Available in: EE
Experimental version. The functionality may undergo significant changes. Compatibility with future versions is not guaranteed.
The module runs regular vulnerability scans of user images at runtime, checking them against known CVEs. It is based on the Trivy project and uses public vulnerability databases for scanning.
Scanning is performed every 24 hours in namespaces that carry the label security-scanning.deckhouse.io/enabled="".

If no namespace in the cluster has this label, the default namespace is scanned. As soon as a namespace with the label security-scanning.deckhouse.io/enabled="" appears in the cluster, scanning of the default namespace stops.

To re-enable scanning of the default namespace, set the label on it with the following command:

kubectl label namespace default security-scanning.deckhouse.io/enabled=""
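The namespace selection rule above, reproduced as an added shell example (not part of the Deckhouse module or its documentation) that an operator can use to predict which namespaces the next scan will cover. The "name<TAB>labels" input format and the namespace listings are constructed assumptions; against a real cluster the labelled namespaces come from kubectl, as noted in the comments.

```shell
#!/bin/sh
# Added example: applies the module's namespace selection rule to a listing of
# namespaces and their labels. Input lines have the constructed form
# "name<TAB>key1=value1,key2=value2" (an assumption, not a kubectl format).
# On a real cluster the labelled set can be listed directly with:
#   kubectl get namespaces -l security-scanning.deckhouse.io/enabled -o name

SCAN_LABEL="security-scanning.deckhouse.io/enabled"

# scanned_namespaces: reads "name<TAB>labels" lines on stdin and prints the
# namespaces the scan would cover. Rule from the docs: every namespace that
# carries the label (any value, including the empty string ""); if none does,
# only the default namespace.
scanned_namespaces() {
    labelled=$(awk -F '\t' -v key="$SCAN_LABEL" '
        {
            n = split($2, kv, ",")
            for (i = 1; i <= n; i++) {
                split(kv[i], pair, "=")          # pair[1] is the label key
                if (pair[1] == key) { print $1; break }
            }
        }')
    if [ -n "$labelled" ]; then
        printf '%s\n' "$labelled"
    else
        echo default
    fi
}

# Constructed listing 1: no namespace carries the label -> default is scanned.
CASE_NO_LABEL=$(printf 'default\tkubernetes.io/metadata.name=default\nkube-system\tkubernetes.io/metadata.name=kube-system\n')

# Constructed listing 2: "payments" carries the label with an empty value ->
# only "payments" is scanned and default drops out of the scan set.
CASE_LABELLED=$(printf 'default\tkubernetes.io/metadata.name=default\npayments\tkubernetes.io/metadata.name=payments,security-scanning.deckhouse.io/enabled=\n')

# Constructed listing 3: default itself re-labelled (the kubectl command above)
# -> both labelled namespaces are scanned.
CASE_DEFAULT_RELABELLED=$(printf 'default\tsecurity-scanning.deckhouse.io/enabled=,kubernetes.io/metadata.name=default\npayments\tsecurity-scanning.deckhouse.io/enabled=\n')

printf '%s\n' "$CASE_NO_LABEL" | scanned_namespaces           # prints: default
printf '%s\n' "$CASE_LABELLED" | scanned_namespaces           # prints: payments
printf '%s\n' "$CASE_DEFAULT_RELABELLED" | scanned_namespaces # prints: default, payments
```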