SUSE Security Vulnerability Scanner Quick Start

Welcome to the SUSE Security Vulnerability Scanner Quick Start!

This guide will walk you through the following steps:

  • Deploying the SUSE Security Vulnerability Scanner stack in a Kubernetes cluster

  • Running an automated image scan using a Registry custom resource


Requirements

Before deployment, you need to prepare the following:

  • A Kubernetes cluster (you can simply run a kind cluster)

  • A default Storage Class defined inside of the cluster

  • helm installed locally

  • kubectl installed locally

  • cert-manager installed in the cluster

  • CloudNativePG installed in the cluster

Install cert-manager

To install cert-manager, you can run the following commands:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true \
  --wait

For more information on configuring cert-manager, please visit the cert-manager documentation.


Install CloudNativePG

To install CloudNativePG, you can run the following commands:

helm repo add cnpg https://cloudnative-pg.github.io/charts
helm repo update
helm install cnpg \
  --namespace cnpg-system \
  --create-namespace \
  --wait \
  cnpg/cloudnative-pg

To customize the CloudNativePG installation, refer to Using CloudNativePG (Recommended) in the Helm values documentation. You can also bring your own PostgreSQL instance instead of using CloudNativePG. See Using an External PostgreSQL Instance for configuration details.

Deploy SUSE Security Vulnerability Scanner

Follow these simple steps from your local machine to get SUSE Security Vulnerability Scanner up and running:

Install the Helm chart

helm repo add kubewarden https://charts.kubewarden.io
helm repo update
helm install sbomscanner kubewarden/sbomscanner \
  --namespace sbomscanner \
  --create-namespace \
  --wait

By default, the installation of SUSE Security Vulnerability Scanner is configured to be highly available. If you want to save on resources, you can reduce the number of replicas to the minimum:

helm install sbomscanner kubewarden/sbomscanner \
  --namespace sbomscanner \
  --create-namespace \
  --set controller.replicas=1 \
  --set storage.replicas=1 \
  --set storage.postgres.cnpg.instances=1 \
  --set worker.replicas=1 \
  --wait

This configuration is suitable for development environments where high availability is not required.

Verify the Deployment

After installation, ensure all pods are running:

kubectl get pods -n sbomscanner

Example output:

sbomscanner           sbomscanner-controller-7f568c88dc-bmjgs       1/1     Running
sbomscanner           sbomscanner-controller-7f568c88dc-gcgbn       1/1     Running
sbomscanner           sbomscanner-controller-7f568c88dc-q7hbh       1/1     Running
sbomscanner           sbomscanner-nats-0                            2/2     Running
sbomscanner           sbomscanner-nats-1                            2/2     Running
sbomscanner           sbomscanner-nats-2                            2/2     Running
sbomscanner           sbomscanner-storage-5f596cd8f8-4t7z8          1/1     Running
sbomscanner           sbomscanner-worker-d9d68c5c-5dtck             1/1     Running
sbomscanner           sbomscanner-worker-d9d68c5c-qcp7n             1/1     Running
sbomscanner           sbomscanner-worker-d9d68c5c-tlpgm             1/1     Running
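The readiness check below is an added example and not part of the SUSE or kubewarden documentation: it reads kubectl pod listings and fails if any pod is not Running or its READY column is not N/N. The embedded samples are constructed copies of the listing above (with one degraded pod added) so the script runs offline; against a cluster, pipe the real kubectl output into it.

```shell
# Added example (not from the SUSE/kubewarden docs): flag pods that are not
# Running or not fully ready. Works on the output of either
#   kubectl get pods -n sbomscanner --no-headers
# or kubectl get pods -A, because it locates the READY column by its N/N shape
# rather than by a fixed field index.
check_pods_ready() {
  awk '
    {
      for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\/[0-9]+$/) break
      if (i > NF) next                 # header line or unexpected format
      split($i, r, "/")
      name = $(i - 1); status = $(i + 1)
      if (status != "Running" || r[1] != r[2]) {
        printf "NOT READY: %s (%s %s)\n", name, $i, status
        bad++
      }
    }
    END { if (bad > 0) exit 1 }
  '
}

# Constructed sample input, copied from the listing above (healthy stack).
SAMPLE_HEALTHY='sbomscanner   sbomscanner-controller-7f568c88dc-bmjgs   1/1   Running
sbomscanner   sbomscanner-nats-0                        2/2   Running
sbomscanner   sbomscanner-storage-5f596cd8f8-4t7z8      1/1   Running
sbomscanner   sbomscanner-worker-d9d68c5c-5dtck         1/1   Running'

# Constructed degraded sample: one worker never became ready.
SAMPLE_DEGRADED="$SAMPLE_HEALTHY
sbomscanner   sbomscanner-worker-d9d68c5c-qcp7n         0/1   ContainerCreating"

printf '%s\n' "$SAMPLE_HEALTHY" | check_pods_ready && echo "all pods ready"
printf '%s\n' "$SAMPLE_DEGRADED" | check_pods_ready || echo "deployment not healthy"
# Live cluster:  kubectl get pods -n sbomscanner --no-headers | check_pods_ready
```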

Summary

At this point, your SUSE Security Vulnerability Scanner deployment is up and running successfully. You’re now ready to begin scanning images and generating reports!


Run a Scan

In this section, you’ll learn how to create a registry source and trigger an automated scan.

Prepare a registry.yaml file

Before running a scan, you need to define a Registry custom resource for SUSE Security Vulnerability Scanner to fetch images.

apiVersion: sbomscanner.kubewarden.io/v1alpha1
kind: Registry
metadata:
  name: test-registry
  namespace: default
spec:
  uri: ghcr.io
  repositories:
    - name: kubewarden/sbomscanner/test-assets/golang

Connecting to registries with custom CAs or insecure transport

If you need to connect to a registry that uses a self-signed or private certificate authority, provide a PEM-encoded CA bundle via spec.caBundle:

spec:
  uri: my-registry.example.com
  caBundle: |
    -----BEGIN CERTIFICATE-----
    <base64-encoded certificate>
    -----END CERTIFICATE-----
  repositories:
    - name: my-org/my-image

For development or testing against a registry that uses an untrusted certificate, you can disable TLS verification by setting spec.insecure to true:

spec:
  uri: my-registry.example.com
  insecure: true
  repositories:
    - name: my-org/my-image

Do not enable insecure in production environments, as it disables TLS certificate verification when connecting to the registry.
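The script below is an added example, not part of the SUSE or kubewarden documentation. It renders a Registry manifest that pins a private CA through spec.caBundle, taking care of the block-scalar indentation that is easy to get wrong, and refuses input that is not a bare PEM certificate (so nobody falls back to spec.insecure because of a malformed bundle). The registry name, host, repository and CA file path are assumptions for this example; the embedded PEM is a constructed placeholder, not a real certificate.

```shell
# Added example (not from the SUSE/kubewarden docs): render a Registry CR
# with spec.caBundle populated from a PEM file.
render_registry() {
  # $1 registry name, $2 registry host, $3 repository, $4 PEM file with the CA chain
  name=$1; host=$2; repo=$3; ca=$4
  # Validate the bundle before embedding it: a wrong file here makes every TLS
  # handshake to the registry fail, and a pasted key pair would leak a secret
  # into a non-secret object.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || { echo "no PEM certificate in $ca" >&2; return 1; }
  grep -q -- '-----END CERTIFICATE-----' "$ca"   || { echo "truncated PEM in $ca" >&2; return 1; }
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$ca"; then
    echo "refusing $ca: it contains a private key, not only a CA certificate" >&2; return 1
  fi
  printf 'apiVersion: sbomscanner.kubewarden.io/v1alpha1\nkind: Registry\n'
  printf 'metadata:\n  name: %s\n  namespace: default\n' "$name"
  printf 'spec:\n  uri: %s\n  caBundle: |\n' "$host"
  sed 's/^/    /' "$ca"   # indent the PEM four spaces under "caBundle: |"
  printf '  repositories:\n    - name: %s\n' "$repo"
}

# Constructed stand-in for a CA certificate so the script runs offline;
# point CA_FILE at your real PEM bundle instead.
CA_FILE=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
  'MIIB...constructed-placeholder-not-a-real-certificate...' \
  '-----END CERTIFICATE-----' > "$CA_FILE"

render_registry test-registry my-registry.example.com my-org/my-image "$CA_FILE"
# Apply with:  render_registry <name> <host> <repo> <ca.pem> | kubectl apply -f -
```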

Create the Registry CR

kubectl apply -f registry.yaml

Prepare a scanjob.yaml file

The ScanJob CR tells SUSE Security Vulnerability Scanner which registry to scan.

apiVersion: sbomscanner.kubewarden.io/v1alpha1
kind: ScanJob
metadata:
  name: test-scanjob
  namespace: default
spec:
  registry: test-registry

Create a ScanJob CR

kubectl apply -f scanjob.yaml

Wait for Results

Once the scan completes, check the generated SBOMs and vulnerability reports:

kubectl get sbom -n default
kubectl get vulnerabilityreport -n default

You should see output like:

NAME                                                               CREATED AT
2ca3e0b033d523509544cb6f31c626af2a710d7dbcc15cb9dffced2e4634d69b   2025-06-10T10:26:38Z
...

Summary

You’ve successfully created a real-world Registry resource and triggered an automated scan.

You can jump to the Querying reports guide to learn how to query and inspect the generated images, SBOMs, and vulnerability reports.