The module lifecycle stage: General Availability

Available in: EE

The module regularly scans the container images running in the cluster for known CVEs, including vulnerabilities tracked in the Astra Linux, RedOS, and ALT Linux databases. It is based on the Trivy project and uses the public vulnerability databases enriched with Astra Linux, ALT Linux, and RedOS data.

The module also performs cluster compliance analysis against the CIS Kubernetes Benchmark.

Main Features

  • Automatic CVE scanning of container images running in labeled namespaces every 24 hours.
  • CIS Kubernetes Benchmark compliance analysis stored in ClusterComplianceReport.
  • SBOM generation for all scanned container images (SbomReport).
  • Node host filesystem scanning for OS-level vulnerabilities (NodeVulnerabilityReport).
  • Exposed secrets detection in container images (ExposedSecretReport).
  • Metrics and Grafana dashboards for vulnerability and compliance results.

Scanning is performed in namespaces that contain the label security-scanning.deckhouse.io/enabled="". If there are no namespaces with this label in the cluster, the default namespace is scanned.

Once a namespace with the label security-scanning.deckhouse.io/enabled="" is detected in the cluster, scanning of the default namespace stops. To keep scanning the default namespace, label it explicitly with the following command:

d8 k label namespace default security-scanning.deckhouse.io/enabled=""

Conditions for starting scanning

Scanning starts:

  • automatically every 24 hours,
  • when components using new images are deployed in the namespaces for which scanning is enabled.

Where to view scan results

In Grafana:

  • Security/Trivy Image Vulnerability Overview — a summary of vulnerabilities found in container images and cluster resources.
  • Security/CIS Kubernetes Benchmark — results of cluster compliance with the CIS Kubernetes Benchmark.

In cluster resources: