# radix-vulnerability-scanner

`radix-vulnerability-scanner` scans Docker images defined in RadixDeployment CRDs for vulnerabilities and stores the results in a database. Scanning is triggered whenever RadixDeployment resources are created or updated, and on a schedule defined by a cron spec. Only images in active RadixDeployments are scanned. Once an image has been scanned, it is not rescanned until the age of the last scan exceeds a certain threshold (defaults to 24 hours).
`radix-vulnerability-scanner` is installed by Flux using Radix Flux. The Flux prerequisites are bootstrapped by the Terraform Vulnerability Scanner module (in each environment).
`radix-vulnerability-scanner` stores scan results in a SQL Server database. The database and schema are deployed using GitHub Actions.

The user configured for connecting to the SQL Server must be a member of the `radixwriter` database role and authenticates with a managed identity using the Azure `ActiveDirectoryDefault` profile.
- Run the Vulnerability Scanner Terraform module in each environment to set up Managed Identities.
- Take note of any changed CLIENT-IDs:
  - `radix-id-vulnerability-scan-admin-<ENV>` must be added in `./.github/workflows/build-push.yml` in this project
  - `radix-id-vulnerability-scan-github-<ENV>` must be added in `./.github/workflows/deploy-database.yml` in this project
  - `radix-id-vulnerability-scan-reader-<ENV>` must be added in the `radixconfig.yaml` file for each environment in https://github.com/equinor/radix-vulnerability-scanner-api
  - `radix-id-vulnerability-scan-writer-<ENV>` must be added in `VULNERABILITY_SCANNER_SQL_CLIENT_ID` in https://github.com/equinor/radix-flux/blob/master/clusters/development/postBuild.yaml
- Check #54 for special considerations when deploying roles and external users.
## Environment variables

| Name | Type | Required | Description |
|---|---|---|---|
| SNYK_TOKEN | string | Yes | A Snyk service account access token used to access the Snyk API when scanning images for vulnerabilities |
## Command line arguments

| Name | Type | Required | Description | Default |
|---|---|---|---|---|
| full-sync-cron-spec | string | No | Cron spec defining how often all images should be scheduled for scan | "0 0 * * *" |
| app-name-exclude-list | string list | No | Comma separated list of Radix application names to exclude from scanning | "" |
| workers | number | No | Number of concurrent workers used to scan images | 1 |
| db-server | string | Yes | Name/URL of the SQL Server where scan results are stored | "" |
| db-database | string | Yes | Name of the SQL Server database where scan results are stored | "" |
| vulnerability-scan-timeout | string | No | Context timeout for each image scan | "5m" |
| vulnerability-rescan-age | string | No | Minimum age of an image scan before a new scan is performed. An image is not scanned if the age of the last scan is less than this value | "24h" |
| docker-config-file | string | No | Path to a Docker config file with auths for accessing private image repositories | "" |
| kube-config-file | string | No | Path to the Kubernetes config file used for accessing the K8s API server. InClusterConfig is used if this file is omitted | "" |
Every command line argument can be specified as an environment variable by prefixing it with `RVS_`, capitalizing it, and replacing hyphens (`-`) with underscores (`_`), e.g. `full-sync-cron-spec` becomes `RVS_FULL_SYNC_CRON_SPEC`.
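As an added example (not code from the radix-vulnerability-scanner project), the following Go program shows the two rules described on this page: mapping a command line argument name to its `RVS_` environment variable, and the rescan-age rule from the introduction, under which an image is skipped while its last scan is younger than `vulnerability-rescan-age`. The flag-over-environment precedence, the function names `EnvNameForFlag`, `ResolveSetting` and `NeedsRescan`, and the sample image names are assumptions made for this example; the scanner's real implementation may differ.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"time"
)

// EnvNameForFlag maps a command line argument name to the environment
// variable that overrides it: prefix with RVS_, upper-case the name and
// replace hyphens with underscores (e.g. full-sync-cron-spec -> RVS_FULL_SYNC_CRON_SPEC).
func EnvNameForFlag(flagName string) string {
	return "RVS_" + strings.ToUpper(strings.ReplaceAll(flagName, "-", "_"))
}

// ResolveSetting returns the effective value of a setting. The precedence
// is an assumption of this example (the README does not state one): an
// explicitly set command line flag wins, then the RVS_ environment variable,
// then the documented default. lookupEnv is injected (os.LookupEnv in main)
// so the resolution can be exercised without touching the real environment.
func ResolveSetting(flagName, flagValue string, flagSet bool, defaultValue string,
	lookupEnv func(string) (string, bool)) string {
	if flagSet {
		return flagValue
	}
	if v, ok := lookupEnv(EnvNameForFlag(flagName)); ok && v != "" {
		return v
	}
	return defaultValue
}

// NeedsRescan implements the rescan-age rule: an image is skipped while the
// age of its last scan is less than rescanAge. An image that has never been
// scanned (zero lastScan) always needs a scan.
func NeedsRescan(lastScan, now time.Time, rescanAge time.Duration) bool {
	if lastScan.IsZero() {
		return true
	}
	return now.Sub(lastScan) >= rescanAge
}

func main() {
	// No flag given, so RVS_VULNERABILITY_RESCAN_AGE (if set) overrides the
	// documented default of "24h". The value is validated as a Go duration.
	raw := ResolveSetting("vulnerability-rescan-age", "", false, "24h", os.LookupEnv)
	rescanAge, err := time.ParseDuration(raw)
	if err != nil {
		fmt.Fprintf(os.Stderr, "invalid vulnerability-rescan-age %q: %v\n", raw, err)
		os.Exit(1)
	}

	// Constructed sample of last-scan timestamps for three hypothetical images.
	now := time.Now()
	lastScans := map[string]time.Time{
		"registry.example/app-a:1.0": now.Add(-2 * time.Hour),  // scanned recently
		"registry.example/app-b:1.0": now.Add(-36 * time.Hour), // older than 24h
		"registry.example/app-c:1.0": {},                       // never scanned
	}
	for image, last := range lastScans {
		fmt.Printf("%s rescan=%v\n", image, NeedsRescan(last, now, rescanAge))
	}
}
```

With the default of `24h`, `app-a` is skipped and the other two are queued; setting `RVS_VULNERABILITY_RESCAN_AGE=1h` before running would queue all three.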
You need Go (>=1.22) installed. Make sure `GOPATH` and `GOROOT` are properly set up. Clone the repo into your `GOPATH` and run `go mod download`.
Want to contribute? Read our contributing guidelines
We use gomock to generate the mocks used in unit tests. You need to regenerate the mocks if you change any of the interface types used by the application:

```
make mocks
```
Create a copy of `.env.template` and name it `.env`. Set the variables needed for local debugging. This file is ignored by git.
This is how we handle security issues