Integrate with vulnerability scanners

Configure connections with image scanners.

The StackRox Kubernetes Security Platform enriches deployments with image vulnerability information.

You can set up StackRox Kubernetes Security Platform to obtain image data from many open-source and commercial container image vulnerability scanners, including:

If you are using one of these products in your DevOps workflow, navigate to Platform Configuration > Integrations to configure a connection with the StackRox Kubernetes Security Platform.

StackRox Scanner

StackRox also provides an image vulnerability scanner, the StackRox Scanner. We recommend deploying Scanner so that all images, even those from public registries, can be scanned for vulnerabilities. Scanner is deployed in the same cluster where central services are deployed.

Scanner autoscaling

Beginning with the StackRox Kubernetes Security Platform version 3.0.39.0, StackRox Scanner uses the Horizontal Pod Autoscaler (HPA). The number of Scanner pods now automatically increases or decreases in response to CPU utilization. By default, the HPA is set to a minimum of 1 replica and a maximum of 5 replicas, so the number of pods changes over time. Scanner autoscaling is enabled by default when you upgrade to the StackRox Kubernetes Security Platform version 3.0.39.

If you want to opt out of Scanner autoscaling, run the following commands.

On Kubernetes:

kubectl -n stackrox delete hpa scanner
kubectl -n stackrox scale --replicas=1 deploy/scanner

On OpenShift:

oc -n stackrox delete hpa scanner
oc -n stackrox scale --replicas=1 deploy/scanner
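
To confirm that the opt-out took effect, the following added example (not part of the StackRox documentation or tooling) checks whether the scanner HPA still exists and, if it is gone, what replica count the deployment is pinned to. The function name and output format are assumptions; the namespace, HPA and deployment names are the ones used in the commands above.

```shell
#!/bin/sh
# Added example, not StackRox code. Reports whether Scanner autoscaling is
# still active after the opt-out commands. The function name and the
# output format are assumptions made for this example.

NS=stackrox   # namespace used by the commands on this page

# $1: CLI to use, kubectl (default) or oc.
# Returns 0 when the state is known, 2 when it could not be determined.
scanner_autoscaling_state() {
    cli="${1:-kubectl}"
    errfile=$(mktemp)

    # An existing HPA means autoscaling is on; print its replica bounds.
    if bounds=$("$cli" -n "$NS" get hpa scanner \
            -o jsonpath='{.spec.minReplicas} {.spec.maxReplicas}' 2>"$errfile"); then
        rm -f "$errfile"
        set -- $bounds
        echo "autoscaling=on min=$1 max=$2"
        return 0
    fi
    err=$(cat "$errfile")
    rm -f "$errfile"

    # Only a NotFound error proves the HPA was deleted. Anything else
    # (RBAC denial, unreachable API server) leaves the state unknown.
    case "$err" in
        *NotFound*) ;;
        *) echo "autoscaling=unknown error=$err"; return 2 ;;
    esac

    # HPA is gone: read the fixed replica count set on the deployment.
    if replicas=$("$cli" -n "$NS" get deploy/scanner \
            -o jsonpath='{.spec.replicas}' 2>/dev/null); then
        echo "autoscaling=off replicas=$replicas"
        return 0
    fi
    echo "autoscaling=off replicas=unknown"
    return 2
}

# Usage: scanner_autoscaling_state kubectl   (or: scanner_autoscaling_state oc)
```
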

Deploy StackRox Scanner

To deploy StackRox Scanner:

  1. Return to the terminal where you first deployed StackRox, and run the following command.

    On Kubernetes:

    kubectl create -R -f stackrox/scanner

    This command creates the Scanner service.

    On OpenShift:

    ./central-bundle/scanner/scripts/setup.sh

    This command runs the setup script to configure image registry access.

    After the script finishes, run the following command to create the scanner service:

    oc create -R -f central-bundle/scanner

StackRox Scanner automatically begins scanning images and updating the results in the Images view.

For StackRox Scanner to be able to download and scan an image, an Image Registry integration must be configured for the image’s registry.

© 2021 StackRox Inc. All rights reserved.