This is unreleased documentation for SBOM Scanner 0.12.0-dev.
# API Reference

## sbomscanner.kubewarden.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the SBOMscanner v1alpha1 API group.
### MatchCondition

MatchCondition defines a CEL expression to filter image tags.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name is an identifier for this match condition, used for strategic merging of MatchConditions, | | |
| | Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. | | |
| | Labels are key-value pairs that can be used to organize and categorize match conditions. | | |
### MatchOperator

Underlying type: string

MatchOperator defines how multiple match conditions are combined.

- Enum: [And Or]
### NodeScanConfiguration

NodeScanConfiguration is the Schema for the nodescanconfigurations API. This is a singleton resource - only one instance named "default" is allowed.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### NodeScanConfigurationList

NodeScanConfigurationList contains a list of NodeScanConfiguration.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### NodeScanConfigurationSpec

NodeScanConfigurationSpec defines the desired configuration for node scanning.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Enabled controls whether node scanning is active. | true | |
| | NodeSelector filters which nodes are scanned. | | Optional: {} |
| | ScanInterval is the interval at which nodes are scanned. | | Optional: {} |
| | SkipPatterns specifies gitignore-style patterns for directories and files to skip during node scanning. If unset, container-runtime state is skipped by default: | [/var/lib/containerd/ /var/lib/docker/ /var/lib/rancher/k3s/agent/containerd/ /var/lib/rancher/rke2/agent/containerd/ /var/lib/containers/ /run/containerd/ /run/k3s/containerd/] | Optional: {} |
| | Platforms allows specifying the list of platforms to scan. | | Optional: {} |
### NodeScanJob

NodeScanJob is the Schema for the nodescanjobs API.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### NodeScanJobList

NodeScanJobList contains a list of NodeScanJob.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### NodeScanJobSpec

NodeScanJobSpec defines the desired state of NodeScanJob.

| Field | Description | Default | Validation |
|---|---|---|---|
| | NodeName specifies the name of the node to be scanned. | | |
### NodeScanJobStatus

NodeScanJobStatus defines the observed state of NodeScanJob.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Conditions represent the latest available observations of ScanJob state | | Optional: {} |
| | StartTime is when the job started processing. | | Optional: {} |
| | CompletionTime is when the job completed or failed. | | Optional: {} |
### Platform

Platform describes the platform which the image in the manifest runs on.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Architecture field specifies the CPU architecture, for example | | |
| | OS specifies the operating system, for example | | |
| | Variant is an optional field specifying a variant of the CPU, for | | |
### Registry

Registry is the Schema for the registries API

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### RegistryList

RegistryList contains a list of Registry

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### RegistrySpec

RegistrySpec defines the desired state of Registry

| Field | Description | Default | Validation |
|---|---|---|---|
| | URI is the URI of the container registry | | |
| | CatalogType is the type of catalog used to list the images within the registry. | | |
| | Repositories is the list of the repositories to be scanned | | |
| | AuthSecret is the name of the secret in the same namespace that contains the credentials to access the registry. | | |
| | ScanInterval is the interval at which the registry is scanned. | | |
| | CABundle is the CA bundle to use when connecting to the registry. | | |
| | Insecure allows insecure connections to the registry when set to true. | | |
| | Platforms allows specifying the list of platforms to scan. | | |
### RegistryStatus

RegistryStatus defines the observed state of Registry
### Repository

Repository specifies an OCI repository and which image tags to scan.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name is the repository name. | | |
| | MatchConditions filters image tags using CEL expressions. | | |
| | MatchOperator specifies how this condition is combined with other conditions. | And | Enum: [And Or] |
### ScanJob

ScanJob is the Schema for the scanjobs API.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### ScanJobList

ScanJobList contains a list of ScanJob.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### ScanJobRepository

ScanJobRepository selects a Registry repository (and optionally a subset of its match conditions) for a targeted ScanJob.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name is the name of a repository declared on the Registry. | | Required: {} |
| | MatchConditions optionally narrows the scan to a subset of the MatchConditions declared on the targeted repository. | | Optional: {} |
### ScanJobSpec

ScanJobSpec defines the desired state of ScanJob.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Registry is the registry in the same namespace to scan. | | Required: {} |
| | Repositories optionally narrows the scan to a subset of the repositories configured on the targeted Registry. | | Optional: {} |
### ScanJobStatus

