Search

Learn how to find information you need across your environment.

The ability to instantly find resources is important to safeguard your cluster. Use the StackRox Kubernetes Security Platform search feature to find relevant and valuable resources faster. For example, you can use it to find deployments that are exposed to a newly published CVE or find all deployments that have external network exposure.

See the common search queries section to find some helpful search queries you can run on the StackRox Kubernetes Security Platform.

Search syntax

A search query is made up of two parts:

  • an attribute that identifies the resource type you are after, and
  • a search term that finds the matching resource.

For example, to find all violations in the visa-processor deployment, use the search query Deployment:visa-processor. In this query, Deployment is the attribute and visa-processor is the search term.

You must select an attribute before you can use search terms. However, in some views, such as the Risk view and the Violations view, the StackRox Kubernetes Security Platform automatically applies the relevant attribute based on the search term you enter.

  • You can use multiple attributes in your query. When you use more than one attribute, the results only include the items that match all attributes.

    Example
    When you search for Namespace:frontend CVE:CVE-2018-11776, it returns only those resources which violate CVE-2018-11776 in the frontend namespace.
  • You can use more than one search term with each attribute. When you use more than one search term, the results include all items that match any of the search terms.

    Example
    If you use the search query Namespace: frontend backend, it returns matching results from the namespace frontend or backend.
  • You can combine multiple attribute and search term pairs.

    Example
    The search query Cluster:production Namespace:frontend CVE:CVE-2018-11776 returns all resources which violate CVE-2018-11776 in the frontend namespace in the production cluster.
  • Search terms can be part of a word, in which case the StackRox Kubernetes Security Platform returns all matching results.

    Example
    If you search for Deployment:def, the results include all deployments starting with def.
  • To explicitly search for a specific term, use the search terms inside quotes.

    Example
    When you search for Deployment:"def", the results only include the deployment def.
  • You can also use regular expressions by using r/ before your search term.

    Example
    When you search for Namespace:r/st.*x, the results include matches from namespace stackrox and stix.
  • Use ! to indicate the search terms that you don’t want in results.

    Example
    If you search for Namespace:!stackrox, the results include matches from all namespaces except the stackrox namespace.
  • Use the comparison operators >, <, =, >=, or <= to match a specific value or range of values.

    Example
    If you search for CVSS:>=6, the results include all vulnerabilities with Common Vulnerability Scoring System (CVSS) score 6 or higher.
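
The matching rules in the list above, modeled as an added Python example (not StackRox code and not part of the original page). The sample inventory is constructed, and two behaviors are assumptions: regular expressions are anchored to the whole value, and the parser is given the attribute names in advance.

```python
import operator
import re

# Constructed sample inventory; keys reuse attribute names from this page.
DEPLOYMENTS = [
    {"Deployment": "def", "Namespace": "frontend", "CVSS": 7.5, "Privileged": "true"},
    {"Deployment": "default-api", "Namespace": "backend", "CVSS": 5.0, "Privileged": "false"},
    {"Deployment": "visa-processor", "Namespace": "stackrox", "CVSS": 9.8, "Privileged": "false"},
    {"Deployment": "feed", "Namespace": "stix", "CVSS": 3.1, "Privileged": "true"},
]
COMPARE = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
           "<": operator.lt, "=": operator.eq}


def term_matches(term, value):
    """Apply one search term to one attribute value."""
    if term.startswith("!"):                      # negation
        return not term_matches(term[1:], value)
    if term.startswith("r/"):                     # regular expression
        # Assumption: the pattern must cover the whole value.
        return re.fullmatch(term[2:], str(value)) is not None
    if len(term) >= 2 and term[0] == term[-1] == '"':   # quoted: exact match
        return str(value) == term[1:-1]
    cmp = re.fullmatch(r"(>=|<=|>|<|=)(\d+(?:\.\d+)?)", term)
    if cmp:                                       # numeric comparison
        return COMPARE[cmp.group(1)](float(value), float(cmp.group(2)))
    return str(value).startswith(term)            # bare term: prefix match


def parse(query, attributes):
    """Split 'Attr:term term Attr2:term' into {attribute: [terms]}."""
    # Longest names first so multi-word attributes win over their prefixes.
    names = "|".join(re.escape(a) for a in sorted(attributes, key=len, reverse=True))
    parts = re.split(rf"(?:^|\s)({names}):", query)
    return {a: terms.split() for a, terms in zip(parts[1::2], parts[2::2])}


def search(query, records=DEPLOYMENTS):
    """Names of records matching every attribute (AND) on any of its terms (OR)."""
    wanted = parse(query, records[0].keys())
    return [r["Deployment"] for r in records
            if all(any(term_matches(t, r[a]) for t in terms)
                   for a, terms in wanted.items())]
```

Running search("CVSS:>=6 Privileged:false") against the sample data returns only visa-processor, because both attribute conditions must hold.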

Autocomplete

As you enter your query, the StackRox Kubernetes Security Platform automatically displays relevant suggestions for the attributes and the search terms.

There are multiple ways to search and refine the search throughout the StackRox Kubernetes Security Platform.

By using global search you can search across all resources in your environment. Based on the resource type you use in your search query, the results are grouped in the following categories:

  • All (Lists matching results across all categories.)
  • Violations
  • Policies
  • Deployments
  • Images
  • Secrets

These categories are listed as a table on the StackRox portal global search page and you can click on the category name to identify results belonging to the selected category.

From any page on the StackRox portal, select Search on the top right side to do a global search.

Use local page filtering

You can use local page filtering from within all views in the StackRox portal. Local page filtering works similarly to the global search, but only relevant attributes are available. You can select the search bar to show all available attributes for a specific view.

Common search queries

Here are some common search queries you can run with the StackRox Kubernetes Security Platform.

Find deployments that are affected by a specific CVE

| Query | Example |
| --- | --- |
| CVE:<CVE-number> | CVE:CVE-2018-11776 |

Find privileged running deployments

| Query | Example |
| --- | --- |
| Privileged:<true-or-false> | Privileged:true |

Find deployments that have external network exposure

| Query | Example |
| --- | --- |
| Exposure Level:<level> | Exposure Level:External |

Find deployments that are running specific processes

| Query | Example |
| --- | --- |
| Process Name:<process-name> | Process Name:bash |

Find deployments that have serious but fixable vulnerabilities

| Query | Example |
| --- | --- |
| CVSS: | CVSS:>=6 Fixable:.* |

Find deployments that are using passwords exposed through environment variables

| Query | Example |
| --- | --- |
| Environment Key:<query> | Environment Key:r/.*pass.* |

Find running deployments that have particular software components in them

| Query | Example |
| --- | --- |
| Component:<component-name> | Component:libgpg-error or Component:sudo |

Find users or groups

Use Kubernetes Labels and Selectors, and Annotations to attach metadata to your deployments. You can then query based on the applied annotations and labels to identify individuals or groups.

Find who owns a particular deployment

| Query | Example |
| --- | --- |
| Deployment:<deployment-name> Label:<key-value> or Deployment:<deployment-name> Annotation:<key-value> | Deployment:app-server Label:team=backend |

Find who is deploying images from public registries

| Query | Example |
| --- | --- |
| Image Registry:<registry-name> Label:<key-value> or Image Registry:<registry-name> Annotation:<key-value> | Image Registry:docker.io Label:team=backend |

Find who is deploying into the default namespace

| Query | Example |
| --- | --- |
| Namespace:default Label:<key-value> or Namespace:default Annotation:<key-value> | Namespace:default Label:team=backend |

Search attributes

| Attribute | Description |
| --- | --- |
| Add Capabilities | Provides the container with additional Linux capabilities, for instance the ability to modify files or perform network operations. |
| Annotation | Arbitrary non-identifying metadata attached to an orchestrator object. |
| CPU Cores Limit | Maximum number of cores that a resource is allowed to use. |
| CPU Cores Request | Minimum number of cores to be reserved for a given resource. |
| CVE | Common Vulnerabilities and Exposures, use it with specific CVE numbers. |
| CVSS | Common Vulnerability Scoring System, use it with the CVSS score and greater than ( > ), less than ( < ), or equal to ( = ) symbols. |
| Category | Policy categories include DevOps Best Practices, Security Best Practices, Privileges, Vulnerability Management, Multiple, and any custom policy categories that you create. |
| Cert Expiration | Certificate expiration date. |
| Cluster | Name of a Kubernetes or OpenShift cluster. |
| Cluster ID | Unique ID for a Kubernetes or OpenShift cluster. |
| Cluster Role | Use true to search for cluster-wide roles and false for namespace-scoped roles. |
| Component | Software (daemond, docker), objects (images, containers, services), registries (repository for Docker images). |
| Component Count | Number of components in the image. |
| Component version | Version number of software, objects, or registries. |
| Created Time | Time and date when the secret object was created. |
| Deployment | Name of the deployment. |
| Deployment Type | The type of Kubernetes controller on which the deployment is based. |
| Description | Description of the deployment. |
| Dockerfile Instruction Keyword | Keyword in the Dockerfile instructions in an image. |
| Dockerfile Instruction Value | Value in the Dockerfile instructions in an image. |
| Drop Capabilities | Linux capabilities that have been dropped from the container. For example CAP_SETUID or CAP_NET_RAW. |
| Enforcement | Type of enforcement assigned to the deployment. For example, None, Scale to Zero Replicas, or Add an Unsatisfiable Node Constraint. |
| Environment Key | Key portion of a label key-value string that’s metadata for further identifying and organizing the environment of a container. |
| Environment Value | Value portion of a label key-value string that’s metadata for further identifying and organizing the environment of a container. |
| Exposed Node Port | Port number of the exposed node port. |
| Exposing Service | Name of the exposed service. |
| Exposing Service Port | Port number of the exposed service. |
| Exposure Level | The type of exposure for a deployment port, for example external or node. |
| External Hostname | The hostname for an external port exposure for a deployment. |
| External IP | The IP address for an external port exposure for a deployment. |
| Fixable CVE Count | Number of fixable CVEs on an image. |
| Fixed By | The version string of a package that fixes a flagged vulnerability in an image. |
| Image | The name of the image. |
| Image Command | The command specified in the image. |
| Image Created Time | The time and date when the image was created. |
| Image Entrypoint | The entrypoint command specified in the image. |
| Image Pull Secret | The name of the secret to use when pulling the image, as specified in the deployment. |
| Image Pull Secret Registry | The name of the registry for an image pull secret. |
| Image Registry | The name of the image registry. |
| Image Remote | Indication of an image that’s remotely accessible. |
| Image Scan Time | The time and date when the image was last scanned. |
| Image Tag | Identifier for an image. |
| Image Users | Name of the user or group that a container image is configured to use when it runs. |
| Image Volumes | Names of the configured volumes in the container image. |
| Inactive Deployment | Use true to search for inactive deployments and false for active deployments. |
| Label | The key portion of a label key-value string that’s metadata for further identifying and organizing images, containers, daemons, volumes, networks, and other resources. |
| Lifecycle Stage | The type of lifecycle stage where this policy is configured or alert was triggered. |
| Max Exposure Level | For a deployment, the maximum level of network exposure for all given ports/services. |
| Memory Limit (MB) | Maximum amount of memory that a resource is allowed to use. |
| Memory Request (MB) | Minimum amount of memory to be reserved for a given resource. |
| Namespace | The name of the namespace. |
| Namespace ID | Unique ID for the containing namespace object on a deployment. |
| Node | Name of a node. |
| Node ID | Unique ID for a node. |
| Pod Label | Single piece of identifying metadata attached to an individual pod. |
| Policy | The name of the security policy. |
| Port | Port numbers exposed by a deployment. |
| Port Protocol | IP protocol such as TCP or UDP used by exposed port. |
| Priority | Risk priority for a deployment. (Only available in Risks view.) |
| Privileged | Use true to search for privileged running deployments, or false otherwise. |
| Process Ancestor | Name of any parent process for a process indicator in a deployment. |
| Process Arguments | Command arguments for a process indicator in a deployment. |
| Process Name | Name of the process for a process indicator in a deployment. |
| Process Path | Path to the binary in the container for a process indicator in a deployment. |
| Process UID | Unix user ID for the process indicator in a deployment. |
| Read Only Root Filesystem | Use true to search for containers running with the root filesystem configured as read only. |
| Role | Name of a Kubernetes RBAC role. |
| Role Binding | Name of a Kubernetes RBAC role binding. |
| Role ID | Role ID to which a Kubernetes RBAC role binding is bound. |
| Secret | Name of the secret object that holds the sensitive information. |
| Secret Path | Path to the secret object in the file system. |
| Secret Type | Type of the secret, for example, certificate or RSA public key. |
| Service Account | Service account name for a service account or deployment. |
| Severity | Indication of level of importance of a violation: Critical, High, Medium, Low. |
| Subject | Name for a subject in Kubernetes RBAC. |
| Subject Kind | Type of subject in Kubernetes RBAC, such as SERVICE_ACCOUNT, USER or GROUP. |
| Taint Effect | Type of taint currently applied to a node. |
| Taint Key | Key for a taint currently applied to a node. |
| Taint Value | Allowed value for a taint currently applied to a node. |
| Toleration Key | Key for a toleration applied to a deployment. |
| Toleration Value | Value for a toleration applied to a deployment. |
| Violation | A notification displayed in the Violations page when the conditions specified by a policy haven’t been met. |
| Violation State | Use it to search for “resolved” violations. |
| Violation Time | Time and date that a violation first occurred. |
| Volume Destination | Mount path of the data volume. |
| Volume Name | Name of the storage. |
| Volume ReadOnly | Use true to search for volumes that are mounted as read only. |
| Volume Source | Indicates the form in which the volume is provisioned (for example, persistentVolumeClaim or hostPath). |
| Volume Type | The type of volume. |

© 2021 StackRox Inc. All rights reserved.