Skip to content

Lens Security#

Lens Pro subscription feature

Kubernetes does not natively provide easy visibility into container images or any vulnerabilities originating from those images running on a cluster. This information is typically distributed among multiple manifest files, resource descriptors, and centralized security scanning dashboards.

With Lens Security you can scan images in a cluster and see details of vulnerabilities associated with an image. Lens Desktop enables this feature by including Starboard, a security tool that finds and views risks that relate to different resources in a Kubernetes-native way.

Note

Image scanning on Windows requires Windows Subsystem for Linux (WSL2).

You can find vulnerabilities using one of the following methods:

  • Centralized cluster scanning
    The Starboard operator must be installed on the cluster to automatically scan the images. Lens simply shows the results of those scans.
  • Manual image scanning
    The Lens Desktop user scans cluster images manually with the embedded version of Starboard.

Important

For correct functioning of Lens Security, add the following domains to the firewall exceptions:

  • ghcr.io
  • pkg-containers.githubusercontent.com

Images view#

To see the scanning results or scan an image click Images in the Cluster navigation panel. The view contains graphs that show a summary of vulnerabilities and the scanning status of container images running in the cluster. You can also find the list of container images that currently run in a cluster. The table with images displays the following essentials:

  • Platform that an image is running on
  • Number of pods that use the image
  • Number of vulnerabilities by severity level
  • Current image status

Click an image in the table to open the Details panel where you can find more information about the container image.

Platforms display previous and current platforms. Current platforms are blue. Click a platform for details and history.

Vulnerabilities contain a summary and a table of detected image vulnerabilities. The table is interactive, you can click the vulnerability ID to find more information from one of the vulnerability databases. For example, the details of manual scanning are provided by the Aqua Vulnerability Database.

Tip

Image vulnerability data is also available when observing pod and deployment details in the corresponding views.

Centralized automated scanning#

Lens Desktop fetches security scan information using the following external tools:

With Starboard Operator installed to your cluster, Starboard automatically scans all images in a cluster.

MSR automatically scans the images hosted in the MSR repositories. Having access to the MSR API, Lens Desktop can fetch vulnerability scan results from the corresponding database.

Note

The parameters of automatic image scanning depend on Starboard and MSR configurations.

Automated scanning with the Trivy Operator tool#

Another way to automate security scanning is to install Trivy Operator:

  1. Navigate to File > Preferences > Kubernetes > Helm Charts and click Add Custom Helm Repo.
  2. In the Add custom Helm Repo dialog, paste the following link into the URL input field: https://aquasecurity.github.io/helm-charts/ and click Add.
  3. In the cluster view, navigate to Namespaces and create the following namespace: trivy-system.
  4. Navigate to Helm > Charts, find and click the trivy-operator chart and, in the following dialog, click Install.
  5. In the Helm Install tab, specify the following parameters and click Install:
    • Namespace: trivy-system
    • Name: <name-of-the-release>

The Trivy Operator scans namespaces specified in the OPERATOR_TARGET_NAMESPACES parameter. The default value is the blank string (""). See the Configuration article in official Trivy documentation.

Scanning in air-gapped environments#

Lens Desktop supports work in air-gapped environments. For vulnerability scanning in an air-gapped environment, you can download the vulnerability database and use it on a machine that does not have internet access.

To download the vulnerability database using Lens Desktop:

  1. On an internet-connected machine, navigate to File > Preferences > Lens Security and click Export Current DB.
  2. Transfer the downloaded lens-vulnerability-db.tar.gz file to an air-gapped machine.
  3. On the air-gapped machine, navigate to File > Preferences > Lens Security and click Import DB.

Note

You can also download the vulnerability database using the Trivy security scanner. For details see Trivy documentation: Air-Gapped Environment.

Manual scanning#

To perform manual scanning:

  1. In the Cluster navigation panel, open the Images tab.
  2. From the images list, select an image you need to scan and click Options > Scan image.