Kritis (“judge” in Greek), is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, and in a subsequent release, Grafeas.
Here is an example Kritis policy, to prevent the deployment of Pod with a critical vulnerability unless it has been allowlisted:
imageAllowlist:
- gcr.io/my-project/allowlist-image@sha256:<DIGEST>
packageVulnerabilityPolicy:
maximumSeverity: HIGH
allowlistCVEs:
- providers/goog-vulnz/notes/CVE-2017-1000082
- providers/goog-vulnz/notes/CVE-2017-1000081In addition to the enforcement this project also contains signers that can be used to create Grafeas Attestation Occurrences to be used in other enforcement systems like Binary Authorization. For details see Kritis Signer.
- Watch the talk on Software Supply Chain Management with Grafeas and Kritis.
- Learn the concepts in the Kritis Whitepaper.
- Try out Kritis with standalone Grafeas by following Standalone Mode Tutorial
- Try the Tutorial to learn how to block vulnerabilities using GCP Container Analysis.
- Read the Resource Reference to configure and interact with Kritis resources.
If you have questions, reach out to us on kritis-users. For questions about contributing, please see the section below.
See CONTRIBUTING for details on how you can contribute.
See DEVELOPMENT for details on the development and testing workflow.
Kritis is under the Apache 2.0 license. See the LICENSE file for details.