Problem
Even once the scanners are fixed, live Kubescape findings (posture regressions, new reachable CVEs, runtime detections) never enter the work backlog — the daily engineer's survey is GitHub-only, so findings only get worked if a human files them. This is the structural reason the whole stack rotted unnoticed. We need continuous, idempotent ingestion so findings become tracked issues the engineer drains oldest-first, and a pre-merge gate so regressions never land.
Proposed direction (full loop — settled with the maintainer)
Two complementary paths (repo is public, so GitHub Code Scanning is available and already in use — CodeQL, zizmor):
Prevention gate (repo-scannable posture): add a Kubescape SARIF scan step that uploads to GitHub Code Scanning on PRs (native dedup via partialFingerprints, auto-close-when-gone, Security tab). This complements the existing ksail workload scan compliance-threshold gate. Model the workflow on .github/workflows/todos.yaml (App-token + a reusable workflow targeting devantler-tech/actions, never reusable-workflows).
Backlog bridge (live-only findings): a scheduled job that reads the live Kubescape CRDs a static repo scan can't produce — vulnerabilitymanifestsummaries, runtime node_agent_alert_counter state, and any residual configurationscansummaries regressions — and opens/updates/closes fingerprint-deduped, themed security issues under roadmap: Kubescape security stack → 100% and hold (posture · CVE · runtime) #2447 (one issue per control/theme, not per resource; search-before-create; close-when-gone). This is what makes findings drainable oldest-first.
Anti-spam is the hard part: get idempotency + fingerprinting right or it floods. Start the bridge in report-only/dry-run, then enable issue writes.
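The reconciliation core the bridge needs (fingerprint per control/theme, search-before-create, close-when-gone, dry-run first), as an added example that is not the project's code; the finding records and the fingerprint scheme are constructed assumptions, not the real CRD schema:

```python
import hashlib

# Constructed sample of what a scheduled job might read from the live CRDs
# (shape is illustrative; the CVE id is a placeholder, not a real identifier).
LIVE_FINDINGS = [
    {"kind": "configurationscansummary", "control": "C-0016", "resource": "default/deploy/web"},
    {"kind": "configurationscansummary", "control": "C-0016", "resource": "default/deploy/api"},
    {"kind": "vulnerabilitymanifestsummary", "control": "CVE-0000-0000", "resource": "default/deploy/web"},
    {"kind": "node_agent_alert_counter", "control": "unexpected-process", "resource": "node-a"},
]

def fingerprint(kind, control):
    """Stable key per control/theme; resources go in the issue body, not the key,
    so one issue covers every affected resource and never multiplies."""
    return hashlib.sha256(f"{kind}:{control}".encode()).hexdigest()[:16]

def group_by_theme(findings):
    themes = {}
    for f in findings:
        fp = fingerprint(f["kind"], f["control"])
        t = themes.setdefault(fp, {"kind": f["kind"], "control": f["control"], "resources": set()})
        t["resources"].add(f["resource"])
    return themes

def reconcile(live, open_issues):
    """open_issues: {fingerprint: issue_number} from search-before-create.
    Returns (verb, issue_number, fingerprint, resources) actions; re-running
    on unchanged input only yields updates, never duplicate creates."""
    themes = group_by_theme(live)
    actions = []
    for fp, t in sorted(themes.items()):
        verb = "update" if fp in open_issues else "create"
        actions.append((verb, open_issues.get(fp), fp, sorted(t["resources"])))
    for fp, num in sorted(open_issues.items()):
        if fp not in themes:  # finding gone from the cluster: close-when-gone
            actions.append(("close", num, fp, []))
    return actions

def apply(actions, open_issues, dry_run=True):
    """Report-only by default; returns the issue map the next run would find."""
    state = dict(open_issues)
    next_number = max(state.values(), default=0) + 1
    for verb, num, fp, resources in actions:
        print(f"[{'DRY' if dry_run else 'LIVE'}] {verb} fp={fp} issue={num} resources={resources}")
        if dry_run:
            continue
        if verb == "create":
            state[fp] = next_number
            next_number += 1
        elif verb == "close":
            state.pop(fp, None)
    return state
```

A real bridge would persist the fingerprint in the issue body as a searchable marker so the next run's search finds it.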
Rough size
L — decompose into: (a) SARIF→Code-Scanning PR gate; (b) the CRD→issue bridge (dedup/fingerprint/close-when-gone); (c) Kyverno-Enforce graduation of controls driven to zero.
Acceptance criteria
Kubescape SARIF appears in the repo Security tab on PRs; posture regressions surface pre-merge.
… security issues under roadmap: Kubescape security stack → 100% and hold (posture · CVE · runtime) #2447, auto-closed when resolved; no issue spam.
… Enforce so they can't regress at admission.
Part of #2447.