Add capability for correcting the Kyverno findings in Security Hub automatically #356
Hey, thanks for your feedback. Right, Policy Reporter currently only detects new events, not really changes or removals. That's why it doesn't update stuff in e.g. Security Hub. I could try to implement it, but it will never be 100% accurate; the problem is when the pod restarts or you do e.g. an upgrade. In these cases Policy Reporter doesn't have the previous state and doesn't know when a resource in between changed or was removed. This is something you could keep in mind.
@fjogeleit in this case, maybe fields like the titles themselves could potentially be configurable?
Thanks for your feedback, I will see if there's something I could improve.
The current state would hardly be usable at scale if there's a bigger cluster and lots of policy violations (which shouldn't be the case, but let's assume somebody just added a new integration and now they have 1000 events where each is unique and generated, and they will continue to stream; some of these will naturally become outdated).
In general the key is a combination of name/namespace/policy/rule and it should not create multiple events for the same violation. Not sure which impact the Title has. Admittedly I don't have much experience with SecurityHub because I am not an AWS user at all. I can still try to provide a webhook call for resolved violations, but as mentioned it can't be 100% accurate, though enough to reduce too many outdated entries.
I implemented a first version of a cleanup handler. In the case of SecurityHub, PolicyReporter will fetch the current findings for a given resource and check which are no longer part of the policy report; in this case the finding will be archived. The current implementation can have the following drawbacks:
Any feedback is welcome.
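To make the reconciliation described in the comments above concrete (the name/namespace/policy/rule key, and the cleanup handler that compares live findings against the current policy report), here is an added example in Go. It is not Policy Reporter's own code: the `Finding` and `ViolationKey` types, the `Archived` flag and the `Reconcile` function are simplified models chosen for this illustration, and the finding IDs and policy names in `main` are constructed sample data. Because the plan is derived from the findings fetched at reconcile time rather than from a remembered previous state, it still produces a correct plan after a restart, which is the failure mode the maintainer points out.

```go
package main

import (
	"fmt"
	"sort"
)

// ViolationKey identifies one violation. The thread states the key is the
// combination of name/namespace/policy/rule; that is all this model carries.
type ViolationKey struct {
	Namespace string
	Name      string
	Policy    string
	Rule      string
}

func (k ViolationKey) String() string {
	return k.Namespace + "/" + k.Name + "/" + k.Policy + "/" + k.Rule
}

// Finding is a hypothetical, minimal model of a Security Hub finding for
// this example: an identifier, the violation it was created for, and whether
// it has already been archived (so it must not be archived twice).
type Finding struct {
	ID       string
	Key      ViolationKey
	Archived bool
}

// CleanupPlan is the outcome of one reconciliation pass for a resource.
type CleanupPlan struct {
	Archive []string       // open findings whose violation is no longer reported
	Create  []ViolationKey // reported violations that have no open finding yet
}

// Reconcile compares the findings currently open for a resource with the
// failing results in its current policy report. Findings without a matching
// failure are scheduled for archiving; failures without a finding are
// scheduled for creation; everything else is left alone. No previous state
// is consulted, so a restart of the reporter does not change the result.
func Reconcile(openFindings []Finding, currentFailures []ViolationKey) CleanupPlan {
	active := make(map[ViolationKey]bool, len(currentFailures))
	for _, k := range currentFailures {
		active[k] = true
	}
	covered := make(map[ViolationKey]bool)
	var plan CleanupPlan
	for _, f := range openFindings {
		if f.Archived {
			continue // already resolved; nothing to do
		}
		if active[f.Key] {
			covered[f.Key] = true // still violated, keep the finding open
			continue
		}
		plan.Archive = append(plan.Archive, f.ID)
	}
	for _, k := range currentFailures {
		if !covered[k] {
			plan.Create = append(plan.Create, k)
		}
	}
	// Deterministic ordering makes the plan easy to log and to test.
	sort.Strings(plan.Archive)
	sort.Slice(plan.Create, func(i, j int) bool {
		return plan.Create[i].String() < plan.Create[j].String()
	})
	return plan
}

func main() {
	// Constructed sample: two open findings for one pod; the privileged
	// container was remediated, and a new registry violation appeared.
	open := []Finding{
		{ID: "finding-1", Key: ViolationKey{"default", "nginx", "require-labels", "check-team"}},
		{ID: "finding-2", Key: ViolationKey{"default", "nginx", "disallow-privileged", "privileged-containers"}},
	}
	failures := []ViolationKey{
		{"default", "nginx", "require-labels", "check-team"},
		{"default", "nginx", "restrict-image-registries", "validate-registries"},
	}
	plan := Reconcile(open, failures)
	fmt.Println("archive:", plan.Archive)
	for _, k := range plan.Create {
		fmt.Println("create:", k)
	}
}
```

The one thing this cannot recover, as the thread notes, is a resource whose policy report disappeared entirely while the reporter was down; a caller would still need to list findings per resource and treat an absent report as "no failures" to archive those.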
Hello, everyone!
I'm excited about the recent update that enables Policy Reporter to send Kyverno findings directly to AWS Security Hub. I've successfully deployed and configured it for my environment.
While testing, I observed that when I remediated a policy violation in Kyverno, the corresponding finding in AWS Security Hub didn't automatically update its status to "Resolved". Currently, the finding remains in an open state, which can make it challenging to track the progress of policy violations over time.
I would like to propose an enhancement that allows Policy Reporter to update the status of findings in AWS Security Hub when the associated policy violation is fixed and no longer valid. This feature would provide a more comprehensive view of security compliance and streamline the workflow for addressing issues.
Is it possible to consider implementing this feature in a future release? Your support would be greatly appreciated.
Thank you!