The StackRox Kubernetes Security Platform enriches deployments with image vulnerability information.
You can set up StackRox Kubernetes Security Platform to obtain image data from many open-source and commercial container image vulnerability scanners, including:
If you are using one of these products in your DevOps workflow, navigate to Platform Configuration > Integrations to configure a connection with the StackRox Kubernetes Security Platform.
StackRox also provides an image vulnerability scanner, the StackRox Scanner. We recommend deploying Scanner so that all images, even those from public registries, can be scanned for vulnerabilities. Scanner is deployed in the same cluster where central services are deployed.
Beginning with the StackRox Kubernetes Security Platform version 18.104.22.168, StackRox Scanner uses the Horizontal Pod Autoscaler (HPA). The number of Scanner pods now increases or decreases automatically in response to CPU utilization. The default setting for the HPA is a minimum of 1 replica and a maximum of 5 replicas, so the number of pods changes over time. The autoscaling feature of Scanner is enabled by default when you upgrade to the StackRox Kubernetes Security Platform version 3.0.39.
If you want to opt out of Scanner autoscaling, run the following commands:
kubectl -n stackrox delete hpa scanner
kubectl -n stackrox scale --replicas=1 deploy/scanner
oc -n stackrox delete hpa scanner
oc -n stackrox scale --replicas=1 deploy/scanner
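The opt-out above can be made repeatable and self-checking. The following shell functions are an added example, not part of the StackRox documentation or tooling: they run the same two commands and then confirm that the HPA is gone and the Deployment is pinned. The KUBECTL and NS variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent opt-out of Scanner autoscaling, with verification.
# KUBECTL is an assumption of this example; set KUBECTL=oc on OpenShift.
KUBECTL="${KUBECTL:-kubectl}"
NS="stackrox"

# Returns 0 if an HPA named "scanner" exists in the namespace.
scanner_hpa_exists() {
    "$KUBECTL" -n "$NS" get hpa scanner >/dev/null 2>&1
}

# Prints the replica count requested in the Deployment spec.
scanner_replicas() {
    "$KUBECTL" -n "$NS" get deploy/scanner -o jsonpath='{.spec.replicas}'
}

# Deletes the HPA (no error if it is already gone), pins the Deployment
# to the requested replica count (default 1), then verifies both.
# Exit codes: 1 = command failed, 2 = HPA still present, 3 = replica mismatch.
scanner_disable_autoscaling() {
    want="${1:-1}"
    "$KUBECTL" -n "$NS" delete hpa scanner --ignore-not-found || return 1
    "$KUBECTL" -n "$NS" scale --replicas="$want" deploy/scanner || return 1
    if scanner_hpa_exists; then
        # Something re-created the HPA; it would override the manual scale.
        echo "HPA scanner still present in $NS" >&2
        return 2
    fi
    got="$(scanner_replicas)" || return 1
    if [ "$got" != "$want" ]; then
        echo "deploy/scanner has $got replicas, expected $want" >&2
        return 3
    fi
    echo "autoscaling disabled; deploy/scanner pinned at $got replica(s)"
}
```

Source the file and call scanner_disable_autoscaling; a non-zero exit code tells you which check failed.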
To deploy StackRox Scanner:
Return to the terminal where you first deployed StackRox, and run the following command:
kubectl create -R -f stackrox/scanner
This command creates the Scanner service.
This command runs the setup script to configure image registry access.
After the script finishes, run the following command to create the Scanner service:
oc create -R -f central-bundle/scanner
StackRox Scanner automatically begins scanning images and updating the results in the Images view.
For StackRox Scanner to be able to download and scan an image, an Image Registry integration must be configured for the image's registry.