Vulnerabilities Relevancy
The relevancy functionality enables ARMO Platform users to understand which of the reported vulnerabilities are actually relevant to their workload at runtime.
Overview
ARMO Platform's relevancy feature is based on Kubescape's relevancy capability (known as the Taster), which in turn is based on eBPF. It observes the running environment and maps out the artifacts and libraries that are loaded into memory, and are therefore actually in use in the environment.
The Taster is part of Kubescape's in-cluster components. It uses eBPF probes to look at the file activity of a running container. When a pod starts on a node, the Taster watches its containers for a configurable learning period and stores an activity log.
During the scan of a container, an SBOM is generated. This contains the vulnerability scanner's understanding of which components are installed in the container. When vulnerabilities are checked, the engine is provided with a filtered SBOM that includes only the packages relating to files that were accessed during the learning period.
Enabling the Relevancy feature
To enable the relevancy functionality, follow the instructions below:
- To configure the learning periods of the feature, use the flags detailed in the table below.
Flag | Default | Description | Example (helm --set) |
---|---|---|---|
learningPeriod | 2 minutes | The amount of time the Taster observes a running container to determine the relevancy of files. The value is in minutes. | --set nodeAgent.config.learningPeriod=15 |
maxLearningPeriod | 180 minutes | The maximum amount of time the Taster keeps observing a running container. The value is in minutes. | --set nodeAgent.config.maxLearningPeriod=200 |
Using the Relevancy feature
After installation, the Taster starts listening to every new or restarted container for the time configured as the learning period. Once the learning period has concluded, the relevant information is available in the cluster storage and in ARMO Platform. The Taster keeps listening to the container until the maxLearningPeriod is reached.
View Relevancy information in the ARMO Platform UI
Prerequisites
- Pods were restarted after the feature was enabled, so that the learning period was initiated
- The learning period has concluded
Vulnerabilities main view
Navigate to the Vulnerabilities section
The top tiles provide information regarding the relevant vulnerabilities found in the scanned containers. The information is broken down using prioritization indicators (Fixable, RCE and Relevant).
(Image: Severity tiles)
The table detailing the vulnerabilities (see snippet below) provides a list of workloads scanned for vulnerabilities. The table contains a "Relevant" column stating the number of vulnerabilities found relevant for the workload in question.
(Image: Workloads view)
Possible values that populate the "Relevant" column are:
- Number - the count of relevant vulnerabilities found for the given workload.
- N/A - may result from one of several factors:
Learning period | Relevancy status | Description | Resolution |
---|---|---|---|
Incomplete | Installed | Relevancy is installed on the cluster and learning is still in progress | Wait for the conclusion of the learning period |
Done | Installed | Relevancy is installed on the cluster but the container under the workload was not restarted since the Relevancy feature was enabled | Restart the container under the given workload |
- | Not installed | The Relevancy feature is not enabled on the cluster the workload is deployed in | Enable Relevancy on the cluster and restart the workload |
Workload vulnerabilities view
Upon drilling down into a workload with relevant data, the vulnerabilities table contains a column named "Relevant" stating the relevancy of the vulnerability in question.
Possible values here are:
- Yes - The package affected by the given vulnerability was loaded into memory during the learning period. Hence, it is relevant.
- No - The package affected by the given vulnerability was NOT loaded into memory during the learning period. Hence, it is NOT relevant.
- N/A - No data is available for the given vulnerability. See the resolution table in the previous section.
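The two passages above (the filtered SBOM built from the learning period in the Overview, and the Yes / No / N/A values of the "Relevant" column) describe one pipeline. The following is an added example, not Kubescape or ARMO Platform code, that models that pipeline end to end and also shows the effect of the symlink limitation listed later on this page. The SBOM layout, the package-to-file mapping, the activity log, the symlink table and the CVE identifiers are all constructed for the example; the page does not specify the scanner's real data formats.

```python
"""Added example (not Kubescape/ARMO code): from an SBOM plus a learning-period
activity log to a filtered SBOM, and from there to per-CVE relevancy verdicts.
All data structures and sample values are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    files: frozenset  # absolute paths this package installs in the image


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    package: str  # name of the package the finding is attached to


def resolve(path: str, symlinks: Optional[Dict[str, str]]) -> str:
    """Follow a (constructed) symlink table; a path with no entry is returned as-is."""
    seen = set()
    while symlinks and path in symlinks and path not in seen:
        seen.add(path)
        path = symlinks[path]
    return path


def filter_sbom(sbom: Iterable[Package], activity_log: Iterable[str],
                symlinks: Optional[Dict[str, str]] = None) -> List[Package]:
    """Keep only packages owning at least one file opened during the learning period.

    `symlinks` models the limitation described on this page: if the probe reports the
    link path instead of its target, a package is matched only when the link is resolved.
    """
    accessed = {resolve(p, symlinks) for p in activity_log}
    return [pkg for pkg in sbom if pkg.files & accessed]


def classify(vulns: Iterable[Vulnerability], sbom: Iterable[Package],
             filtered: Iterable[Package], learning_done: bool) -> Dict[str, str]:
    """Map each finding to "Yes", "No" or "N/A" as documented for the Relevant column."""
    if not learning_done:
        # No verdict exists until the learning period has concluded.
        return {v.cve_id: "N/A" for v in vulns}
    installed = {p.name for p in sbom}
    relevant = {p.name for p in filtered}
    verdicts = {}
    for v in vulns:
        if v.package not in installed:
            verdicts[v.cve_id] = "N/A"  # assumption: no data for a package absent from the SBOM
        elif v.package in relevant:
            verdicts[v.cve_id] = "Yes"
        else:
            verdicts[v.cve_id] = "No"
    return verdicts


# Constructed sample image contents.
SBOM = [
    Package("openssl", "3.0.9", frozenset({"/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"})),
    Package("curl", "8.1.2", frozenset({"/usr/bin/curl", "/usr/lib/libcurl.so.4"})),
    Package("vim", "9.0", frozenset({"/usr/bin/vim"})),
]
# Constructed activity log: paths the container opened during the learning period.
ACTIVITY_LOG = ["/usr/lib/libssl.so", "/usr/lib/libcurl.so.4", "/etc/passwd"]
# Constructed symlink table: the loader opened libssl through its unversioned link.
SYMLINKS = {"/usr/lib/libssl.so": "/usr/lib/libssl.so.3"}
# Placeholder CVE identifiers, not real findings.
VULNS = [
    Vulnerability("CVE-XXXX-0001", "openssl"),
    Vulnerability("CVE-XXXX-0002", "curl"),
    Vulnerability("CVE-XXXX-0003", "vim"),
    Vulnerability("CVE-XXXX-0004", "zlib"),  # not in this image's SBOM
]


def relevancy_report(resolve_symlinks: bool = True) -> Dict[str, str]:
    """Verdicts for the sample image, with or without resolving symlinks first."""
    filtered = filter_sbom(SBOM, ACTIVITY_LOG, SYMLINKS if resolve_symlinks else None)
    return classify(VULNS, SBOM, filtered, learning_done=True)


if __name__ == "__main__":
    print("with symlink resolution:   ", relevancy_report(True))
    print("without symlink resolution:", relevancy_report(False))
```

With the symlink resolved, openssl is matched and CVE-XXXX-0001 is "Yes"; without it, the same opened library is missed and the finding drops to "No", which is the behaviour the Symlinks limitation warns about.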
(Image: Vulnerabilities view)
View relevant information from the cluster storage
View SBOM information
```
kubectl get -n kubescape --show-labels SBOMSPDXv2p3
NAME CREATED AT LABELS
docker.io-grafana-grafana-9.5.3-b8d861 2023-06-15T15:45:33Z kubescape.io/image-id=docker-io-grafana-grafana-sha256-35e8e1b76912e4c3bbaa8de01e730a,kubescape.io/image-name=docker-io-grafana-grafana
gcr.io-vmwarecloudadvocacy-acmeshop-catalog-latest-3fc804 2023-06-15T15:45:54Z kubescape.io/image-id=gcr-io-vmwarecloudadvocacy-acmeshop-catalog-sha256-8fd8df19f379,kubescape.io/image-name=gcr-io-vmwarecloudadvocacy-acmeshop-catalog
mongo-4-f244e3 2023-06-15T15:44:55Z kubescape.io/image-id=docker-io-library-mongo-sha256-967fecde146a0d1ac5ec5805a2c75906,kubescape.io/image-name=docker-io-library-mongo
otel-opentelemetry-collector-0.70.0-55f80d 2023-06-15T15:45:08Z kubescape.io/image-id=docker-io-otel-opentelemetry-collector-sha256-54f9e300089317cd4,kubescape.io/image-name=docker-io-otel-opentelemetry-collector
quay.io-kiwigrid-k8s-sidecar-1.24.3-be1fe8 2023-06-15T15:45:17Z kubescape.io/image-id=quay-io-kiwigrid-k8s-sidecar-sha256-5af76eebbba79edf4f7471bf1c3,kubescape.io/image-name=quay-io-kiwigrid-k8s-sidecar
```
View filtered SBOM information
```
kubectl get -n kubescape --show-labels SBOMSPDXv2p3Filtered
NAME CREATED AT LABELS
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-424f-cdc1 2023-06-15T15:47:20Z kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana-sc-dashboard,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-6929-6389 2023-06-15T15:49:20Z kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-d1f2-ec75 2023-06-15T15:47:21Z kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana-sc-datasources,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
```
Get the CVE list and the relevant (filtered) CVE list
```
kubectl get -n kubescape --show-labels VulnerabilityManifests
NAME CREATED AT LABELS
docker.io-grafana-grafana-9.5.3-b8d861 2023-06-15T15:45:36Z kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-grafana-grafana-sha256-35e8e1b76912e4c3bbaa8de01e730a,kubescape.io/image-name=docker-io-grafana-grafana
gcr.io-vmwarecloudadvocacy-acmeshop-catalog-latest-3fc804 2023-06-15T15:45:59Z kubescape.io/context=non-filtered,kubescape.io/image-id=gcr-io-vmwarecloudadvocacy-acmeshop-catalog-sha256-8fd8df19f379,kubescape.io/image-name=gcr-io-vmwarecloudadvocacy-acmeshop-catalog
gke.gcr.io-cluster-proportional-autoscaler-1.8.4-gke.1-a146bc 2023-06-15T15:46:48Z kubescape.io/context=non-filtered,kubescape.io/image-id=gke-gcr-io-cluster-proportional-autoscaler-sha256-0f232ba18b633,kubescape.io/image-name=gke-gcr-io-cluster-proportional-autoscaler
mongo-4-f244e3 2023-06-15T15:45:01Z kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-library-mongo-sha256-967fecde146a0d1ac5ec5805a2c75906,kubescape.io/image-name=docker-io-library-mongo
nginx-1.14.2-306b8d 2023-06-15T15:46:45Z kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-library-nginx-sha256-f7988fb6c02e0ce69257d9bd9cf37ae2,kubescape.io/image-name=docker-io-library-nginx
otel-opentelemetry-collector-0.70.0-55f80d 2023-06-15T15:45:09Z kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-otel-opentelemetry-collector-sha256-54f9e300089317cd4,kubescape.io/image-name=docker-io-otel-opentelemetry-collector
quay.io-argoproj-argocd-v2.6.7-a2bd09 2023-06-15T15:46:32Z kubescape.io/context=non-filtered,kubescape.io/image-id=quay-io-argoproj-argocd-sha256-a9a0c6b9360587d9786c0d84b0bf948d,kubescape.io/image-name=quay-io-argoproj-argocd
quay.io-kiwigrid-k8s-sidecar-1.24.3-be1fe8 2023-06-15T15:45:20Z kubescape.io/context=non-filtered,kubescape.io/image-id=quay-io-kiwigrid-k8s-sidecar-sha256-5af76eebbba79edf4f7471bf1c3,kubescape.io/image-name=quay-io-kiwigrid-k8s-sidecar
quay.io-kubescape-kollector-v0.1.21-bc8e8d 2023-06-15T15:46:51Z kubescape.io/context=non-filtered,kubescape.io/image-id=quay-io-kubescape-kollector-sha256-cef4b4ef628470df7a9cf1bcd2a9,kubescape.io/image-name=quay-io-kubescape-kollector
```
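The listings above are the quickest way to check whether learning has actually concluded for a workload: a container only gets an SBOMSPDXv2p3Filtered object once its learning period is done, and the workload labels on that object identify the container. The following is an added example, not Kubescape or ARMO Platform code, that parses the `--show-labels` output into label maps and reports, per container, whether a filtered SBOM exists. The sample input is copied from the filtered-SBOM listing on this page; the expected container list (including the `grafana-init` container) is constructed for the example.

```python
"""Added example (not Kubescape/ARMO code): parse `kubectl get --show-labels` output
for the relevancy CRs and report which containers of a workload have a filtered SBOM."""
from typing import Dict, Iterable, List, Set

# Constructed input: copied from the SBOMSPDXv2p3Filtered listing shown on this page.
FILTERED_SBOM_LISTING = """\
NAME CREATED AT LABELS
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-424f-cdc1 2023-06-15T15:47:20Z kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana-sc-dashboard,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-6929-6389 2023-06-15T15:49:20Z kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-d1f2-ec75 2023-06-15T15:47:21Z kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana-sc-datasources,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
"""

# Label keys as they appear in the listing above.
NAMESPACE_LABEL = "kubescape.io/workload-namespace"
KIND_LABEL = "kubescape.io/workload-kind"
NAME_LABEL = "kubescape.io/workload-name"
CONTAINER_LABEL = "kubescape.io/workload-container-name"


def parse_show_labels(text: str) -> List[Dict]:
    """Turn `kubectl get --show-labels` output into rows of name, timestamp and label map."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("NAME "):
            continue  # skip blank lines and the column header
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line; kubectl always prints three columns here
        name, created, labels = parts
        label_map: Dict[str, str] = {}
        if labels != "<none>":  # kubectl prints <none> for unlabeled objects
            for kv in labels.split(","):
                key, _, value = kv.partition("=")
                label_map[key] = value
        rows.append({"name": name, "created": created, "labels": label_map})
    return rows


def containers_with_filtered_sbom(rows: Iterable[Dict], namespace: str,
                                  kind: str, name: str) -> Set[str]:
    """Container names of the given workload that have a filtered SBOM object."""
    found = set()
    for row in rows:
        lbl = row["labels"]
        if (lbl.get(NAMESPACE_LABEL) == namespace and lbl.get(KIND_LABEL) == kind
                and lbl.get(NAME_LABEL) == name and CONTAINER_LABEL in lbl):
            found.add(lbl[CONTAINER_LABEL])
    return found


def learning_status(rows: Iterable[Dict], namespace: str, kind: str, name: str,
                    expected_containers: Iterable[str]) -> Dict[str, bool]:
    """Per container: True when a filtered SBOM exists (learning concluded).

    False means either learning is still in progress or the container was not
    restarted since relevancy was enabled; the listing alone cannot tell the two
    apart, which is why the N/A table on this page lists both resolutions.
    """
    done = containers_with_filtered_sbom(rows, namespace, kind, name)
    return {c: c in done for c in expected_containers}


if __name__ == "__main__":
    parsed = parse_show_labels(FILTERED_SBOM_LISTING)
    # Constructed expected container list; "grafana-init" has no filtered SBOM yet.
    expected = ["grafana", "grafana-sc-dashboard", "grafana-sc-datasources", "grafana-init"]
    for container, ok in learning_status(parsed, "prometheus", "Deployment",
                                         "kube-prometheus-stack-grafana", expected).items():
        print(f"{container:25s} {'filtered SBOM present' if ok else 'no filtered SBOM yet'}")
```

To run it against a live cluster, pipe the real listing in instead of the embedded sample, e.g. `kubectl get -n kubescape --show-labels SBOMSPDXv2p3Filtered | python3 script.py` with `sys.stdin.read()` replacing `FILTERED_SBOM_LISTING`; the parsing and status logic stay the same.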
Limitations
Linux kernel
The relevancy functionality is based on eBPF technology, which is implemented only in Linux kernels. Therefore, the feature works only on Linux distributions, and the Linux kernel version on the node must be >= 4.14.
Relevancy engine
The relevancy functionality is based on the Falco library. Falco downloads a kernel object matching the kernel version of the node, and a matching kernel object is not available for every kernel version.
Symlinks
The Falco library does not report the actual target file when a symlink is opened, meaning relevant files opened through a symlink may cause CVEs to appear as not relevant and result in a false positive.
Disabling the Relevancy feature
To disable the relevancy functionality, follow the instructions below:
- Installation of Kubescape in cluster
- In step 3 of the instructions linked above, replace the command there with the following command:
```
helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; helm upgrade --install kubescape kubescape/kubescape-relevancy -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.relevancy=disable --set account=<ACCOUNT_ID>
```
- Continue the installation instructions to completion
Removing in-cluster storage
To remove the in-cluster storage for relevancy, follow the instructions below:
- Installation of Kubescape in cluster
- In step 3 of the instructions linked above, replace the command there with the following command:
```
helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; helm upgrade --install kubescape kubescape/kubescape-relevancy -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.relevancy=disable --set storage.enabled=false --set account=<ACCOUNT_ID>
```
- Continue the installation instructions to completion