ScanJobStatus defines the observed state of ScanJob.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Conditions represent the latest available observations of ScanJob state | | Optional: {} |
| | ImagesCount is the number of images in the registry. | | |
| | ScannedImagesCount is the number of images that have been scanned. | | |
| | StartTime is when the job started processing. | | Optional: {} |
| | CompletionTime is when the job completed or failed. | | Optional: {} |
### VEXHub

VEXHub is the Schema for the vexhubs API

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | Optional: {} |
| | spec defines the desired state of VEXHub | | Required: {} |
| | status defines the observed state of VEXHub | | Optional: {} |
### VEXHubList

VEXHubList contains a list of VEXHub

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### VEXHubSpec

VEXHubSpec defines the desired state of VEXHub

| Field | Description | Default | Validation |
|---|---|---|---|
| | URL is the URL of the VEXHub repository | | |
| | Enabled tells if the VEX Hub is enabled for processing | | |
### WorkloadScanConfiguration

WorkloadScanConfiguration is the Schema for the workloadscanconfigurations API. This is a singleton resource - only one instance named "default" is allowed.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### WorkloadScanConfigurationList

WorkloadScanConfigurationList contains a list of WorkloadScanConfiguration.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
### WorkloadScanConfigurationSpec

WorkloadScanConfigurationSpec defines the desired configuration for workload scanning.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Enabled controls whether workload scanning is active. | true | |
| | NamespaceSelector filters which namespaces are scanned for workloads. | | Optional: {} |
| | ArtifactsNamespace is the namespace where scan artifacts (Registry, ScanJob, SBOM, VulnerabilityReport) are created. | | Optional: {} |
| | ScanInterval is the interval at which discovered registries are scanned. | | Optional: {} |
| | ScanOnChange triggers a scan when a managed Registry resource is created or updated. | true | Optional: {} |
| | AuthSecret is the name of a secret in the installation namespace containing credentials to access registries. | | Optional: {} |
| | CABundle is the CA bundle to use when connecting to registries. | | Optional: {} |
| | Insecure allows insecure connections to registries when set to true. | | Optional: {} |
| | Platforms specifies which platforms to scan for container images. | | Optional: {} |
## storage.sbomscanner.kubewarden.io/v1alpha1

Package v1alpha1 contains the storage v1alpha1 types for SBOMscanner.
### CVSS

CVSS holds Common Vulnerability Scoring System data for a vulnerability.

| Field | Description | Default | Validation |
|---|---|---|---|
| | V3Vector string (e.g., "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") | | |
| | V3Score numerical score | | |
### ContainerRef

ContainerRef identifies a container and its image reference for vulnerability lookup.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name is the name of the container. | | |
| | ImageRef identifies which VulnerabilityReports to associate with this container. | | |
### ContainerResult

ContainerResult contains the vulnerability scan results for a single container.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name is the name of the container (matches ContainerRef.Name). | | |
| | VulnerabilityReports contains the vulnerability reports for this container’s image. | | Optional: {} |
### ContainerStatus

ContainerStatus contains the scan status for a single container.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name is the name of the container (matches ContainerRef.Name). | | |
| | ScanStatus indicates the scan status for this container. | | |
### Image

Image is the Schema for the images API

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
| | Metadata of the image | | |
| | List of the layers that make the image | | |
| | Status of the image | | |
### ImageLayer

ImageLayer defines a layer that is part of an OCI Image

| Field | Description | Default | Validation |
|---|---|---|---|
| | command is the command that led to the creation | | |
| | digest is the Hash of the compressed layer | | |
| | diffID is the Hash of the uncompressed layer | | |
### ImageMetadata

ImageMetadata contains the metadata details of an image.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Registry specifies the name of the Registry object in the same namespace where the image is stored. | | |
| | RegistryURI specifies the URI of the registry where the image is stored. Example: "registry-1.docker.io:5000". | | |
| | Repository specifies the repository path of the image. Example: "kubewarden/sbomscanner". | | |
| | Tag specifies the tag of the image. Example: "latest". | | |
| | Platform specifies the platform of the image. Example "linux/amd64". | | |
| | Digest specifies the image manifest digest. | | |
| | IndexDigest specifies the image index digest that referenced this manifest. Set only for multi-arch images. | | |
### ImageRef

ImageRef identifies a set of VulnerabilityReports by image reference.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Registry is the name of the Registry custom resource. | | |
| | Namespace is the namespace where the VulnerabilityReports are stored. | | |
| | Repository is the repository path of the image. | | |
| | Tag is the tag of the image. | | |
### ImageStatus

ImageStatus contains the observed state of the Image

| Field | Description | Default | Validation |
|---|---|---|---|
| | WorkloadScanReports is the list of workloads referencing this image | | |
### ImageWorkloadScanReports

