
Securing Kubernetes Supply Chain with JFrog Integration

  • Author: DevOps Tec
  • December 4, 2025
  • 3 min read
Background: Supply Chain Challenges in the Era of K8s × DevSecOps

As enterprises adopt Kubernetes as the core of their container orchestration, integrating CI/CD pipelines with image registries has become standard practice. However, because developers pull in large numbers of open-source packages, container base images, Helm Charts, and IaC templates, supply chain risk has multiplied accordingly.


According to a JFrog Security Research report, over 90% of container images contain known CVE vulnerabilities, and more than 45% of those are openly exploitable. Implementing a DevSecOps process that integrates the JFrog platform with Kubernetes has therefore become a critical step in securing the software lifecycle.



Architecture Design: Security Integration of Kubernetes and JFrog

A typical architecture showcasing the integration of a Kubernetes Cluster with the JFrog Platform.

Component: Function Description

JFrog Artifactory: Private image registry for storing Base Images, Helm Charts, and Artifacts.

JFrog Xray: Automated vulnerability and License scanning; SBOM generation.

JFrog CLI / REST API: Invoked by the CI/CD Pipeline to perform scanning and policy verification.

Kubernetes Cluster: The runtime environment for deployment, verifying images via the Admission Controller.

OPA / Kyverno / Kubesec: Policy Enforcement layer to block the deployment of high-risk images.



Implementation Steps: From Scanning to Deployment Protection

Step 1: Establishing Trust Between JFrog and K8s

# Pull secret for the private Artifactory registry; reference it from a
# ServiceAccount's imagePullSecrets rather than from each Deployment.
kubectl create secret docker-registry artifactory-cred \
  --docker-server=artifactory.company.local \
  --docker-username=devops_bot \
  --docker-password=<API_TOKEN> \
  --docker-email=devops@example.com

ℹ️ TIP: Pair the Kubernetes Secret with a ServiceAccount (via imagePullSecrets) so that credentials are never written directly into the Deployment YAML.



Step 2: Integrating Xray Scanning into CI/CD

// Jenkins declarative pipeline stage. JFROG_USER / JFROG_TOKEN / JFROG_URL are
// expected to come from Jenkins credentials bindings, not from plain env vars.
stage('Security Scan') {
  steps {
    script {
      // Ask Xray to scan the freshly pushed image and capture the JSON reply.
      def scanResult = sh(
        script: """
          curl -u ${JFROG_USER}:${JFROG_TOKEN} -X POST \\
            -H "Content-Type: application/json" \\
            -d '{"repo_path":"docker-local/myapp:latest"}' \\
            https://${JFROG_URL}/xray/api/v1/scanArtifact
        """,
        returnStdout: true
      )
      echo "Scan Result: ${scanResult}"
    }
  }
}

⚠️ The scan result returns a JSON object, including vulnerability levels (Critical/High/Medium/Low) and License Types.



Step 3: Logical Connection – From CI Scanning to K8s Deployment


In Step 2, the CI/CD Pipeline called the Xray API and retrieved the scan result in JSON format. The next critical step is passing this result to Kubernetes.


The CI/CD Pipeline is responsible for parsing this JSON return value and dynamically injecting the image's security status (e.g., whether a "Critical" vulnerability exists) into the Kubernetes Deployment or Pod YAML file as metadata.annotations.


For example, if Step 2 detects a "Critical" vulnerability, the CI should add the following to the YAML:

metadata:
  annotations:
    jfrog.com/xray-score: "Critical"

This way, when the CI/CD process executes kubectl apply to submit this YAML, the Admission Controller configured in Step 4 can intercept the deployment request based on this annotation.
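The parsing-and-annotation work the CI pipeline does in this step, as an added example that is not from the original post (standard-library Python). The layout of the scan JSON is an assumption, since the page does not show the Xray response schema; the sample below is constructed with placeholder vulnerability IDs, and the manifest is handled as a dict (the CI job would load its YAML first).

```python
import json

# Severity ranking used to pick the worst finding; the names match the
# levels the post lists (Critical/High/Medium/Low).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
ANNOTATION_KEY = "jfrog.com/xray-score"

# Constructed sample scan result: the field layout is an assumption and
# the vulnerability IDs are placeholders, not real Xray identifiers.
SAMPLE_SCAN_RESULT = json.dumps({
    "vulnerabilities": [
        {"id": "XRAY-PLACEHOLDER-1", "severity": "High"},
        {"id": "XRAY-PLACEHOLDER-2", "severity": "Critical"},
        {"id": "XRAY-PLACEHOLDER-3", "severity": "medium"},
    ],
    "licenses": [{"name": "MIT"}],
})


def highest_severity(scan_json: str) -> str:
    """Return the worst severity in the scan result, or "Clean" if none."""
    worst, worst_rank = "Clean", 0
    for finding in json.loads(scan_json).get("vulnerabilities", []):
        level = str(finding.get("severity", "")).capitalize()
        if level not in SEVERITY_RANK:
            level = "Critical"  # fail closed on values the gate does not know
        if SEVERITY_RANK[level] > worst_rank:
            worst, worst_rank = level, SEVERITY_RANK[level]
    return worst


def annotate_manifest(manifest: dict, severity: str) -> dict:
    """Inject the score into metadata.annotations.

    Workload kinds (Deployment, StatefulSet, ...) also get it on the pod
    template, because a pod-level admission policy only sees the template.
    """
    targets = [manifest.setdefault("metadata", {})]
    template = manifest.get("spec", {}).get("template")
    if isinstance(template, dict):
        targets.append(template.setdefault("metadata", {}))
    for meta in targets:
        meta.setdefault("annotations", {})[ANNOTATION_KEY] = severity
    return manifest
```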



Step 4: Implementing Admission Controller to Block High-Risk Images


🔴 When an image is annotated with a Critical level vulnerability, Kubernetes will reject the deployment.
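The decision the admission gate makes in this step, written out as plain Python rather than as an OPA or Kyverno policy; this is an added example, not code from the post or from JFrog. It assumes a validating webhook receiving a standard admission.k8s.io/v1 AdmissionReview and checks the jfrog.com/xray-score annotation on the object and, for workloads, on its pod template. The AdmissionReview below is constructed.

```python
import json

ANNOTATION_KEY = "jfrog.com/xray-score"
BLOCKED_LEVELS = {"critical"}  # levels that must never reach the cluster

# Constructed AdmissionReview request, as a validating webhook would receive it.
SAMPLE_REVIEW = json.dumps({
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
        "object": {
            "metadata": {"name": "myapp",
                         "annotations": {ANNOTATION_KEY: "Critical"}},
            "spec": {"template": {"metadata": {}}},
        },
    },
})


def _annotation_values(obj: dict) -> list:
    """Collect the score annotation from the object and from its pod template."""
    values = []
    for meta in (obj.get("metadata", {}),
                 obj.get("spec", {}).get("template", {}).get("metadata", {})):
        value = meta.get("annotations", {}).get(ANNOTATION_KEY)
        if value is not None:
            values.append(str(value).strip().lower())
    return values


def review(admission_review_json: str) -> dict:
    """Build the AdmissionReview response: deny on a blocked level, else allow.

    Objects without the annotation are allowed here; a stricter site policy
    could require the annotation to be present (fail closed on unscanned images).
    """
    request = json.loads(admission_review_json)["request"]
    # DELETE requests carry no object; treat that as nothing to check.
    levels = _annotation_values(request.get("object") or {})
    blocked = [lvl for lvl in levels if lvl in BLOCKED_LEVELS]
    response = {"uid": request["uid"], "allowed": not blocked}
    if blocked:
        response["status"] = {
            "code": 403,
            "message": f"image rejected: {ANNOTATION_KEY} is {blocked[0]}",
        }
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview", "response": response}
```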



Advanced Application: SBOM and Continuous Monitoring

  1. Automated SBOM Generation


# Retrieve the SBOM that Xray generated for the scanned image.
curl -u ${JFROG_USER}:${JFROG_TOKEN} \
  -X GET "https://${JFROG_URL}/xray/api/v1/sbom/artifact?path=docker-local/myapp:latest"


  2. Real-Time Risk Monitoring


    JFrog Security monitors new CVE announcements and automatically updates the impact scope. When a vulnerability corresponds to an existing image or package, it automatically sends alerts to Slack or Jira.



Integration Benefits: From Passive Remediation to Active Prevention

Benefit: Description

Visibility: SBOM provides a panoramic view of the supply chain composition.

Compliance: Automated verification of License Policies.

Real-Time Protection: Admission Controller blocks threats instantly.

Risk Governance: Vulnerabilities are correlated with CVE databases and remediation suggestions.

Automation: Security gates throughout the entire pipeline with no human intervention required.



Future Outlook: AI-Driven DevSecOps Automated Remediation

With the emergence of JFrog Security AI and Atlassian Rovo Dev Agent, future DevSecOps will not only detect vulnerabilities but also automatically generate remediation suggestions and Pull Requests. Combined with the Kubernetes GitOps model and Policy-as-Code, enterprises will be able to achieve a Self-Healing security infrastructure.



Conclusion

Kubernetes brings immense scalability but also exposes the complexity and risks of the supply chain. By integrating JFrog Artifactory + Xray + K8s Security Policy, enterprises can not only strengthen image governance and vulnerability defense but also center their operations on DevSecOps to achieve Continuous Security from development to deployment.



Want to learn more about JFrog's information and features? The DevOps Tec professional consulting team welcomes you to contact us via email or phone!









