/.zshrc # run if you use zsh shell
```

### From source

Build and run the binary directly (`-o` names the output `bd-xray`; building `main.go` without it would produce a binary called `main`):

```sh
go build -o bd-xray ./cmd/bd-xray
./bd-xray --help
```

Or run it without building:

```sh
go run ./cmd/bd-xray/main.go --help
```

To use the source build as a kubectl plugin, place it on your `PATH` under the plugin name (`kubectl-bd_xray`, with an underscore):

```sh
go build -o bd-xray ./cmd/bd-xray
mv ./bd-xray "/TODO-somewhere-in-your-path/kubectl-bd_xray"
kubectl plugin list
kubectl bd-xray --help
```
### Standalone binary

You can download and use it as a standalone binary. The release asset is a tarball, so extract it before running (this example uses the darwin_amd64 asset):

```sh
download_path="./bd-xray"
version="v0.1.0"
archive="kubectl-bd-xray_${version}_darwin_amd64.tar.gz"
curl --fail --location --output "$archive" "https://github.com/blackducksoftware/kubectl-bd-xray/releases/download/${version}/${archive}"
# extract the binary (expected at ./bd-xray) before running it
tar -xzf "$archive"
chmod +x "$download_path"
"$download_path" --help
```

Or you can follow the steps below, after the steps above, to use it as a kubectl plugin:

```sh
mv "$download_path" "/TODO-somewhere-in-your-path/kubectl-bd_xray"
kubectl plugin list
kubectl bd-xray --help
```
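Generalizing the standalone install above, as an added example that is not part of the kubectl-bd-xray project: a bash script that picks the release asset for the current OS and architecture, extracts it and installs it under the kubectl plugin name. Only the darwin_amd64 asset is shown on this page; the other asset names are assumed to follow the same `kubectl-bd-xray_<version>_<os>_<arch>.tar.gz` pattern, and the archive is assumed to contain a binary named `bd-xray`.

```bash
#!/usr/bin/env bash
# Added example, not part of the kubectl-bd-xray project.
# ASSUMED: release assets for every platform follow the darwin_amd64 naming shown
# on the page, and each tarball contains a binary named bd-xray.
set -euo pipefail

# Map `uname -s` / `uname -m` output to the os/arch tokens used in asset names.
asset_name() {
  local version="$1" os="$2" arch="$3"
  case "$os" in
    Darwin) os=darwin ;;
    Linux)  os=linux ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  case "$arch" in
    x86_64|amd64)  arch=amd64 ;;
    arm64|aarch64) arch=arm64 ;;
    *) echo "unsupported arch: $arch" >&2; return 1 ;;
  esac
  printf 'kubectl-bd-xray_%s_%s_%s.tar.gz\n' "$version" "$os" "$arch"
}

# GitHub release download URL for a given version and asset file name.
release_url() {
  local version="$1" asset="$2"
  printf 'https://github.com/blackducksoftware/kubectl-bd-xray/releases/download/%s/%s\n' "$version" "$asset"
}

# Download, extract and install. kubectl discovers plugins as kubectl-<name> on
# PATH, with dashes in the plugin name written as underscores: kubectl-bd_xray.
install_plugin() {
  local version="$1" dest_dir="${2:-/usr/local/bin}"
  local asset tmp
  asset="$(asset_name "$version" "$(uname -s)" "$(uname -m)")"
  tmp="$(mktemp -d)"
  trap 'rm -rf "$tmp"' RETURN
  curl --fail --location --output "$tmp/$asset" "$(release_url "$version" "$asset")"
  tar -xzf "$tmp/$asset" -C "$tmp"
  install -m 0755 "$tmp/bd-xray" "$dest_dir/kubectl-bd_xray"
  # confirm kubectl sees the plugin before reporting success
  kubectl plugin list 2>/dev/null | grep -q 'kubectl-bd_xray' \
    && echo "installed: $dest_dir/kubectl-bd_xray"
}

# Usage: install_plugin v0.1.0 "$HOME/bin"
```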
## Usage

Use the `--help` flag with the root command and/or any of the subcommands to find out more:

```sh
kubectl bd-xray --help
```

### Scan all images in a namespace

```sh
kubectl bd-xray namespace --help

NAMESPACE_NAME="TODO"
BLACKDUCK_URL="TODO"
BLACKDUCK_API_TOKEN="TODO"
kubectl bd-xray namespace $NAMESPACE_NAME --blackduck.url=$BLACKDUCK_URL --blackduck.api.token=$BLACKDUCK_API_TOKEN
```

### Scan specific images

```sh
kubectl bd-xray images --help

BLACKDUCK_URL="TODO"
BLACKDUCK_API_TOKEN="TODO"
kubectl bd-xray images ubuntu:18.04 alpine:3.8 --blackduck.url=$BLACKDUCK_URL --blackduck.api.token=$BLACKDUCK_API_TOKEN
```

### Scan images referenced in a YAML file

```sh
kubectl bd-xray yaml --help

PATH_TO_YAML_FILE="TODO"
BLACKDUCK_URL="TODO"
BLACKDUCK_API_TOKEN="TODO"
kubectl bd-xray yaml $PATH_TO_YAML_FILE --blackduck.url=$BLACKDUCK_URL --blackduck.api.token=$BLACKDUCK_API_TOKEN
```

### Scan images referenced in a Helm chart

```sh
kubectl bd-xray helm --help

HELM_CHART="stable/atlantis"
BLACKDUCK_URL="TODO"
BLACKDUCK_API_TOKEN="TODO"
kubectl bd-xray helm $HELM_CHART --blackduck.url=$BLACKDUCK_URL --blackduck.api.token=$BLACKDUCK_API_TOKEN
```
## Releasing (for developers)

```sh
./release.sh -d
git tag v0.1.1
git push --tags
git tag -d v0.1.0
```

Generate the krew manifest with krew-release-bot:

```sh
# NOTE: you have to use a tag that is already released, in order for krew-release-bot to get the SHA.
TAG_NAME=v0.1.1
docker run -v "$(pwd)/.krew.yaml:/tmp/template-file.yaml" rajatjindal/krew-release-bot:v0.0.38 krew-release-bot template --tag $TAG_NAME --template-file /tmp/template-file.yaml
```

To provide a custom plugin manifest, use the `--manifest` or `--manifest-url` arguments. Similarly, instead of downloading files from a URL, you can specify a local `--archive` file: `kubectl krew install --manifest=FILE [--archive=FILE]`

```sh
kubectl krew install --manifest=".krew.yaml"
kubectl krew install --manifest=".krew.yaml" --archive="./dist/kubectl-bd-xray_v0.1.0_darwin_amd64.tar.gz"
```
## Future

- show the difference in vulnerabilities between the existing image and the suggested upgrade remediation image
- suggest upgrade remediation of the base image
- suggest upgrade remediation for Helm charts
- allow setting the concurrency of scans (currently "infinite")
- multiple modes of operation:
  - concurrent scans locally with a persistent Docker container (the current behaviour)
  - concurrent scans in the cluster in the same namespace, 1 job per image