Air Gap Support
SUSE Security Vulnerability Scanner can be used in air-gapped environments.
To run the scans, SUSE Security Vulnerability Scanner currently needs the following external sources:
- Vulnerability Database
- Java Vulnerability Database
- VEX Hub (optional)
These external sources can be self-hosted in your private infrastructure to make the whole environment air-gapped.
Self-Hosting Vulnerability Databases
The following Vulnerability Databases are packaged as OCI images, allowing you to host them in your own registry:
Once mirrored in your own OCI registry, you can install SUSE Security Vulnerability Scanner to point to them:
helm install sbomscanner ./chart \
--set worker.trivyDBRepository="yourlocalregistry.example/sbomscanner/trivy-db" \
--set worker.trivyJavaDBRepository="yourlocalregistry.example/sbomscanner/trivy-java-db"
Self-Hosting VEX Hub
To set up your own VEX Hub repository, refer to this guide.
Change the repository_url (if any) within the VEX files so that it points to your internal registries.
Beyond that, all you need is an HTTP server that serves the files VEX Hub needs.
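The rewrite of repository_url described above is easy to get wrong by hand across many files, and a mirrored hub that still references a public host will silently fail in an air-gapped cluster. The script below is an added example, not code from SUSE Security Vulnerability Scanner or from the VEX Hub project. It assumes VEX Hub metadata is stored as JSON, that the key to rewrite is repository_url (as the page states), and that yourlocalrepo.example and yourlocalregistry.example are your internal hosts; the sample document is constructed. It rewrites the URLs, then lists any http(s) URL that still points outside the allowed internal hosts so the operator can review them before going offline.

```python
"""Rewrite public repository_url values in mirrored VEX Hub JSON files and
report anything that still points at a host an air-gapped cluster cannot reach.

Added example for this page; not part of SUSE Security Vulnerability Scanner
or VEX Hub. Assumptions: metadata is JSON, the key is `repository_url`,
the internal hosts below are placeholders you replace with your own.
"""
import json
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

# Public host -> internal mirror host (assumed placeholders, not real hosts).
HOST_MAP = {
    "github.com": "yourlocalrepo.example",
    "ghcr.io": "yourlocalregistry.example",
}
INTERNAL_HOSTS = frozenset(HOST_MAP.values())


def rewrite_url(url, host_map):
    """Swap the host of `url` if it is in host_map; otherwise return it unchanged."""
    parts = urlsplit(url)
    new_host = host_map.get(parts.hostname)
    if new_host is None:
        return url
    return urlunsplit((parts.scheme or "https", new_host, parts.path,
                       parts.query, parts.fragment))


def rewrite_doc(doc, host_map, key="repository_url"):
    """Recursively rewrite every `key` string value. Returns (new_doc, changed)."""
    if isinstance(doc, dict):
        out, changed = {}, 0
        for k, v in doc.items():
            if k == key and isinstance(v, str):
                new = rewrite_url(v, host_map)
                changed += int(new != v)
                out[k] = new
            else:
                out[k], n = rewrite_doc(v, host_map, key)
                changed += n
        return out, changed
    if isinstance(doc, list):
        items = [rewrite_doc(v, host_map, key) for v in doc]
        return [i[0] for i in items], sum(i[1] for i in items)
    return doc, 0  # scalars are returned as-is


def external_urls(doc, allowed_hosts):
    """Return every http(s) URL anywhere in doc whose host is not allowed.

    Only real URLs are inspected: a purl such as pkg:golang/github.com/... is
    not a URL and must not be reported.
    """
    found = []

    def walk(value):
        if isinstance(value, dict):
            for v in value.values():
                walk(v)
        elif isinstance(value, list):
            for v in value:
                walk(v)
        elif isinstance(value, str) and value.startswith(("http://", "https://")):
            if urlsplit(value).hostname not in allowed_hosts:
                found.append(value)

    walk(doc)
    return found


def rewrite_vex_dir(root, host_map):
    """Rewrite every *.json under root in place; returns the number of URLs changed."""
    total = 0
    for path in Path(root).rglob("*.json"):
        new_doc, changed = rewrite_doc(json.loads(path.read_text()), host_map)
        if changed:
            path.write_text(json.dumps(new_doc, indent=2) + "\n")
            total += changed
    return total


# Constructed sample: two public repository_url values, one already internal,
# a purl that merely contains "github.com", and a non-repository_url link.
SAMPLE = {
    "packages": [
        {"purl": "pkg:golang/github.com/example/app",
         "repository_url": "https://github.com/example/vex-data",
         "locations": ["https://github.com/example/vex-data/raw/main/app.openvex.json"]},
        {"purl": "pkg:oci/tool", "repository_url": "https://ghcr.io/example/tool-vex"},
        {"purl": "pkg:pypi/lib", "repository_url": "https://yourlocalrepo.example/vex/lib"},
    ]
}

if __name__ == "__main__":
    mirrored, changed = rewrite_doc(SAMPLE, HOST_MAP)
    print(f"rewrote {changed} repository_url values")
    for url in external_urls(mirrored, INTERNAL_HOSTS):
        print(f"still external, review before going offline: {url}")
```

Run it against the real mirror with rewrite_vex_dir("/path/to/mirrored/vexhub", HOST_MAP), then feed the resulting documents to external_urls with your own internal host set. The leftover-URL report is deliberately separate from the rewrite: repository_url is the field the page tells you to change, but other links in the metadata are better reviewed by a person than rewritten blindly.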
By default, SUSE Security Vulnerability Scanner seeds two VEXHub resources pointing to the public github.com/rancher/vexhub and github.com/aquasecurity/vexhub repositories, which are unreachable in an air-gapped environment. Disable this seeding at install time by setting controller.defaultVEXHubResources to false:
helm install sbomscanner ./chart \
--set controller.defaultVEXHubResources=false
To configure a VEX Hub in SUSE Security Vulnerability Scanner, create a VEXHub resource with your local repository URL and apply it:
apiVersion: sbomscanner.kubewarden.io/v1alpha1
kind: VEXHub
metadata:
  name: local-vexhub
spec:
  url: "https://yourlocalrepo.example/"
  enabled: true