CRD Reference

name string

Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes.
A good name should be descriptive of the associated expression.

expression string

Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/

labels object (keys:string, values:string)

Labels are key-value pairs that can be used to organize and categorize match conditions.

arch string

Architecture field specifies the CPU architecture, for example
amd64 or ppc64le.

os string

OS specifies the operating system, for example linux or windows.

variant string

Variant is an optional field specifying a variant of the CPU, for
example v7 to specify ARMv7 when architecture is arm.

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

Registry

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec RegistrySpec

status RegistryStatus

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

RegistryList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items Registry array

uri string

URI is the URI of the container registry

catalogType string

CatalogType is the type of catalog used to list the images within the registry.

repositories Repository array

Repositories is the list of the repositories to be scanned
An empty list means all the repositories found in the registry are going to be scanned.

authSecret string

AuthSecret is the name of the secret in the same namespace that contains the credentials to access the registry.
The secret must be in dockerconfigjson format. See: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

scanInterval Duration

ScanInterval is the interval at which the registry is scanned.
If not set, automatic scanning is disabled.

caBundle string

CABundle is the CA bundle to use when connecting to the registry.

insecure boolean

Insecure allows insecure connections to the registry when set to true.

platforms Platform array

Platforms allows to specify the list of platform to scan.
If not set, all the available platforms of a container image will be scanned.

conditions Condition array

name string

Name is the repository name.

matchConditions MatchCondition array

MatchConditions filters image tags using CEL expressions.

matchOperator MatchOperator

MatchOperator specifies how this condition is combined with other conditions.
When set to "And" (default), all conditions must pass for the filter to match.
When set to "Or", at least one condition must pass for the filter to match.

And

Enum: [And Or]
Optional: \{}

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

ScanJob

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec ScanJobSpec

status ScanJobStatus

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

ScanJobList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items ScanJob array

name string

Name is the name of a repository declared on the Registry.

Required: \{}

matchConditions string array

MatchConditions optionally narrows the scan to a subset of the MatchConditions declared on the targeted repository.
Each entry must reference an existing MatchCondition by name.
When empty, all MatchConditions of the repository apply.

Optional: \{}

registry string

Registry is the registry in the same namespace to scan.

Required: \{}

repositories ScanJobRepository array

Repositories optionally narrows the scan to a subset of the repositories configured on the targeted Registry.
When empty, all repositories of the Registry are scanned.

Optional: \{}

conditions Condition array

Conditions represent the latest available observations of ScanJob state

Optional: \{}

imagesCount integer

ImagesCount is the number of images in the registry.

scannedImagesCount integer

ScannedImagesCount is the number of images that have been scanned.

startTime Time

StartTime is when the job started processing.

Optional: \{}

completionTime Time

CompletionTime is when the job completed or failed.

Optional: \{}

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

VEXHub

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

Optional: \{}

spec VEXHubSpec

spec defines the desired state of VEXHub

Required: \{}

status VEXHubStatus

status defines the observed state of VEXHub

Optional: \{}

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

VEXHubList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items VEXHub array

url string

URL is the URL of the VEXHub repository

enabled boolean

Enabled tells if the VEX Hub is enabled for processing

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

WorkloadScanConfiguration

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec WorkloadScanConfigurationSpec

apiVersion string

sbomscanner.kubewarden.io/v1alpha1

kind string

WorkloadScanConfigurationList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items WorkloadScanConfiguration array

enabled boolean

Enabled controls whether workload scanning is active.

true

namespaceSelector LabelSelector

NamespaceSelector filters which namespaces are scanned for workloads.
If not specified, workloads in all namespaces are scanned.

Optional: \{}

artifactsNamespace string

ArtifactsNamespace is the namespace where scan artifacts (Registry, ScanJob, SBOM, VulnerabilityReport) are created.
When empty, artifacts are created in the workload’s own namespace.
Can only be changed when Enabled is false.
Note: WorkloadScanReport resources are always created in the workload’s namespace, regardless of this setting.

Optional: \{}

scanInterval Duration

ScanInterval is the interval at which discovered registries are scanned.

Optional: \{}

scanOnChange boolean

ScanOnChange triggers a scan when a managed Registry resource is created or updated.
Defaults to true.

true

Optional: \{}

authSecret string

AuthSecret is the name of a secret in the installation namespace containing credentials to access registries.
The secret must be in dockerconfigjson format. See: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Optional: \{}

caBundle string

CABundle is the CA bundle to use when connecting to registries.

Optional: \{}

insecure boolean

Insecure allows insecure connections to registries when set to true.

Optional: \{}

platforms Platform array

Platforms specifies which platforms to scan for container images.
If not specified, all platforms available in the image manifest will be scanned.

