Sailing Securely Across the SDLC: Introducing Wiz's Image Trust and Kubernetes Audit Log Collector

Secure your applications across the SDLC by deploying only trusted images and monitoring your Kubernetes control plane in near-real time to detect potential threats.

4 minutes read

Containerized applications are the new norm for organizations of all sizes, driving innovation, agility, and scalability. Developer speed has accelerated dramatically, especially with the introduction of continuous integration and continuous deployment (CI/CD) pipelines and platforms like Kubernetes for managing applications at scale.   

However, there's a flip side to the coin. These applications are often highly ephemeral and rely on different technology stacks that can make them complex to understand and monitor. Securing these applications becomes a challenge, as it involves securing the entire software development lifecycle, from its code to its containerized image and execution. As stated in Wiz 2023 Kubernetes Security report, researchers showed that out of total exposed pods analyzed, 52% contain container images with known vulnerabilities. There's a gap between the security tools developers use and the security teams' overall visibility of environments. As a result, applications with vulnerabilities may reach the production environment, causing potential risks.  

That's why a legacy approach to security, with tools operating in silos, cannot address these issues. For example, monitoring only Kubernetes clusters doesn’t provide enough context on the cloud environment where the clusters operate. The same is true if we only look at what's happening in the pipeline without having information about the execution environment. Organizations need complete visibility and context to secure Kubernetes environments and reduce the risk of breaches.  

There is a growing need for innovative solutions that streamline security operations, improve visibility, and strengthen the security posture of containerized applications and Kubernetes deployments. Wiz already protects Kubernetes environments by combining our agentless first approach to detect multiple types of risks, combined with the runtime sensor to provide a defense-in-depth strategy in real time. And today, Wiz is proud to announce the extension of its coverage to protect containerized applications across their lifecycles. Customers can ensure that only trusted images are deployed in production and have near real-time visibility of events happening in the Kubernetes control plane to detect potential threats quickly. This makes securing end-to-end Kubernetes environments more straightforward, with a built-in defense so that developers can move forward more rapidly.  

From the left: Deploy only trusted images.

The best defense is prevention by only allowing trusted golden images that meet organizational security baselines to be deployed. Ensuring the trustworthiness of container images is essential for mitigating security risks. However, validating images from trusted sources and managing vulnerabilities can be complex and time-consuming. Our previous blog paved the way for a more secure supply chain by adding image integrity validation through our admission controller. However, this requires the maintenance of an existing Cosign or Notary infrastructure and their keys. 

This feature combines Wiz CLI and Wiz Admission Controller to enhance security across the SDLC: Wiz CLI scans images for vulnerabilities, sensitive data, and secrets, adhering to organizational policies, and the Wiz Admission Controller allows only those images validated in authorized CI/CD pipelines. This ensures the deployment of trusted, policy-compliant images with Wiz's native tooling without the need for third-party tools. It is reducing risks associated with deployments on Kubernetes clusters. 


In short, this enables customers to: 

  • Validated images come from authorized CI/CD pipelines without the need for additional third-party signing infrastructure. 

  • Ensure only images compliant with organizational policies are deployed in production clusters to prevent vulnerabilities, sensitive data, and secrets from being deployed to production. 

By automatically validating images and enforcing security policies, organizations can minimize the risk of deploying untrusted/malicious containers, thus enhancing the overall security posture of their Kubernetes environments and minimizing the friction of adding security to the software development pipeline. 

Up to the right: Detect threats in real-time.

Maintaining near real-time visibility of Kubernetes cluster activity is crucial to effectively detecting and mitigating security threats. However, operationalizing audit log collection across different cloud providers can prove challenging. Indeed, all CSPs provide different log formats, default configurations, streaming methodologies and have associated costs. It quickly becomes a headache. That's where the Kubernetes audit log collector comes in. Combined with Wiz CNAPP CDR's existing capabilities, It enables you to easily collect K8s control plane audit logs from any Kubernetes cluster, including EKS, AKS, GKE, or self-managed, and ingest them into Wiz CDR. This capability enables near-real-time visibility into your cluster control plane activity. It detects suspicious and malicious behavior by correlating audit logs with container and host-level activities through the Wiz Sensor and cloud control plane activities via cloud log collection. For example, Wiz will detect and alert you about anonymous access to your Kubernetes cluster followed by admin role creation and cryptomining-related activity.  

Of course, this is potentially malicious activity, and being able to detect it and provide complete information means you can act quickly and effectively to stop it. 

In short, this enables customers to: 

  • Have near real-time visibility of cluster control plane activity. 

  • Simplify operationalization with an agnostic approach. 

  • Detect K8s clusters threats in near real-time by correlating workload and cloud activity with the newly added K8s control plane monitoring. 

By providing comprehensive insights and context into cluster activities, the Kubernetes Audit Log Collector, coupled with Wiz CDR empowers organizations to monitor and secure their Kubernetes environments proactively. Swift detection and real-time response to security threats are imperative for mitigating potential business disruptions.  

Wiz is committed to helping customers secure their Kubernetes environments and containerized applications throughout the software development lifecycle. And these two new features only reinforce this approach. Want to get started with CI/CD scan validator and/or Kubernetes log collector? You'll find it in the Wiz documentation here and here. New to container security? Take a look at wiz for container security in the documentation and our Kubernetes Security for Dummies guide. Any questions or feedback? Your voice is important to us. Reach out, and our teams will be happy to assist you. 


Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management