
feat(security): continuously ingest Kubescape findings — SARIF→Code Scanning gate + CRD→issue bridge #2451

Description

@devantler

🤖 Generated by the Daily AI Assistant

Part of #2447.

Problem

Even once the scanners are fixed, live Kubescape findings (posture regressions, new reachable CVEs, runtime detections) never enter the work backlog — the daily engineer's survey is GitHub-only, so findings only get worked if a human files them. This is the structural reason the whole stack rotted unnoticed. We need continuous, idempotent ingestion so findings become tracked issues the engineer drains oldest-first, and a pre-merge gate so regressions never land.

Proposed direction (full loop — settled with the maintainer)

Two complementary paths (repo is public, so GitHub Code Scanning is available and already in use — CodeQL, zizmor):

  1. Prevention gate (repo-scannable posture): add a Kubescape SARIF scan step that uploads to GitHub Code Scanning on PRs (native dedup via partialFingerprints, auto-close-when-gone, Security tab). This complements the existing ksail workload scan compliance-threshold gate. Model the workflow on .github/workflows/todos.yaml (App-token + a reusable workflow targeting devantler-tech/actions, never reusable-workflows).
  2. Backlog bridge (live-only findings): a scheduled job that reads the live Kubescape CRDs a static repo scan can't produce — vulnerabilitymanifestsummaries, runtime node_agent_alert_counter state, and any residual configurationscansummaries regressions — and opens/updates/closes fingerprint-deduped, themed security issues under roadmap: Kubescape security stack → 100% and hold (posture · CVE · runtime) #2447 (one issue per control/theme, not per resource; search-before-create; close-when-gone). This is what makes findings drainable oldest-first.

Anti-spam is the hard part: get idempotency + fingerprinting right or it floods. Start the bridge in report-only/dry-run, then enable issue writes.

Rough size

L — decompose into: (a) SARIF→Code-Scanning PR gate; (b) the CRD→issue bridge (dedup/fingerprint/close-when-gone); (c) Kyverno-Enforce graduation of controls driven to zero.

Acceptance criteria
