Kaniko (Executor) Sentinel One Flagging Jobs MITRE T1078, T1070, T1156, T1554, and T1083 #1979

Open
davew723 opened this issue Mar 10, 2022 · 3 comments
Labels
area/security kind/question Further information is requested needs-discussion Items which need more discussion before commitment needs-follow-up priority/p3 agreed that this would be good to have, but no one is available at the moment.

Comments

@davew723

davew723 commented Mar 10, 2022

We started evaluating the use of Kaniko for building container images as a possible way to displace shell/docker runners that expose elevated access. We are leveraging Kaniko via a K8S cluster with GitLab CI Runners installed, running the Kaniko container. Our container is based on the https://repo1.dso.mil/dsop/opensource/kaniko/kaniko Ironbank image with cert updates for our network. All jobs are getting flagged by Sentinel One as a NOT MITIGATED / SUSPICIOUS threat, even a simple job that just builds a container based on a single FROM line and RUN echo hi. Just beginning investigation of the risk in use. Threats being flagged are ...

MITRE T1078, T1070, T1156, T1554, and T1083

@imjasonh
Collaborator

I have no idea where that image comes from, or their process for vetting or vouching for images. You may want to file an issue at https://repo1.dso.mil/dsop/opensource/kaniko/kaniko/-/issues to see if they know more about these findings.

In any case, it looks like they're still building upon a pretty old Kaniko image -- v1.8.0 was released this week, and they have an open issue to pick it up.

@davew723
Author

davew723 commented Mar 11, 2022

Their Dockerfile is using 'FROM gcr.io/kaniko-project/executor:v1.8.0-debug as upstream'. The base is a ubi8 image which we have verified is clean. There are a couple of other packages included that I will examine. The reports are directly about the executor.

I will test this project's official 1.8 image to verify whether the issues follow this project and provide an update back.

(Ironbank attempts to provide vetted images to a wide community. Their kaniko image is still under review. I will reach out to them to understand the status. I'm speculating it's not approved because of these issues.)
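The two comments above describe a reproducer (a single FROM plus RUN echo hi, run under a GitLab runner on Kubernetes) and a plan to rerun it against the upstream image to see whether the alert follows the executor. The job below is an added example and is not code from the issue, from the Ironbank project or from Kaniko. It runs the same one-line build in both images with --no-push, so a registry push cannot be the trigger and any difference in what the EDR reports can be attributed to the executor binary versus the wrapper image. Kaniko's executor unpacks the base image into its own root filesystem and walks that filesystem to snapshot layers, so file-discovery and file-modification heuristics firing on every build is consistent with how the tool works; the reproducer is what tells you whether the flag tracks the executor at all. Assumptions: the runner uses the Kubernetes executor, the Ironbank image name and tag are placeholders (the thread does not give the registry path), and the ubi8-minimal FROM line stands in for whatever base the original job used.

```yaml
# Added example (not from the issue or the Kaniko project): minimal GitLab CI
# reproducer that runs an identical one-line build in the upstream Kaniko
# debug image and in the Ironbank-derived image, without pushing anything.
.kaniko-repro:
  stage: build
  image:
    name: $KANIKO_IMAGE          # set per job below
    entrypoint: [""]             # the -debug image ships busybox sh; suppress the executor entrypoint
  variables:
    GIT_STRATEGY: none           # no repo checkout; the Dockerfile is written inline
  script:
    - mkdir -p /workspace
    # Same minimal Dockerfile the issue describes (base image is an assumption)
    - printf 'FROM registry.access.redhat.com/ubi8/ubi-minimal\nRUN echo hi\n' > /workspace/Dockerfile
    # --no-push keeps the registry out of the picture; debug verbosity shows the
    # filesystem walk and layer extraction that an EDR is most likely reacting to
    - /kaniko/executor
        --context dir:///workspace
        --dockerfile /workspace/Dockerfile
        --no-push
        --verbosity debug

repro-upstream:
  extends: .kaniko-repro
  variables:
    KANIKO_IMAGE: gcr.io/kaniko-project/executor:v1.8.0-debug

repro-ironbank:
  extends: .kaniko-repro
  variables:
    # Placeholder: substitute the actual Ironbank registry path and tag
    KANIKO_IMAGE: registry.example.internal/ironbank/kaniko:placeholder
```

Run both jobs on the same runner node and compare the EDR events they produce. If only repro-ironbank is flagged, the extra packages and cert changes in the wrapper image are the place to look; if both are flagged identically, the detections are about the executor's own behaviour and the conversation belongs with the Kaniko maintainers and the EDR vendor rather than with Ironbank.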

@aaron-prindle
Collaborator

@davew723 were you able to resolve the issues you were seeing with flagged vulns using the https://repo1.dso.mil/dsop/opensource/kaniko/kaniko/-/issues image?

@aaron-prindle aaron-prindle added kind/question Further information is requested needs-discussion Items which need more discussion before commitment needs-follow-up priority/p3 agreed that this would be good to have, but no one is available at the moment. area/security labels Jun 14, 2023