Optional: \{}

v3vector string

V3Vector string (e.g., "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")

v3score string

V3Score numerical score

name string

Name is the name of the container.

imageRef ImageRef

ImageRef identifies which VulnerabilityReports to associate with this container.

name string

Name is the name of the container (matches ContainerRef.Name).

vulnerabilityReports WorkloadScanVulnerabilityReport array

VulnerabilityReports contains the vulnerability reports for this container’s image.
Multiple reports may exist for multi-arch images (one per platform).

Optional: \{}

name string

Name is the name of the container (matches ContainerRef.Name).

scanStatus ScanStatus

ScanStatus indicates the scan status for this container.

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

imageMetadata ImageMetadata

Metadata of the image

layers ImageLayer array

List of the layers that make the image

status ImageStatus

Status of the image

command string

command is the command that led to the creation
of the layer. The contents are base64 encoded

digest string

digest is the Hash of the compressed layer

diffID string

diffID is the Hash of the uncompressed layer

registry string

Registry specifies the name of the Registry object in the same namespace where the image is stored.

registryURI string

RegistryURI specifies the URI of the registry where the image is stored. Example: "registry-1.docker.io:5000".`

repository string

Repository specifies the repository path of the image. Example: "kubewarden/sbomscanner".

tag string

Tag specifies the tag of the image. Example: "latest".

platform string

Platform specifies the platform of the image. Example "linux/amd64".

digest string

Digest specifies the image manifest digest.

indexDigest string

IndexDigest specifies the image index digest that referenced this manifest. Set only for multi-arch images.

registry string

Registry is the name of the Registry custom resource.

namespace string

Namespace is the namespace where the VulnerabilityReports are stored.

repository string

Repository is the repository path of the image.

tag string

Tag is the tag of the image.

workloadScanReports ImageWorkloadScanReports array

WorkloadScanReports is the list of workloads referencing this image

name string

Name of the WorkloadScanReport

namespace string

Namespace of the WorkloadScanReport

summary Summary

Summary of vulnerabilities found

results Result array

Results per target (e.g., layer, package type)

target string

Target is the specific target scanned

class Class

Class is the classification of the target

type string

Type is the language type

vulnerabilities Vulnerability array

Vulnerabilities found in this target

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

imageMetadata ImageMetadata

spdx RawExtension

SPDX contains the SPDX document of the SBOM in JSON format

critical integer

Critical vulnerabilities count

high integer

High vulnerabilities count

medium integer

Medium vulnerabilities count

low integer

Low vulnerabilities count

unknown integer

Unknown vulnerabilities count

suppressed integer

Suppressed vulnerabilities count

repository string

Repository providing the VEX document

status string

VEX status (e.g., "not_affected", "fixed", "under_investigation")

statement string

Statement optionally explain statement from the VEX document

cve string

CVE identifier

title string

Title is the title of the vulnerability

packageName string

PackageName is the name of the vulnerable package
(empty when Class is "binary")

packagePath string

PackagePath is the path where the package was found
(equal to Target when Class is "binary").
trivy removes the "/" at the beginning of the path
so we have to restore it.

purl string

PURL (Package URL) identify the package uniquely

installedVersion string

InstalledVersion of the package that was found

fixedVersions string array

FixedVersions is the list of versions where the vulnerability is fixed

diffID string

DiffID of the image layer where the vulnerability was introduced

description string

Description of the vulnerability

severity string

Severity rating (e.g., "HIGH", "MEDIUM")

severitySource string

SeveritySource identifies the vendor that produced the Severity
(e.g. "nvd", "ghsa", "redhat", "alpine").
Consumers can use this key to look up the matching entry in the CVSS map to display alongside Severity.
May be empty when the source vendor is not known.

references string array

References contains URLs for more information

cvss object (keys:string, values:CVSS)

CVSS scoring details

cwes string array

CWEs with which the CVE is classified

suppressed boolean

Suppressed identify when vulnerability has
been suppressed by VEX documents

vexStatus VEXStatus

VEXStatus information

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

imageMetadata ImageMetadata

ImageMetadata contains info about the scanned image

report Report

Report is the actual vulnerability scan report

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec WorkloadScanReportSpec

Spec contains the workload container references, written by the reconciler.

status WorkloadScanReportStatus

Status contains the scan status for each container.
Populated at read time.

Optional: \{}

summary Summary

Summary provides aggregated vulnerability counts across all containers.
Vulnerabilities are deduplicated per container (same CVE across platforms counts as 1),
then summed across all containers.
Populated at read time.

Optional: \{}

containers ContainerResult array

Containers contains the vulnerability reports for each container.
Populated at read time by joining with VulnerabilityReport data.

Optional: \{}

containers ContainerRef array

Containers contains the list of containers in the workload with their image references.

containerStatuses ContainerStatus array

ContainerStatuses contains the scan status for each container.

Optional: \{}

name string

Name is the name of the VulnerabilityReport.

namespace string

Namespace is the namespace where the VulnerabilityReport is stored.

imageMetadata ImageMetadata

ImageMetadata contains the VulnerabilityReport’s image metadata.

report Report

Report is the actual vulnerability scan report.