Scanning Tools

Konarr uses industry-standard security scanning tools to generate a Software Bill of Materials (SBOM) and detect vulnerabilities in container images. The agent supports multiple tools, each with specific capabilities and features.

Implementation: Tool integration is implemented in src/tools with specific implementations for Syft, Grype, and Trivy. The tool catalogue system is in src/utils/catalogue.

Supported Tools

Konarr supports three primary scanning tools:

Syft

Syft is an open-source SBOM generation tool from Anchore that catalogs software packages and dependencies across various formats.

Features:

  • SBOM Generation: Creates comprehensive Software Bill of Materials in multiple formats (SPDX, CycloneDX)
  • Multi-Language Support: Detects packages from NPM, Cargo, Deb, RPM, PyPI, Maven, Go, and more
  • Container Layer Analysis: Scans all layers of container images
  • File System Cataloging: Analyzes installed packages, language-specific packages, and binaries
  • Fast Performance: Optimized for quick scanning of large images

Konarr Implementation:

  • Primary tool for SBOM generation
  • Auto-install supported in agent
  • Cataloger scope can be configured (all-layers, squashed)
  • Path exclusion support for temporary directories

Grype

Grype is a vulnerability scanner from Anchore that matches packages against known CVE databases.

Features:

  • Vulnerability Detection: Scans software packages for known vulnerabilities
  • Multiple Database Sources: Uses multiple vulnerability databases including NVD, Alpine SecDB, RHEL Security Data
  • SBOM Analysis: Can scan SBOMs generated by Syft or other tools
  • Severity Filtering: Filter results by vulnerability severity (critical, high, medium, low)
  • Format Support: Works with all Syft-supported package formats
  • Regular Updates: Vulnerability database updates automatically

Konarr Implementation:

  • Used for vulnerability scanning after SBOM generation
  • Auto-install supported in agent
  • Configurable severity thresholds
  • Option to ignore fixed vulnerabilities

Trivy

Trivy is a comprehensive security scanner from Aqua Security that detects vulnerabilities, misconfigurations, and secrets.

Features:

  • Multi-Format Scanning: Detects vulnerabilities in OS packages, language dependencies, and application dependencies
  • Container Image Scanning: Comprehensive container image analysis
  • IaC Scanning: Scans Infrastructure as Code files (Terraform, CloudFormation, Kubernetes)
  • Secret Detection: Finds exposed secrets and credentials
  • Misconfiguration Detection: Identifies security misconfigurations
  • SBOM Support: Can generate and consume SBOMs in multiple formats

Konarr Implementation:

  • Alternative security scanning tool with broader detection capabilities
  • Auto-install supported in agent
  • Configurable database update behavior
  • Timeout settings for long-running scans

Tool Selection

Selecting a Tool

You can configure which tool the agent uses through environment variables or configuration files:

Environment Variable:

# Select the primary scanning tool
export KONARR_AGENT_TOOL="syft"  # or "grype", "trivy"

Configuration File (konarr.yml):

agent:
  tool: "syft"  # Primary tool for scanning
  tool_auto_install: true
  tool_auto_update: false

Tool Installation

The agent can automatically install missing tools:

# Enable auto-install (default in container images)
export KONARR_AGENT_TOOL_AUTO_INSTALL=true

# Manual tool installation
konarr-cli tools install --tool syft
konarr-cli tools install --tool grype
konarr-cli tools install --tool trivy

Checking Installed Tools

List installed tools and their versions:

konarr-cli tools list

Output example:

Tool     Version    Status      Path
syft     v0.96.0    Installed   /usr/local/bin/syft
grype    v0.74.0    Installed   /usr/local/bin/grype
trivy    v0.48.0    Missing     -

Viewing Tool Usage

In the Web Interface

When viewing a snapshot in the Konarr web interface, you can see which tool was used to generate the SBOM and scan for vulnerabilities:

  1. Navigate to a project
  2. Click on a specific snapshot
  3. The snapshot details will show the tool used for scanning

Via API

Query the snapshot details through the API to see tool information:

curl -H "Authorization: Bearer $KONARR_AGENT_TOKEN" \
  http://your-server:9000/api/snapshots/{snapshot_id}

The response includes metadata about the scanning tool used.

In Agent Logs

The agent logs show which tool is being used for each scan:

# View agent logs in container mode
docker logs konarr-agent

# Look for lines indicating tool usage
# Example: "Using syft for SBOM generation"

Tool Configuration

Storage Locations

Tools are stored in the following locations:

Environment     Path
Container       /usr/local/toolcache/
Host install    ~/.local/bin/ or /usr/local/bin/
Custom          Set via KONARR_AGENT_TOOLCACHE_PATH

Advanced Configuration

Configure agent tool settings in konarr.yml:

agent:
  tool: "syft"
  tool_auto_install: true
  tool_auto_update: false

Tool Comparison

Feature                  Syft                                    Grype               Trivy
SBOM Generation          ✅ Primary                              -                   ✅
Vulnerability Scanning   -                                       ✅ Primary          ✅
Package Managers         NPM, Cargo, Deb, RPM, PyPI, Maven, Go   All Syft formats    Multi-format
Secret Detection         -                                       -                   ✅
IaC Scanning             -                                       -                   ✅
Auto-Install             ✅                                      ✅                  ✅
Speed                    Fast                                    Fast                Moderate

Troubleshooting

Tool Installation Issues

If tools fail to install automatically:

# Check tool availability
konarr-cli tools list

# Manual tool install
konarr-cli tools install --tool syft

# Check tool cache
ls -la /usr/local/toolcache/

Tool Version Conflicts

Verify tool versions and compatibility:

konarr-cli tools version

Disabling Auto-Install

For locked-down environments, disable auto-install and pre-install approved tool versions in the tool cache, so the agent never fetches a binary at runtime:

agent:
  tool_auto_install: false  # Disable automatic installation
  toolcache_path: "/usr/local/toolcache"  # Pre-installed tool location
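The following script is an added example, not part of Konarr or its CLI. It ties together the tool selection described under "Tool Selection", the `konarr-cli tools list` output shown under "Checking Installed Tools", and the pinned-version posture of this section: it reads KONARR_AGENT_TOOL (defaulting to syft), confirms the tool is one the agent supports, checks that the tools list reports it as Installed, and compares the installed version with an approved pin list. The four-column table layout and the one-line-per-tool "tool version" pin-file format are assumptions; the sample listing is the page's own example output and the pin list is constructed, so the script runs offline without calling the real CLI.

```shell
#!/bin/sh
# Added example (not Konarr code): pre-flight check for an agent host where
# tool_auto_install is disabled and approved tool versions are pinned.
# Assumed inputs: the Tool/Version/Status/Path table printed by
# `konarr-cli tools list`, and a pin list of "tool version" lines.

# Constructed sample, copied from the page's example output (trivy missing).
SAMPLE_LIST='Tool     Version    Status      Path
syft     v0.96.0    Installed   /usr/local/bin/syft
grype    v0.74.0    Installed   /usr/local/bin/grype
trivy    v0.48.0    Missing     -'

# Constructed pin list: the versions a change process approved.
# grype is deliberately pinned one release behind to show drift detection.
APPROVED_PINS='syft v0.96.0
grype v0.73.0
trivy v0.48.0'

# valid_tool NAME -> 0 if NAME is a tool the agent supports.
valid_tool() {
  case "$1" in
    syft|grype|trivy) return 0 ;;
    *) return 1 ;;
  esac
}

# selected_tool -> KONARR_AGENT_TOOL, defaulting to syft (the primary tool).
selected_tool() {
  printf '%s\n' "${KONARR_AGENT_TOOL:-syft}"
}

# tool_field LIST TOOL COL -> column COL (2 = Version, 3 = Status) for TOOL.
tool_field() {
  printf '%s\n' "$1" | awk -v tool="$2" -v f="$3" 'NR > 1 && $1 == tool { print $f }'
}

# missing_tools LIST -> space-separated tools whose Status is not "Installed".
missing_tools() {
  printf '%s\n' "$1" |
    awk 'NR > 1 && $3 != "Installed" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# pinned_version PINS TOOL -> approved version for TOOL, empty if unpinned.
pinned_version() {
  printf '%s\n' "$1" | awk -v tool="$2" '$1 == tool { print $2 }'
}

# check_tool TOOL LIST PINS -> 0 when TOOL is supported, installed, and at its
# approved version; otherwise prints the reason and returns 1. With
# auto-install disabled, an agent pointed at an absent or drifted tool should
# fail here, before any scan runs.
check_tool() {
  tool="$1"; list="$2"; pins="$3"
  if ! valid_tool "$tool"; then
    echo "unsupported tool: $tool"
    return 1
  fi
  status=$(tool_field "$list" "$tool" 3)
  if [ "$status" != "Installed" ]; then
    echo "$tool not installed (status: ${status:-absent}); pre-install it: konarr-cli tools install --tool $tool"
    return 1
  fi
  want=$(pinned_version "$pins" "$tool")
  have=$(tool_field "$list" "$tool" 2)
  if [ -z "$want" ]; then
    echo "$tool has no approved version pinned"
    return 1
  fi
  if [ "$have" != "$want" ]; then
    echo "$tool version drift: installed $have, approved $want"
    return 1
  fi
  echo "$tool $have ok"
  return 0
}

# Stand-alone run against the constructed data.
check_tool "$(selected_tool)" "$SAMPLE_LIST" "$APPROVED_PINS"
echo "missing: $(missing_tools "$SAMPLE_LIST")"
```

On a real host, replace SAMPLE_LIST with `$(konarr-cli tools list)` and keep APPROVED_PINS under the same review as the rest of the agent configuration; a non-zero exit from check_tool is the signal to stop the agent start-up rather than let a scan proceed with an unapproved binary.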

Additional Resources