ImageWorkloadScanReports identifies a workload that references this image

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name of the WorkloadScanReport | | |
| | Namespace of the WorkloadScanReport | | |
### NodeMetadata

NodeMetadata contains the metadata details of a node.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name specifies the name of the node. | | |
| | Platform specifies the platform of the image. Example "linux/amd64". | | |
### NodeSBOM

NodeSBOM represents a Software Bill of Materials of a node

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
| | SPDX contains the SPDX document of the SBOM in JSON format | | |
### NodeVulnerabilityReport

NodeVulnerabilityReport is the Schema for the scanresults API

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
| | NodeMetadata contains info about the scanned node | | |
| | Report is the actual vulnerability scan report | | |
### Report

Report contains metadata about the scanned image and a list of vulnerability results.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Summary of vulnerabilities found | | |
| | Results per target (e.g., layer, package type) | | |
### Result

Result represents scan findings for a specific target and class of packages

| Field | Description | Default | Validation |
|---|---|---|---|
| | Target is the specific target scanned | | |
| | Class is the classification of the target | | |
| | Type is the language type | | |
| | Vulnerabilities found in this target | | |
### SBOM

SBOM represents a Software Bill of Materials of an OCI artifact

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
| | SPDX contains the SPDX document of the SBOM in JSON format | | |
### ScanStatus

Underlying type: string

ScanStatus represents the status of a container’s vulnerability scan.
### Summary

Summary provides a high-level overview of the vulnerabilities found.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Critical vulnerabilities count | | |
| | High vulnerabilities count | | |
| | Medium vulnerabilities count | | |
| | Low vulnerabilities count | | |
| | Unknown vulnerabilities count | | |
| | Suppressed vulnerabilities count | | |
### VEXStatus

VEXStatus represents the status of a vulnerability as declared in a VEX document

| Field | Description | Default | Validation |
|---|---|---|---|
| | Repository providing the VEX document | | |
| | VEX status (e.g., "not_affected", "fixed", "under_investigation") | | |
| | Statement is the optional explanatory statement from the VEX document | | |
### Vulnerability

Vulnerability contains detailed information about a single vulnerability found in a package

| Field | Description | Default | Validation |
|---|---|---|---|
| | CVE identifier | | |
| | Title is the title of the vulnerability | | |
| | PackageName is the name of the vulnerable package | | |
| | PackagePath is the path where the package was found | | |
| | PURL (Package URL) identifies the package uniquely | | |
| | InstalledVersion of the package that was found | | |
| | FixedVersions is the list of versions where the vulnerability is fixed | | |
| | DiffID of the image layer where the vulnerability was introduced | | |
| | Description of the vulnerability | | |
| | Severity rating (e.g., "HIGH", "MEDIUM") | | |
| | SeveritySource identifies the vendor that produced the Severity | | |
| | References contains URLs for more information | | |
| | CVSS scoring details | | |
| | CWEs with which the CVE is classified | | |
| | Suppressed identifies when vulnerability has | | |
| | VEXStatus information | | |
### VulnerabilityReport

VulnerabilityReport is the Schema for the scanresults API

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
| | ImageMetadata contains info about the scanned image | | |
| | Report is the actual vulnerability scan report | | |
### WorkloadScanReport

WorkloadScanReport represents the vulnerability scan results for a workload’s containers.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Refer to Kubernetes API documentation for fields of | | |
| | Spec contains the workload container references, written by the reconciler. | | |
| | Status contains the scan status for each container. | | Optional: {} |
| | Summary provides aggregated vulnerability counts across all containers. | | Optional: {} |
| | Containers contains the vulnerability reports for each container. | | Optional: {} |
### WorkloadScanReportSpec

WorkloadScanReportSpec defines the containers to scan.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Containers contains the list of containers in the workload with their image references. | | |
### WorkloadScanReportStatus

WorkloadScanReportStatus contains the observed scan state for the workload.

| Field | Description | Default | Validation |
|---|---|---|---|
| | ContainerStatuses contains the scan status for each container. | | Optional: {} |
### WorkloadScanVulnerabilityReport

WorkloadScanVulnerabilityReport contains vulnerability report data for a specific platform.

| Field | Description | Default | Validation |
|---|---|---|---|
| | Name is the name of the VulnerabilityReport. | | |
| | Namespace is the namespace where the VulnerabilityReport is stored. | | |
| | ImageMetadata contains the VulnerabilityReport’s image metadata. | | |
| | Report is the actual vulnerability scan report. | | |