Kritis should do more things than just scanning for known vulnerabilities. What I'd like to see is checking for signatures, verifying that tests have been run and test coverage is above a certain threshold, open source license compliance, etc.
I think it should provide some generic interface to verify an image against arbitrary metadata from Grafeas, which leads us to the idea of integrating Kritis with Gatekeeper.
It could look like this: Kritis provides Grafeas data including attestation information to Gatekeeper so that Gatekeeper can make admission decisions.
See also Gatekeeper issue 1293.
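As an added sketch of what the proposed integration could look like on the Gatekeeper side (this is illustrative, not code from Kritis, Grafeas or Gatekeeper): a ConstraintTemplate whose Rego reads Grafeas occurrences and rejects Pods whose images lack a required attestation or carry a critical vulnerability. It assumes a hypothetical `ImageAttestations` resource (`kritis.grafeas.io/v1`) that Kritis would write per image digest, carrying the Grafeas occurrences it has already signature-verified, and that Gatekeeper's Config syncs those objects into `data.inventory`. The Gatekeeper template/constraint/config shapes and the Grafeas occurrence fields (`kind`, `noteName`, `vulnerability.severity`) are real; the resource, note names and project are made up for the example.

```yaml
# Hypothetical Gatekeeper policy consuming Grafeas data published by Kritis.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: kritisrequireattestation
spec:
  crd:
    spec:
      names:
        kind: KritisRequireAttestation
      validation:
        openAPIV3Schema:
          properties:
            requiredNotes:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package kritisrequireattestation

        # Every image the Pod would run, init containers included.
        images[img] {
          img := input.review.object.spec.containers[_].image
        }
        images[img] {
          img := input.review.object.spec.initContainers[_].image
        }

        # ASSUMPTION: Kritis publishes one ImageAttestations object per image
        # (spec.image is the digest-pinned reference, spec.occurrences is the
        # list of Grafeas occurrences it verified) and Gatekeeper syncs them.
        occurrences(img) = occs {
          obj := data.inventory.cluster["kritis.grafeas.io/v1"]["ImageAttestations"][_]
          obj.spec.image == img
          occs := obj.spec.occurrences
        }

        has_attestation(img, note) {
          occ := occurrences(img)[_]
          occ.kind == "ATTESTATION"
          occ.noteName == note
        }

        # Only digest-pinned images can be matched to Grafeas metadata.
        violation[{"msg": msg}] {
          img := images[_]
          not contains(img, "@sha256:")
          msg := sprintf("image %v is not pinned by digest", [img])
        }

        # Missing metadata or a missing required attestation both deny.
        violation[{"msg": msg}] {
          img := images[_]
          note := input.parameters.requiredNotes[_]
          not has_attestation(img, note)
          msg := sprintf("image %v has no attestation for note %v", [img, note])
        }

        # Vulnerability occurrences are arbitrary Grafeas metadata too.
        violation[{"msg": msg}] {
          img := images[_]
          occ := occurrences(img)[_]
          occ.kind == "VULNERABILITY"
          occ.vulnerability.severity == "CRITICAL"
          msg := sprintf("image %v has a CRITICAL vulnerability (%v)", [img, occ.noteName])
        }
---
# Sync the hypothetical resource into Gatekeeper's data.inventory.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    syncOnly:
      - group: kritis.grafeas.io
        version: v1
        kind: ImageAttestations
---
# Constraint: which attestation notes a Pod's images must carry.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: KritisRequireAttestation
metadata:
  name: require-build-and-qa-attestations
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    requiredNotes:
      - projects/example-project/notes/built-by-ci
      - projects/example-project/notes/qa-passed
```

The point of the split is that signature verification against the attestation authority's keys stays in Kritis (which already has the Grafeas client and the public keys), while the policy over arbitrary occurrence kinds lives in Rego, where operators already express admission rules. Test-coverage or license checks would follow the same pattern: Kritis publishes the occurrence, the template adds one more `violation` rule.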