OSS Health Assessment

Learn how secure your open source software supply chain is

Our Open Source Software Health Assessment Report helps you understand the health of your open source software dependencies. The generated report will show:

Whether there are any misconfigurations in the open source software you use, which could lead to a security compromise
Whether you have critical security vulnerabilities stemming from open source software
Your compliance score according to major security frameworks such as MITRE, CIS, SOC2, NSA
To what extent the open source software you use can be replaced with Bitnami packages from VMware Tanzu Application Catalog
Recommendations to improve your open source software supply chain security posture and mitigate risks posed by misconfigurations and upstream vulnerabilities

Try the free Open Source Software Health Assessment Report today, and engage with our sales team to learn how the Bitnami and Tanzu Application Catalog team can help.

Get started

Starting from your Kubernetes resources, YAML files or public or private repositories, export your results to a .json file

Repo
Repo
Kubernetes
Kubernetes

docker run --rm -it -v /tmp:/output bitnami/kubescape:3.0.3 oss-assessment GIT_REPOSITORY -o /output/report.json

docker run --rm -it -v %USERPROFILE%:/output bitnami/kubescape:3.0.3 oss-assessment GIT_REPOSITORY -o /output/report.json

docker run --rm -it -v /tmp:/output -v $HOME/.kube:/.kube bitnami/kubescape:3.0.3 oss-assessment --kubeconfig /.kube/config --kube-context $(kubectl config current-context) -o /output/report.json

docker run --rm -it -v %USERPROFILE%:/output -v %USERPROFILE%/.kube:/.kube bitnami/kubescape:3.0.3 oss-assessment --kubeconfig /.kube/config --kube-context $(kubectl config current-context) -o /output/report.json

Refer to FAQ below for specific Kubernetes distributions or private repositories

Upload file and view report

Business Email

First Name

Last Name

Company

Business Phone

Title

By submitting this form I agree to receiving commercial messages about Broadcom products and services; and acknowledge that my use of Broadcom's website is subject to Broadcom's Terms of Use and that my personal data is processed according to Broadcom's Privacy Policy.

Any use of VMware Offerings is subject to the VMware General Terms.

Frequently Asked Questions

What information is captured?

We capture only your contact information and the Kubernetes resources, YAML files or container images you select to analyze. We adhere to a strict privacy policy and do not sell or share your personal information, as defined by the California Privacy Rights Act. You can read the details in the VMware Global Privacy Policy. Any use of VMware Offerings is subject to the VMware General Terms.

Which resources are analyzed?

Assessments can be performed from Kubernetes clusters, YAML repositories or Helm charts. If the assessment is done from Kubernetes clusters, a certain level of access to the cluster will be necessary. Users can restrict the scan to specific namespaces or resources if needed. Container image scans can be executed on public images stored in open repositories such as DockerHub or locally in private repositories.

What is the turnaround time to receive the assessment?

The report is generated real-time as soon as the completed form is submitted. This service is currently in BETA with continuous updates. If the report takes more than 15 minutes to appear, please notify us by sending an email to tac-info.pdl@broadcom.com.

What should I do if the generated report is empty?

An empty report may indicate a command failure. Please check the following:

Ensure you have Docker Desktop installed and it is up and running.
Confirm that your `json` file is not empty. If it is, consider checking for potential issues with the file or its contents.

Will security vulnerabilities for all the images present in my cluster or repository be detected?

No, only Tanzu Application Catalog-supported images will be scanned for vulnerabilities. If there are vulnerabilities in non-matching images, they won't be included in the report.

My Kubernetes cluster uses a specific distribution such as EKS, GKE, TKG. Can I still generate an assessment?

For this assessment to work, you’ll need a Kubeconfig configuration with no external dependencies. Some hyperscalers create default Kubeconfig files that depend on their specific CLIs binaries to work. To generate an agnostic Kubeconfig file, you’ll need to follow these steps:

Create a ServiceAccount (reference)
Create a Secret associated to the ServiceAccount (reference)
Create a ClusterRoleBinding associated to the ServiceAccount (reference)

With the previous steps completed, use the ca.crt and the token generated in the ServiceAccount to build your own kubeconfig file (example).

How do I scan images from private container repositories?

You'll need to mount the Docker config.json credentials file. For Linux,

docker run --rm -it -v /tmp:/output -v $HOME/.docker/config.json:/opt/bitnami/kubescape/.docker/config.json bitnami/kubescape:3.0.3 oss-assessment GIT_REPOSITORY -o /output/report.json

For Docker Desktop users on OS X, the config.json file can be generated:

echo "{\"auths\": {\"\": {}}}" > /tmp/config.json

docker login --config /tmp YOUR_REPOSITORY

docker run --rm -it -v /tmp:/output -v /tmp/config.json:/opt/bitnami/kubescape/.docker/config.json bitnami/kubescape:3.0.3 oss-assessment GIT_REPOSITORY -o /output/report.json